HIPAA Administrative, Physical, and Technical Safeguards

HIPAA Administrative, Physical, and Technical Safeguards

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules protect health information’s privacy and security and provide individuals with certain rights to their health information. The HIPAA Privacy Rule sets standards in order to protect PHI retained by such organizations and their business partners, health plans, clearinghouses for health care, and health care providers that perform such electronic medical transactions. The Privacy Rule grants individuals’ fundamental rights to their safeguarded PHIs, including the right to access and obtain copies of health records as required and to request correction of data. The Privacy rule also provides for the use and disclosure of information required for patient care and other essential purposes. The HIPAA security rule describes safeguards to ensure ePHI privacy, fairness and accessibility for covered entities and their business partners. (Moore & Frye, 2019)

According to The U.S. Department of Health and Human Services (HHS), “actions, policies, and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information” are known as administrative safeguards. (HHS, 2019) Administrative safeguards have been developed to help lay the groundwork for the security program of the covered entity and secure protected electronic health information. Security management system is the first standard under administration; an agency covered must enforce policies and procedures to avoid, identify, locate, and correct breaches of security. Next is the assigned responsibility for security; this standard requires the appointment of a security officer who is responsible for policy and procedures development and implementation. Workforce security; a covered entity should enforce policies and procedures under this standard to ensure that all staff members have sufficient access to ePHI, as well as to prevent access to it by those staff members who have no permission. Management of Information Access; this standard relates to the application of ePHI access authorization policies and procedures. Security awareness and training; for all members of its staff, including doctors and administrators, a covered entity must have a security awareness and training program under this standard. Security incident procedures are covered entities that need policies and procedures in place to address security incidents. The aim of the contingency plan standard is to set up policies and procedures for covered entities to respond to emergencies or other incidents (fire, damage, natural disasters, etc.) that may affect ePHI-containing systems. In response to environmental and organizational changes affecting ePHI safety, the evaluation standard requires covered entities to perform periodic technical and non-technical assessments. The final standard, Business Associate Contracts and Other Arrangements is linked to a covered entity’s relationship with the vendors it uses. It notes that the entity covered may authorize a business partner to establish, obtain, retain or transfer ePHI on behalf of the covered entity only if the covered entity receives the appropriate assurances. (Shay, 2017)

Close attention to physical safeguards is one of the most neglected aspects of health IT safety. Physical safeguards consist of security controls, policies and procedures to protect the electronic information systems and associated buildings and facilities of the agency concerned from natural and environmental hazards and unwanted interference. (HHS, 2019) The first standard under the physical safeguards is facility access control. This means, when it comes to physical access to their services, providers must serve as gatekeepers to ensure that only approved users can access sensitive information. An electronic computing device, such as a laptop or a desktop or any other equipment that performs similar functions and the electronic media stored in their immediate environment is classified as a workstation in the workstation use and security standard. The final standard is device and media controls, which is defined as policies and practices regulating the reception and disposal in and out of a facility and the transfer within an institution of hardware or electronic media that contain electronically protected health information. To providers, it is necessary to review the rules and regulations since they are not as comprehensive as technical safeguards like encryption and even administrative protections in the event of data breaches. (Shay, 2017)

Although no health organization can guarantee that a breach of information never occurs, it can go a long way to reducing the likelihood of a security issue by introducing technological safeguards. Technical safeguards are, according to the HIPAA Security Rule, the technology, policies and procedures for its use that protect and control access to electronic protected health information. (HHS, 2019) Basically, any security measures should be used by a covered entity to allow it to enforce the required protection standards fairly and adequately. The first and foremost standard is security of transmission also known as encryption, which transforms data into code. When it comes to encryption, you want the highest number, because the higher the rate, the greater the protection. Secondly is authentication which tests whether people are who they say they are when seeking access to e-PHI. Next is access control, ensuring that a person other than an official, specially identified user has not unauthorized access to the devices. Audit control produces an audit trail through the processes of hardware, code and/or procedures. Finally, the integrity standard guarantees that there is no unauthorized alteration of electronically transmitted e-PHI without detection before e-PHI is disposed of. In a comprehensive software package, each regulation can be met individually or through cost-effective solutions that meet all technical safeguards. (Shay, 2017)

It is important for the long-term success of covered entities to achieve and maintain compliance with the Health Insurance Portability and Accountability Act, commonly referred to as HIPAA. While data breach rates increase and the extent of their potential impact, so does the need to make HIPAA enforcement a pillar of the risk management strategy for patient data protection. Software infringements or other violations of HIPAA security rules can lead to remediation, financial penalty, reputational damage and patent reassurance loss. Each of these consequences of failure to comply can have a profound impact on a company or business partner’s future success. As such, a robust risk management approach for patient data protection is essential for recognizing and mitigating the chance of non-compliance. (Soni, 2018)

References

• Moore, W., & Frye, S. A. (2019). A Review of the HIPAA, Part 1: History, PHI, and Privacy and Security Rules. Journal of nuclear medicine technology, jnmt-119.
• U.S. Department of Health and Human Services, & Public Affairs. (2019). Safeguards. Retrieved from https://www.hhs.gov/hipaa/for-professionals/faq/safeguards/index.html.
• Shay, D. F. (2017). The HIPAA Security Rule: Are You in Compliance?. Family practice management, 24(2), 5-9.
• Soni, P. (2018). Implications of HIPAA and Subsequent Regulations on Information
• Technology. In Information Technology Risk Management and Compliance in Modern
• Organizations (pp. 71-98). IGI Global.