Today, healthcare providers rely on electronic devices and information systems that allow smooth and efficient delivery of their services. They use clinical applications such as CPOE (computerized physician order entry), EHR (electronic health records), radiology, pharmacy, and laboratory systems. While this lets physicians check patient records and test results easily, the dependency on such technologies creates security risks that can compromise private and personal health information.
What measures and rules are in place to safeguard health information stored and transferred electronically?
HIPAA, the Health Insurance Portability and Accountability Act of 1996, authorized regulations to protect the privacy and security of certain health information. To do this, HHS (the U.S. Department of Health and Human Services) put in place the HIPAA Privacy Rule and the HIPAA Security Rule.
Prior to these regulations, there were no set security standards to protect health information.
What is the Privacy Rule and what is the Security Rule?
The Privacy Rule sets the standards for protecting certain information, and the Security Rule operationalizes the protections set forth in the Privacy Rule by detailing both the non-technical and technical safeguards that organizations ("covered entities") must put in place to secure "electronic protected health information" (e-PHI). While the Privacy Rule protects the privacy of all individually identifiable health information, the Security Rule protects a subset of that information, namely e-PHI. The government unit responsible for enforcing HIPAA's Privacy and Security Rules is the Office of Civil Rights.
The main purpose of the Security Rule is to protect the privacy of individuals' health information while allowing organizations to adopt innovative technologies that improve the quality and efficiency of patient care. It is designed to be flexible and scalable so that an organization of any size, structure, and risk profile for its consumers' e-PHI can implement its own appropriate policies, procedures, and technologies.
The general rules of the Security Rule are as follows:
- The Security Rule applies to health plans, health care clearinghouses, any healthcare provider who handles electronic health information in connection with a transaction for which HHS has established standards under HIPAA, and their business associates.
- To protect e-PHI, the Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards. Thus, covered entities must:
  - Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit;
  - Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  - Protect against reasonably anticipated, impermissible uses or disclosures; and
  - Ensure compliance by their workforce.
- The Rule does not dictate specific measures but requires the covered entity to consider:
  - Its size, complexity, and capabilities;
  - Its technical, hardware, and software infrastructure;
  - The costs of security measures; and
  - The likelihood and the possible impact of potential risks to e-PHI.
- The Security Rule includes Administrative Safeguards provisions that require covered entities to perform a risk analysis. Risk analysis includes:
  - Evaluating the likelihood and impact of potential risks to e-PHI;
  - Implementing appropriate security measures to address the risks identified in the risk analysis;
  - Documenting the chosen security measures and, where required, the rationale for adopting them; and
  - Maintaining continuous, reasonable, and appropriate security protections.
Because the environment keeps changing, covered entities must regularly review and modify their security measures to continue protecting e-PHI.
What if federal law conflicts with state law?
In general, where a state law conflicts with the HIPAA regulations, the federal regulations apply.
With so much personal health information managed electronically, HIPAA's regulatory requirements must keep pace to protect private information. Leaving flexibility in what counts as appropriate administrative, technical, and physical safeguards allows the Rule to cover all kinds of organizational setups and situations. It is important that healthcare organizations keep their policies and measures up to date and appropriate for their own circumstances so that they can work in a trusted, efficient environment.