HIPAA Security Rule

Categories: HIPAA, HIPAA Security
Written By: admin

The HIPAA Security Rule was finalized in 2003, and covered entities were required to comply with it by April 2005 (small health plans had until April 2006). Unlike the Privacy Rule, which applies to all protected health information (PHI) in any form, the Security Rule deals only with electronic protected health information (ePHI), that is, patient health records that are created, stored, or transmitted electronically.

The rule groups its required safeguards into three categories:

  • Administrative Safeguards – These include the following requirements:
    1. Covered entities must have written security policies and procedures and must designate a security official who is responsible for them.
    2. The procedures must identify which workforce members have access to ePHI. Access should be restricted to those who need it to perform their jobs (the "minimum necessary" principle).
    3. Procedures for granting, modifying, and terminating access must be defined in detail.
    4. Workforce members who handle ePHI must receive security awareness training.
    5. Entities that outsource processes involving ePHI must ensure, by contract, that the third party (a business associate) also complies with HIPAA requirements.
    6. All entities must have a contingency plan for emergencies: data must be backed up, and disaster recovery procedures must exist.
    7. Entities should conduct periodic internal audits and evaluations to identify potential violations.
  • Technical Safeguards – These safeguards protect communications involving ePHI and control who can access the computer systems that hold it. The requirements are:
    1. Systems containing ePHI must be protected from intrusion, and ePHI transmitted over an open network must be encrypted.
    2. ePHI must not be altered or destroyed by any unauthorized person or process.
    3. Mechanisms such as checksums or message authentication codes should corroborate that ePHI has not been altered or destroyed, and covered entities must authenticate the persons or entities with which ePHI is exchanged.
    4. All HIPAA practices of covered entities must be documented, and that documentation must be made available to the government (HHS) on request.
    5. IT documentation should include a record of the network's configuration settings.
  • Physical Safeguards – These safeguards control physical access to systems and protect ePHI against unauthorized access. The requirements are:
    1. The introduction and removal of hardware and software must be controlled. Equipment must be disposed of only after ensuring that no ePHI remains on it.
    2. Covered entities must control and monitor access to computers and other systems that contain health information.
    3. Facility security plans, visitor procedures, and maintenance records must all be maintained and monitored.
    4. Entities must create policies governing the proper use and positioning of workstations.
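The technical safeguards above (integrity corroboration, restricting access to those who need it, and an audit trail that can be evaluated later) can be illustrated with a small example. The following code is an added illustration, not part of the original post and not any particular vendor's or regulator's code. It assumes a hypothetical role table (ROLE_PERMISSIONS), a stand-in integrity key that in practice would live in an HSM or secrets manager, and a constructed sample record; none of these names come from the page. Records are sealed with HMAC-SHA256 so that any alteration is detected, access decisions are role-based, and every decision (allowed or denied) is written to a hash-chained log so that later tampering with the log itself is also detectable.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical role table (minimum-necessary access): each role gets only the
# actions its job function requires. Names are illustrative, not from the page.
ROLE_PERMISSIONS = {
    "physician": {"read", "update"},
    "billing": {"read"},
    "it_support": set(),  # administers the system, never reads ePHI
}

# Assumed: in a real deployment this key lives in an HSM or secrets manager.
# It is generated here only so the example runs stand-alone.
INTEGRITY_KEY = secrets.token_bytes(32)

GENESIS = "0" * 64  # chain anchor for the first audit entry


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag to an ePHI record (integrity control)."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record is byte-for-byte what was sealed."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


class AuditLog:
    """Hash-chained audit trail: each entry commits to the hash of the previous one."""

    def __init__(self):
        self.entries = []

    def append(self, actor: str, role: str, action: str, record_id: str, allowed: bool) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "actor": actor, "role": role,
                 "action": action, "record_id": record_id,
                 "allowed": allowed, "prev": prev}
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and check that each entry links to its predecessor."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def authorize(log: AuditLog, actor: str, role: str, action: str, record_id: str) -> bool:
    """Role-based access check; every decision, allowed or denied, is logged."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.append(actor, role, action, record_id, allowed)
    return allowed


if __name__ == "__main__":
    # Constructed sample record; not real patient data.
    sealed = seal_record({"mrn": "MRN-0001", "dx": "J06.9", "note": "viral URI"})
    print("record intact:", verify_record(sealed))
    tampered = {"record": dict(sealed["record"], dx="J45.9"), "tag": sealed["tag"]}
    print("record after tampering:", verify_record(tampered))

    log = AuditLog()
    print("physician update:", authorize(log, "dr_adams", "physician", "update", "MRN-0001"))
    print("billing update:", authorize(log, "b_lee", "billing", "update", "MRN-0001"))
    print("log intact:", log.verify())
    log.entries[1]["allowed"] = True  # someone rewrites a denied decision
    print("log after tampering:", log.verify())
```

The HMAC tag covers a canonical encoding of the record, so reordering keys or reformatting whitespace does not produce a false alarm, while changing a diagnosis code does. The audit log is only tamper-evident, not tamper-proof: an attacker with write access could rebuild the whole chain, which is why production systems also ship log entries to a separate, append-only store.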
