What is HIPAA?

Security Standards

Overview:
There is often confusion about the difference between privacy, confidentiality and security. In the context of HIPAA, privacy determines who should have access, what constitutes the patient' s rights to confidentiality, and what constitutes inappropriate access to health records. Confidentiality establishes how the records (or the systems that hold those records) should be protected from inappropriate access. Security is the means by which you ensure privacy and confidentiality.

Background:
One of the provisions of HIPAA calls for electronic data interchange (EDI) transaction standards. The logic behind the set of requirements was that it would facilitate the computer-computer exchange of information throughout the care delivery system. Making these transactions easier, however, may increase the risk of inappropriate access to sensitive information. Consequently HIPAA also calls for security standards.

Goal:
The new security standards were designed to protect all electronic health information from improper access or alteration, and to protect against loss of records. Health plans, health care clearing houses, and health care providers would use the security standards to develop and maintain the security of all electronic individual health information. The Security and Electronic Signature Standards have set the minimum level or Floor of security for individually identifiable health information maintained in or transmitted by health care organizations. The electronic signature standard is applicable only with respect to use with the specific transactions defined in the Health Insurance Portability and Accountability Act of 1996, and when it has been determined that an electronic signature must be used.

Specifics:
The proposed regulation on Security standards has categorized the requirements into six categories: administrative procedures; physical safeguards; security configuration management; technical security services, technical mechanisms, and electronic signatures. Although the requirements in these categories overlap, they are intended to help organizations understand the different types of requirements needed for a comprehensive security approach.

Administrative Procedures:

  • Certification
  • Chain of trust Partner Agreements
  • Contingency Plan
  • Formal Mechanism for Processing Records
  • Information Access Control
  • Internal Audit
  • Personnel Security

Physical Safeguards:

  • Assigned Security Responsibility
  • Media Controls
  • Physical Access controls
  • Policy / Guidelines on Workstation Use
  • Secure Workstation Location
  • Security Awareness Training
Security Configuration Management:
  • Security Incident Procedures
  • Security Management Process
  • Termination Procedures
  • Training
Technical Security Services:
  • Access Controls
  • Audit Controls
  • Authorization Controls
  • Data Authentication
  • Entity Authentication
Technical Security Mechanism:
  • Communication/Networking Controls
  • Network Controls
Electronic Signature:
  • Digital Signature
Each health care organization is also required to designate someone as having the responsibility of ensuring that the company complies with the minimal level of security as outlined in the regulations.

Impact:
Whether your organization's current security infrastructure meets the minimum security standards or not, every organization covered by the standards will need to have the ability to demonstrate that effective management, operational, and technical controls are in place and that they comply with the minimum level.

Benefits:
This will ensure the confidentiality of individually identifiable health care data.

[Prev] [Top] [Next]