HIPAA has a Security Rule Too!
Everyone working in healthcare knows about the privacy side of the Health Insurance Portability and Accountability Act (HIPAA), but there is a security side too!
The Privacy Rule sets the standards for, among other things, who may have access to electronic protected health information (ePHI), while the Security Rule sets the standards for ensuring that only those who should have access to ePHI actually have that access.
The Privacy Rule also requires Covered Entities (CEs), and in certain circumstances their Business Associates (BAs), to have in place appropriate Administrative, Physical, and Technical safeguards and to implement those safeguards reasonably. When Health & Human Services (HHS) developed the Security Rule, it chose to closely follow the requirements it had set in the Privacy Rule.
The Privacy and Security Rules Compared
Some of the primary distinctions between the two rules are as follows:
Electronic vs. oral and paper PHI:
The Privacy Rule applies to all forms of patients’ PHI, whether electronic, written, or oral. In contrast, the Security Rule covers only PHI that is in electronic form. This includes all ePHI that is created, received, maintained, or transmitted.
For example, ePHI may be (this list is not all-inclusive):
• Transmitted over the Internet
• Stored on a computer
• Stored on a CD
• Stored on a disk
• Stored on magnetic tape
• Stored on other storage devices
The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally.
Why is Security Important in Healthcare:
Every day, physicians, nurses, and medical staff, as well as administrative employees, use web-based and clinical applications to access ePHI on computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems.
While this means the healthcare workforce can be more mobile and efficient (e.g., physicians can check patient records and test results remotely), the rising adoption of these technologies is also increasing the potential security risks.
The Security Rule requires all CEs and their BAs to evaluate the risks and vulnerabilities in their environments and to implement policies and procedures to address those risks and vulnerabilities. They are required to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.
YOUR security risk analysis process is an opportunity to learn as much as possible about health information security. Don’t ignore YOUR need to be HIPAA compliant! Any device or medium that contains ePHI needs to be properly protected – HIPAA is not system or hardware specific – it applies to all of them!
Note: Security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as CEs’ and BAs’ organizations and technologies change.
Covered Entities and Business Associates need to understand this: your patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure.
Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?
COMING IN JUNE!!
Join HIPAA alli for our live webinar, where we provide valuable information on a range of HIPAA compliance-related topics and allow attendees to gain insider insight and learn industry best practices.