This is a sample from the lesson
HIPAA 4: Security and FAQ
HIPAA Security Rule
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Secretary of HHS to publish national standards for the security of electronic protected health information (e-PHI), electronic exchange, and the privacy and security of health information.

To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.

The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.

The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called "covered entities" must put in place to secure individuals' "electronic protected health information" (e-PHI).

Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

This lesson describes the three categories of organizations to which HIPAA laws and rules apply: Covered Entities and their workforce, Business Associates (including their support staff), and Sub-Contractors and Agents.

This lesson is divided into four parts:
The HIPAA Privacy Rule Summary
HIPAA Privacy Standards and The Sample Business Associate Contract
HIPAA Privacy Rule Frequently Asked Questions
The HIPAA Security Rule and Security FAQ

Who do HIPAA rules apply to?

Covered Entities are required to follow HIPAA laws and regulations. An example of a covered entity is an insurance company or hospital. A more detailed description of covered entities is provided later in the lesson.

Attorneys fall into the category of Business Associates for the purposes of HIPAA regulations. A business associate is someone who is required to have a Business Associate Contract with a Covered Entity.

While court reporters are not generally considered to be a Business Associate of a Covered Entity, the attorneys they work for are required to have a Business Associate Contract. This is because the court reporter is an agent or sub-contractor of the Attorney Business Associate.

The Attorney Business Associate is required to sign HIPAA's recommended Business Associate Contract with the Covered Entity to ensure the Court Reporter is in compliance with HIPAA regulations.

If the court reporter has a contract directly with a Covered Entity, they may be considered a Business Associate.

This is a summary of key elements of the Security Rule, including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information.

Prior to HIPAA, no generally-accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically-based functions.

Today, providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications.

While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.

A major goal of the Security Rule is to protect the privacy of individuals' health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.

Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity's particular size, organizational structure, and risks to consumers' e-PHI.

Who is covered by the Security Rule

The Security Rule, like all of the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities").

Business Associates

The HITECH Act of 2009 expanded the responsibilities of business associates under the Privacy and Security Rules. HHS is developing regulations to implement and clarify these changes.

What Information is Protected

Electronic Protected Health Information.

The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI), as explained in the Privacy Rule and here.

The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information "electronic protected health information" (e-PHI).

The Security Rule does not apply to PHI transmitted orally or in writing.

General Rules

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.

Specifically, covered entities must:

Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
Identify and protect against reasonably anticipated threats to the security or integrity of the information;
Protect against reasonably anticipated, impermissible uses or disclosures; and
Ensure compliance by their workforce.

The Security Rule defines "confidentiality" to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI.

The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, "integrity" means that e-PHI is not altered or destroyed in an unauthorized manner. "Availability" means that e-PHI is accessible and usable on demand by an authorized person.

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity's business, as well as the covered entity's size and resources.

Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:

Its size, complexity, and capabilities,
Its technical, hardware, and software infrastructure,
The costs of security measures, and
The likelihood and possible impact of potential risks to e-PHI.

Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.

Risk Analysis and Management

The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.

A risk analysis process includes, but is not limited to, the following activities:

Evaluate the likelihood and impact of potential risks to e-PHI;
Implement appropriate security measures to address the risks identified in the risk analysis;
Document the chosen security measures and, where required, the rationale for adopting those measures; and
Maintain continuous, reasonable, and appropriate security protections.

Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.

Administrative Safeguards

Security Management Process. As explained in the previous section, a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.

Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.

Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).

Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI.

A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.