In this day and age of rampant cybercrime, protecting a patient’s electronic health information is of the utmost importance. But, how do you know if the protections are adequate? Well, that’s where the HIPAA Security Rule comes in.
What is the difference between the privacy and security of health information?
With respect to health information, privacy is defined as the right of an individual to keep his/her individual health information from being disclosed. This is typically achieved through policy and procedure. Privacy encompasses controlling who is authorized to access patient information; and under what conditions patient information may be accessed, used and/or disclosed to a third party. The HIPAA privacy Rule applies to all protected health information.
Security is defined as the mechanism in place to protect the privacy of health information. This includes the ability to control access to patient information, as well as to safeguard patient information from unauthorized disclosure, alteration, loss or destruction. Security is typically accomplished through operational and technical controls within a covered entity. Since so much PHI is now stored and/or transmitted by computer systems, the HIPAA Security Rule was created to specifically address electronic protected health information
Now, the HIPAA Security Rule isn’t extensive regarding the regulatory text. However, it is quite technical. It is the codification of specific information and technological best practices and standards.
The HIPAA Security Rule mainly requires the implementation of three key safeguards, that is, technical, physical, and administrative. Other than that, it demands certain organizational requirements and the documentation of processes, as it is with the HIPAA Privacy Rule.
Developing the necessary documentation for the HIPAA Security Rule can be complex, compared to the requirements of the HIPAA Privacy Rule. Healthcare providers, especially smaller ones, need to be given access to HIT (Health Information Technology) resources for this purpose.
Having said that, the HIPAA Security Rule is designed to be flexible, which means covering all the required aspects of security shouldn’t be tough. There is no need for leveraging specific procedures or technologies. Organizations are allowed to determine the kind of resources necessary for ensuring compliance.
Read the rest of this post »