The Security Rule Of The HIPAA

The acronym HIPAA stands for the Health Insurance Portability and Accountability Act, which Congress voted to enact in 1996. The HIPAA was designed to address several issues related to health insurance coverage and confidentiality of medical data. One of the regulations put in place according to the HIPAA is the Security Rule, which was confirmed in 2003, and had a compliance data of 2005. While the Security Rule is similar to the Privacy Rule in that it was put in place to protect the confidentiality of personal medical records, it differs from the Privacy Rule in that it deals solely with electronic information. The three security areas that fall under the influence of the Security Rule are the administrative, physical, and technical areas.

The Administrative Aspect

Compliance with this part of the Security Rule requires that medical facilities create and follow a standard privacy procedure. A privacy officer must also be designated, who will be responsible for drawing up and enacting this privacy procedure. Under the security procedures, employees allowed access to sensitive electronic health information must be clearly identified. Such access must be limited to employees who require such information in order to properly carry out their job functions. The company must also ensure that any employees obtained through outsourcing come from an external company that also has a privacy procedure and complies with HIPAA regulations. Contingencies for situations such as backup of data and data recovery must be covered, and frequent audits should be conducted and properly documented.

The Physical Aspect

This portion of the Security Rule governs the safety and physical access aspects of the hardware and software used in the processing and storage of medical information. There must be a system in place to permit physical access only to those who are authorized to do so. Maintenance records, security checks, and visitor sign-ins must be carefully monitored and documented for future reference. Any monitor screens that are used to display sensitive medical information must be situated such that unauthorized persons will not be able to view content displayed on the screens. Areas with high human traffic should also be avoided. The disposal of old equipment must be conducted carefully, and care must be taken to ensure that no sensitive information is contained in any of the equipment being disposed of.

The Technical Aspect

This section of the Security Rule is concerned with ensuring that the computer and network systems are secure against external intrusion and that data being transmitted across the network is safe from interception by unauthorized parties. Information transmitted on open networks must be encrypted, and authentication procedures such as user names and passwords must be put in place to prevent unauthorized access. In addition, data should not be changed in any way, and data corroboration will be carried out in order to ensure the integrity of the data.

Medical facilities are required by law to follow the many regulations of the HIPAA Security Rule. All this is done so as to ensure the safety and integrity of any personal medical information stored and processed electronically, and to prevent such information from inadvertently falling into the wrong hands.

Leave a comment | View Comments