Any company that handles patient health records, or that provides services to companies that work with patient health information, must ensure that all required physical, network and process security measures are in place and followed in accordance with the HIPAA Privacy and Security Rules. The Security Rule requires Covered Entities to maintain reasonable and appropriate administrative, technical and physical safeguards for protecting electronic protected health information (e-PHI). Specifically, Covered Entities must:
• Ensure the confidentiality, integrity and availability of all e-PHI they create, receive, maintain or transmit;
• Identify and protect against reasonably anticipated threats to the security or integrity of the information;
• Protect against reasonably anticipated, impermissible uses or disclosures; and
• Ensure compliance by their workforce.
The HIPAA Security Rule defines “confidentiality” to mean that e-PHI is not made available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the HIPAA Privacy Rule’s prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes two additional goals: maintaining the integrity and the availability of e-PHI. “Integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on demand by an authorized person.
HIPAA COMPLIANCE: ADMINISTRATIVE SAFEGUARDS
• Security Management Process. Identify and analyze potential risks to e-PHI, and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
• Security Personnel. Designate a security official who is responsible for developing and implementing the entity’s security policies and procedures.
• Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the “minimum necessary,” the Security Rule requires a Covered Entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient’s role (role-based access).
• Workforce Training and Management. Provide appropriate authorization and supervision of workforce members who work with e-PHI, train all workforce members on the entity’s security policies and procedures, and have and apply appropriate sanctions against workforce members who violate those policies and procedures.
• Evaluation. Perform a periodic assessment of how well security policies and procedures meet the requirements of the Security Rule.
HIPAA COMPLIANCE: PHYSICAL SAFEGUARDS
• Facility Access and Control. Limit physical access to its facilities while ensuring that authorized access is allowed.
• Workstation and Device Security. Implement policies and procedures to specify proper use of and access to workstations and electronic media. A Covered Entity also must have in place policies and procedures regarding the transfer, removal, disposal and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
HIPAA COMPLIANCE: TECHNICAL SAFEGUARDS
• Access Control. Implement technical policies and procedures that allow only authorized persons to access e-PHI.
• Audit Controls. Implement hardware, software and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
• Integrity Controls. Implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
• Transmission Security. Implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.