Prior to the HIPAA act, there were no security standards or requirements for the protection of health information. As technology evolved, the healthcare industry began to rely more heavily on the use of electronic systems for record keeping, payments and other functions.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. This requirement was fulfilled by the HIPAA Privacy Rule and the HIPAA Security Rule.
The HIPAA Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information protected health information (PHI).
PHI is information, including demographic data, that relates to an individual’s past, present or future physical health, mental health or condition and past, present, or future payment for the provision of healthcare that identifies the individual or a reasonable basis to believe it can be used to identify an individual. Individually identifiable health information includes common identifiers such as name, address, date of birth and Social Security Number. (OCR HIPAA Privacy 2003)
The HIPAA Privacy Rule applies to all forms of protected health information.
The HIPAA Security Rule requires covered entities to maintain appropriate administrative, technical and physical procedures to assure the confidentiality, integrity and availability of protected health information (e-PHI). (Centers for Medicare & Medicaid Services, 2013)
Specifically, a covered entity must:
- Ensure the confidentiality, integrity and availability of all PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
The HIPAA Security Rule applies to only protected health information that is in electronic form.
The HITECH Act of 2009 expanded the responsibilities of Business Associates under the Privacy and Security Rules. Currently, Business Associates of a covered entity must also comply with HIPAA Security Rules.
Covered Entity is defined as:
A health care provider that conducts certain transactions in electronic form
A health care clearinghouse
A health plan
Business Associate is defined as:
A person or entity, other than a covered entity’s workforce, who performs functions or activities on behalf of, or provides certain services to a covered entity that involve access to protected health information. Business Associate activities or functions on behalf of a covered entity include: claims processing, data analysis, utilization review and billing. Business Associate services to a covered entity are limited to legal, accounting, management, administrative, accreditation, actuarial or financial services.
HIPAA Security Standards are divided into the following categories:
Administrative Safeguards – Administrative functions that should be implemented to meet the security standard. These include delegation or assignment of security responsibility and security training requirements.
Physical Safeguards – Provisions required to protect electronic systems, equipment and the information they hold, from threats, unauthorized intrusions and environmental hazards. They include restricting EPHI access and retaining offsite computer backups.
Technical Safeguards – Primarily the automated processes used to protect and control access to data. They include authentication controls and encrypting and decrypting data as it is stored or transmitted.
Each standard includes an “implementation specification”, which includes details for implementing a particular standard.
We have added a PDF to the Compliance section of our resources page that includes the security standards and implementation specifications for each. Specifications are categorized as required or addressable. If no implementation specification is listed for a standard, compliance with the standard is required. It is important to keep in mind that items listed as addressable are not optional. The Security Rule was created to be scalable and flexible, to allow for compliance under unique circumstances, based on size and environment.
Be sure to add our Blog to your bookmarks! Our next article in the series will focus on Gramm-Leach-Bliley Act (GLBA) compliance.