Does your organization currently handle Personal Health Information (PHI) and Personally Identifiable Information (PII)?
Do you need to be compliant with the HIPAA Security Rule? Are you not sure?
What does the HIPAA Security Rule Require?
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
Confidentiality
The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on demand by an authorized person.

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.

Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:
- Its size, complexity, and capabilities;
- Its technical, hardware, and software infrastructure;
- The costs of security measures; and
- The likelihood and possible impact of potential risks to e-PHI.
Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.
Let TranscendentIT help Implement HIPAA Security Rule Safeguards
Technical safeguards include:
- Access control
- Audit controls
- Integrity
- Person or entity authentication
- Transmission security
Administrative safeguards include:
- Security management process
- Assigned security responsibility
- Workforce security
- Information access management
- Security awareness and training
- Security incident procedures
- Contingency plan
- Evaluation
- Business associate contracts and other arrangements