Defined by the Department for Health and Human Services
“The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.”
The Technical Side:
Technology is used today to exchange health information in an electronic environment. The use of this technology will greatly enhance the delivery of health care, prevent medical errors, reduce health care costs, increase administrative efficiencies, decrease paperwork, and expand access to affordable health care. While this technology will greatly improve the medical industry's care for patients, it is imperative that the confidentiality and security of this health information be ensured.
Many organizations have made great strides in working toward meeting the Health Insurance Portability and Accountability Act of 1996, while others have not.
In most cases, the regulations apply to customers that need to demonstrate compliance and are subject to audits.
Comm Solutions is ready to assist you by assessing your environment and recommending steps that bring you closer to being HIPAA compliant, addressing some of the Administrative Safeguards that are required to be met.
Below are a few examples taken from the Administrative Safeguards (Section 164.308) of the Health Insurance Portability and Accountability Act of 1996.
164.308(a)(5)(ii)(B) – PROTECTION FROM MALICIOUS SOFTWARE
HIPAA Text: “[Organization must have] procedures for guarding against, detecting and reporting malicious software.”
164.308(a)(6)(ii) – RESPONSE and REPORTING
“Identify and respond to suspected or known security incidents; mitigate to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.”
164.308(a)(4)(ii)(B) – ACCESS AUTHORIZATION
“Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.”
The full listing of Administrative safeguards can be found here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf