Tuesday, June 2, 2015

HIPAA Security Basics

Security Rule Principles

It is advisable to periodically review the principles of the HIPAA Rules to remind ourselves of the importance of the regulations. Here we will review the principles of the Security Rule.

The Security Rule is based on three principles: comprehensiveness, scalability and technology neutrality.

· Comprehensiveness
This refers to the fact that the Security Rule addresses all aspects of security. This means that security measures address confidentiality, data integrity, and availability.

· Scalability
This assures that the Security Rule can be effectively implemented by covered entities of all types and sizes.

· Technology neutrality
This means the Security Rule does not define specific technology requirements, thereby allowing covered entities to make use of future technology advancements.

The Privacy Rule is pervasive and impacts virtually every aspect of operations.  The Security Rule is even more pervasive.  It must be understood and practiced by every person in the office. 

Privacy and Security are tightly linked.  The following chart shows the similarities between the Privacy and Security standards.

Privacy Standard                          | Complementary Security Standard
------------------------------------------|------------------------------------------
Minimum Necessary                         | Information Access Management, Access Controls
Verification of Identity and Authority    | Person or Entity Authentication
Sanction Policy                           | Sanction Policy
Training                                  | Training
Business Associate Contracts              | Business Associate Contracts
Policies and Procedures                   | Policies and Procedures
Privacy Compliance Officer                | Security Compliance Officer
Uses and Disclosures                      | Information System Activity Review
Complaints to the Covered Entity          | Evaluation, Incident Procedures
Safeguards                                | Facility Access Controls; Workstation Security; Device and Media Controls

The Security Rule is not just about technical controls; it is about people doing what they are supposed to do.  It is focused on PHI when it is maintained in your computer systems and as it is transmitted throughout an internal or external network or in any other “electronic media”.  The Security Rule standards safeguard ePHI (electronic PHI) from unauthorized access, alteration, deletion, and transmission.

You should be able to fit the Security Rule to your needs – whether you have a small office or a large clinic.  The Security Rule emphasizes being reasonable and appropriate.

Reasonable and Appropriate
The Security Rule specifically provides factors to be considered when determining which security measures to use. These factors are:

· Size, complexity, and capabilities of the covered entity
· Technical infrastructure, hardware, and software security capabilities
· Costs of security measures
· Probability and criticality of potential risks to ePHI

The Security Rule cautions that cost is not meant to free covered entities from their responsibility to implement adequate security measures.

Risk Analysis and Risk Management
The Security Rule specifies that you must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI your practice holds, and then implement security measures that are reasonable and appropriate to reduce those risks and vulnerabilities to an acceptable level.

Technology Neutral
The concept of technology neutrality is based on the fact that information technology changes very rapidly.  A technology neutral standard allows the Security Rule to be stable, yet flexible enough to take advantage of the newest technologies available.