Whereas the HIPAA Privacy Rule deals with Protected Health Information (PHI) in general, the HIPAA Security Rule (SR) deals with electronic Protected Health Information (ePHI), which is essentially a subset of what the HIPAA Privacy Rule encompasses. In terms of actual regulatory text the HIPAA Security Rule spans only approximately 8 pages, which is the good news. The bad news is that the HIPAA Security Rule is highly technical in nature. For all intents and purposes this rule is the codification of certain information technology standards and best practices.
Broadly speaking, the HIPAA Security Rule requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical. In addition, it imposes other organizational requirements and a need to document processes, analogous to the HIPAA Privacy Rule. That said, creating the necessary HIPAA Security Rule documentation will likely prove significantly more "vexing" than its Privacy Rule counterpart, especially for small providers. Health information technology (HIT) resources should be available for these types of projects.
In short, small providers will almost certainly need to hire HIT consultants if they want to "reasonably and appropriately" comply with the HIPAA Security Rule. Given this reality, we simply present the general rule and the standards captured in the enumerated safeguards, with brief commentary that hopefully explains in lay terms what a particular standard means. A given standard usually has implementation specifications associated with it. We have opted not to discuss the HIPAA Security Rule specifications (only the standards), since it is our belief that any attempt at paraphrasing the specifications would only add to the confusion. Our guiding principle with respect to this rule is "implement the necessary safeguards." We readily admit that this is much easier said than done, since the real challenge lies in defining "necessary." As discussed below in the general rule, the HIPAA Security Rule attempts to provide some "flexibility" in this regard (an apparent acknowledgement of the challenges faced by small providers), but as a practical matter it does not otherwise significantly reduce the burden of implementation, in our opinion.

The provider compliance date for the security standards was April 20, 2005 (§164.318). The HIPAA Security Rule is contained in sections §164.302 through §164.318.

§ 164.302 Applicability

A Covered Entity must comply with the standards and implementation specifications contained herein.

§ 164.304 Definitions

Introductory Comment: The definitions below are a paraphrased subset of all the definitions contained in the HIPAA Security Rule. The omitted definitions, by and large, are technical terms that are useful for interpreting the implementation specifications. Since we have omitted any discussion of the specifications, there is no need to define the technical terms related to them.
Access. Access means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

Administrative safeguards. Administrative safeguards are administrative actions, policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect ePHI, and to manage the conduct of the Covered Entity's workforce in relation to the protection of that information.

Confidentiality. Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.

Physical safeguards. Physical safeguards are physical measures, policies, and procedures to protect a Covered Entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Technical safeguards. Technical safeguards mean the technology and the policies and procedures for its use that protect ePHI and control access to it.

© 2009-2022 3Lions Publishing, Inc.

HIPAA Administrative Safeguards

The HIPAA Security Rule is a set of regulations intended to protect the security of electronic Protected Health Information (ePHI) in order to maintain the confidentiality, integrity, and availability of ePHI. This is achieved by implementing proper administrative, physical, and technical safeguards. In this three-part series, we'll take time to examine each of these safeguards. The bulk of the Security Rule is focused on administrative safeguards. In this post, we take a detailed look at the different types of administrative safeguards HHS requires in order to comply with HIPAA.
Administrative Safeguards are the policies and procedures implemented to protect ePHI and ensure compliance with the Security Rule. These requirements cover training and procedures for employees regardless of whether a given employee has access to protected health information or not. HHS intentionally wrote flexibility into the Security Rule. For some safeguards it built clear and specific guidelines to follow for implementation; for others it left the details of execution in the hands of the security official at each organization. Each standard carries implementation specifications of one of two types: "Required" (marked (R) below), which must be implemented as written, and "Addressable," which a covered entity must either implement, or document why it is not reasonable and appropriate and implement an equivalent alternative measure where one is reasonable and appropriate. The administrative safeguard standards are:

Security Management Process

Assigned Security Responsibility (R)
The purpose of Assigned Security Responsibility is to identify who will be operationally responsible for assuring that the covered entity complies with the Security Rule. There are no separate implementation specifications for this standard. The standard requires that covered entities select a security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule. It is important to note that a covered entity can make one person both the Security Officer and the Privacy Officer. Other individuals in the covered entity may be assigned specific security responsibilities, but one person should be designated as ultimately responsible.

Workforce Security

Information Access Management

Security Awareness and Training

Security Incident Procedures

Contingency Plan

Evaluation (R)
Covered entities must implement ongoing monitoring and evaluation plans. Covered entities must periodically evaluate their strategy and systems to ensure that the security measures continue to meet the requirements of the Security Rule as their operating environments change.

Business Associate Contracts and Other Arrangements
Written Contract or Other Arrangements (R): Have Business Associate Agreements (BAAs) or other arrangements in place that meet the applicable organizational requirements. These agreements confirm that both parties will comply with HIPAA in their use of PHI, both paper and electronic.

What are the administrative safeguards outlined in the Security Rule?
The Security Rule defines administrative safeguards as "administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in ..."
What are the three types of safeguards in the Security Rule?
The HIPAA Security Rule requires three kinds of safeguards: administrative, physical, and technical.

What are examples of administrative safeguards?
Some examples of administrative safeguards are:
Policies and Procedures: a good example of this would be how you document when an employee is either hired or terminated.
...
Staff Training Programs: when you hire a new employee, do you conduct HIPAA awareness training?

What is not covered by the Security Rule?
For example, messages left on answering machines, video conference recordings, or paper-to-paper faxes are not considered ePHI and do not fall under the requirements of the Security Rule.