From Policy to Practice: A Practical Guide to Implementing HIPAA Security

White Paper
From Policy to Practice: A
Practical Guide to Implementing
HIPAA Security SafeguardsWhite Paper
AbstractHIPAA requires a number of administrative, technical, and physical safeguards to protect patient information that is stored and exchanged, both in paper and electronic form. These technical safeguards recommend implementation of solutions for access control, data integrity, person or entity authentication, transmission security, and to ensure compliance. Although there are no one-size-fits-all solutions to HIPAA compliance, there are some common sense information security strategies to help comply with these regulations. These strategies include understanding the intention of HIPAA, the spirit in which it was written, and applying them to the particular needs of your organization. This document outlines the Act's main points, describes strategies for implementation, highlights pitfalls to avoid, and explains how SecureZIP can aid compliance. Please note this whitepaper is for general information purposes only and does not constitute legal advice.
2 Copyright© 2004 PKWARE, Inc. and its licensors. All rights reserved. Trademarks of other companies mentioned in this documentation appear for identification purposes only and are property of their respective companies. SecureZIP is a trade mark and PKZIP is a registered trade mark of PKWARE, Inc.White Paper
IntroductionThe security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require the protection of medical records and other personal health information created or maintained by healthcare providers, health plans, hospitals, health insurers and healthcare clearinghouses. HIPAA regulations apply to patient health information in all its forms, both paper and digital, and require sound business practices as well as electronic safeguards to protect the confidentiality of information. Healthcare organizations and individuals face stiff penalties and lost reputations if they fail to comply with government requirements for safeguarding protected health information as prescribed by HIPAA.
Originally, HIPAA was focused on the "portability" aspect of its requirements. The act was initially intended to protect the confidentiality of pre-existing conditions to prevent a person from being denied coverage when he or she changed group insurance plans or moved to a new job. However, in recent years, healthcare organizations-like many other companies-have been leveraging the Internet and other computer technologies to streamline their business processes and become more profitable. As a result, HIPAA has expanded its reach to protect all patient information that is stored or exchanged electronically. This means that not only healthcare organizations such as hospitals, insurance companies, and clearing houses are subject to HIPAA requirements, but any organization that has an HR department which processes employee medical information electronically.
When they speak about complying with HIPAA, most organizations refer to HIPAA's final rule-the Security Rule. Whereas the prior Privacy Rule concerns itself with defining the type of information that must be protected and applies to data in any form, the Security Rule addresses how electronic data is to be protected in electronic form. This description of how is what most concerns IT and IS managers.
General requirements of the Security Rule are as follows:
HIPAA 164.36 General Requirements
"Covered entities must do the following:
1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.3. Protect against any reasonably anticipated uses or disclosures of such information.4. Ensure compliance by its workforce."
3 Copyright© 2004 PKWARE, Inc. and its licensors. All rights reserved. Trademarks of other companies mentioned in this documentation appear for identification purposes only and are property of their respective companies. SecureZIP is a trade mark and PKZIP is a registered trade mark of PKWARE, Inc.White Paper
Three safeguards are described in this final Security Rule. They include administrative, physical, and technical safeguards. As mentioned above, sound bu... [download for more]