Written by Daniel Chung
The electronic age has taken over healthcare. Patient information that was once viewed on clipboards and in manila folders is now seen behind a screen, partly thanks to the American Recovery and Reinvestment Act of 2009 (ARRA), and specifically the Health Information Technology for Economic and Clinical Health Act (HITECH), which pushed for the conversion of patient health information (PHI) to electronic records by this year (2014).
Unfortunately, the accelerated transition to digital technology brought with it concerns about protecting electronic patient health information (ePHI). To mitigate the data security risks associated with ePHI, the Health Insurance Portability and Accountability Act (HIPAA) enforces a set of compliance rules and regulations for healthcare providers. Yet, despite these regulations, healthcare providers are having trouble preventing HIPAA violations, which can affect the overall quality of patient care.
Read: HIPAA explained by U.S. Department of Health & Human Services
Security Rule and the Privacy Rule
HIPAA compliance rests on two main rules: the Security Rule and the Privacy Rule. The two rules go hand in hand in protecting PHI but have distinct differences. The Privacy Rule focuses on the individual’s rights over their personal information and covers the confidentiality of PHI, whereas the Security Rule focuses on three separate categories of safeguards for protecting ePHI and is built on the fundamental concepts of flexibility, scalability, and technology neutrality. So, as medical technology advances, the Security Rule aims to give healthcare providers a secure environment for handling ePHI by regulating data protection procedures through administrative, physical, and technical safeguards.
Read: More information on the Security Rule
Read: More information on the Privacy Rule
The Three Safeguards of the Security Rule
Administrative Safeguards
“…administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
The Administrative safeguards account for over half of the HIPAA Security Rule requirements and focus on the execution of security practices for protecting ePHI. They implement policies that aim to prevent, detect, contain, and correct security violations, and they can be seen as the groundwork of the HIPAA Security Rule. By laying a solid security foundation covering security management processes, assignment of responsibility, enforcement of workforce security, information access, training, and plans and protocols for the event that a breach does occur, the covered entity can be better prepared, reducing the impact of breaches or preventing them altogether.
Read: Administrative Safeguards for HIPAA from HHS
Physical Safeguards
“…physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
Physical safeguards are the implementation standards governing physical access to information systems, equipment, and facilities, including access to such systems outside the actual building, such as at a physician’s home. The physical safeguards cover facility access to information systems and equipment, workstation use and security, and management of media devices that may contain ePHI. Physical safeguards work together with the Administrative and Technical safeguards so that the covered entity can put specific procedures in place to protect electronic information systems, building facilities, and equipment.
Read: Physical Safeguards for HIPAA from HHS
Technical Safeguards
“…the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
One of the fundamental concepts of the HIPAA Security Rule is technology neutrality, meaning that no specific technologies must be adopted. It is up to the covered entity to adopt security technology that is reasonable and appropriate for its specific situation. The Technical safeguards cover access control, audit controls, maintaining information integrity, entity authentication, and security during transmission of ePHI. They apply to all ePHI and are in place to protect and control access to it while still allowing covered entities the flexibility to select the technology best suited to their situation, since healthcare providers come in all different shapes and sizes.
Read: Technical Safeguards for HIPAA from HHS
The Double-edged Sword
The HIPAA Security Rule is in place to protect patient information from the inherent security risks of the digital world. New technology may allow for better efficiency, which can lead to better care for patients, but it is a double-edged sword. Though HIPAA was put in place to protect patient information and create a solid foundation for a secure environment, the regulations are often difficult to follow, which can end up costing the covered entity. The covered entity must seek help in becoming HIPAA compliant and limiting breaches by assessing its own security needs, obtaining security consultation, and finding appropriate technology.