|
HIPAA requires a number of administrative, technical, and physical safeguards to protect patient information that is stored and exchanged, both in paper and electronic form. These technical safeguards recommend implementation of solutions for access control, data integrity, person or entity authentication, transmission security, and to ensure compliance.
Although there are no one-size-fits-all solutions to HIPAA compliance, there are some common sense information security strategies to help comply with these regulations. These strategies include understanding the intention of HIPAA, the spirit in which it was written, and applying them to the particular needs of your organization. This document outlines the Act's main points, describes strategies for implementation, highlights pitfalls to avoid, and explains how SecureZIP can aid compliance. Please note this whitepaper is for general information purposes only and does not constitute legal advice.
Introduction
The security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require the protection of medical records and other personal health information created or maintained by healthcare providers, health plans, hospitals, health insurers and healthcare clearinghouses. HIPAA regulations apply to patient health information in all its forms, both paper and digital, and require sound business practices as well as electronic safeguards to protect the confidentiality of information. Healthcare organizations and individuals face stiff penalties and lost reputations if they fail to comply with government requirements for safeguarding protected health information as prescribed by HIPAA.
Originally, HIPAA was focused on the "portability" aspect of its requirements. The act was initially intended to protect the confidentiality of pre-existing conditions to prevent a person from being denied coverage when he or she changed group insurance plans or moved to a new job. However, in recent years, healthcare organizations-like many other companies-have been leveraging the Internet and other computer technologies to streamline their business processes and become more profitable. As a result, HIPAA has expanded its reach to protect all patient information that is stored or exchanged electronically. This means that not only healthcare organizations such as hospitals, insurance companies, and clearing houses are subject to HIPAA requirements, but any organization that has an HR department which processes employee medical information electronically.
When they speak about complying with HIPAA, most organizations refer to HIPAA's final rule-the Security Rule. Whereas the prior Privacy Rule concerns itself with defining the type of information that must be protected and applies to data in any form, the Security Rule addresses how electronic data is to be protected in electronic form. This description of how is what most concerns IT and IS managers.
General requirements of the Security Rule are as follows: HIPAA 164.36 General Requirements "Covered entities must do the following:
1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such information.
4. Ensure compliance by its workforce."
Three safeguards are described in this final Security Rule. They include administrative, physical, and technical safeguards. As mentioned above, sound business processes such as developing organizational policies, workforce security and training, and performing periodic evaluations should be implemented that protect administrative procedures. Popular physical safeguards include controlling access to facilities, workstation security, and device and media controls. Technical safeguards address access control, audit controls, data integrity, authentication, and transmission security. While not everything mentioned in the safeguards is required, organizations that do not implement suggested measures must be able to justify why it is not feasible or necessary for their particular environment.
Implementation-What's Right for Your Organization?
The good news in the midst of all these rules and regulations is that HIPAA is also explicitly "technology neutral." There is no single solution that is required for compliance. The act instead suggests that each organization analyze such variables as its size and technological capabilities as well as realistic risk factors to come up with an approach that will reasonably protect the information under its trust.
Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
|
