Digital Age MD

HIPAA Security Standards

The HIPAA Security Standards apply to all protected health information (PHI) that is transmitted by or maintained in electronic media.  Electronic PHI, or EPHI, includes not only electronic health records (EHRs), but also PHI that is sent via email, transmitted to a clearinghouse in an electronic file, or faxed by a computer-to-computer fax system.  It does not include PHI that is faxed over a phone line.  The Security Standards apply to health plans, healthcare clearinghouses, and health care providers who maintain or transmit EPHI.


A health care provider with EPHI must use reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of EPHI.  In using the terms "reasonable and appropriate", the Dept. of Health and Human Services (HHS) means to indicate that the protections required under the Security Standards are "scalable" to the scope of the provider's operations.  For example, a large hospital with a full-scale inpatient EHR and its own IT department will be expected to expend more money and time assuring compliance with the Security Standards than a physician practice that uses EPHI only for billing and registration.  However, the practice will still be expected to take reasonable measures to protect its EPHI, based on its particular risks.  This means not only preventing unauthorized access and disclosure, but also protecting EPHI from improper alteration or loss of data.

HHS has used an unusual format in establishing the Security Standards.  The Standards consist of broad policy-type statements, followed by specific implementation specifications.  HHS has designated some of the implementation specifications as required, and some as addressable.  "Addressable" does not mean optional, however.  The practice still must meet the general policy goal, but may use a method other than the specific means described in the addressable implementation specification.

Administrative safeguards include:


  • implementing a security management process, including conducting a risk analysis, implementing security measures suggested by outcome of the risk analysis, adopting a policy to discipline any persons who fail to comply with security policies, and regularly reviewing system activity to identify any security problems;
  • appointing a designated security official;
  • establishing policies to assure that, for each person in the practice who has access to EPHI, his/her access is limited as appropriate to his/her role, and that access is terminated when he/she leaves the practice;
  • adopting procedures to control access to EPHI;
  • conducting security awareness training for all users on security precautions, including appropriate use of passwords;
  • addressing security incidents (such as unauthorized access or disclosure, or loss of data);
  • establishing contingency plans to respond to environmental hazards such as fire or loss of power, or to system failure.  This must include regular maintenance of backup data, adoption of a disaster recovery plan, and adoption of an emergency plan on how to continue operations when access to EPHI is disrupted;
  • conducting periodic technical and nontechnical reevaluation of security procedures; and
  • including written requirements in contracts with business associates obligating the business associate to use reasonable and appropriate safeguards.


Physical safeguards include:

  • appropriate facility access controls, such as locating computers in a secure area and taking precautions against theft of equipment that could contain EPHI;
  • controlling access to and security of workstations; and
  • controlling devices and storage media containing EPHI, including assuring that all EPHI is totally removed from a device before disposal, and maintaining appropriate backup and storage procedures.


Technical safeguards include:

  • controlling access to EPHI by requiring log-in with a unique user ID and password, setting workstations to log off after a period of inactivity, and establishing procedures for access to EPHI in an emergency;
  • adopting audit controls to examine system activity;
  • authentication of EPHI, and of each person accessing it; and
  • procedures to protect EPHI during transmission, such as encryption.


In its introduction to the Security Standards, HHS noted that the National Institute of Standards and Technology (NIST) has many helpful publications on information system security.




Last Updated ( Sunday, 13 June 2010 13:04 )