Bee-Informed! MDCPS Employee Benefits Open Enrollment 2024

Full-time and Part-time Food Service employees must enroll!

If you do not enroll, your benefits will terminate on:

December 31, 2023

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. It provides privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.

The HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other protected health information (PHI) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

The HIPAA Security Rule

The provisions of the Security Rule apply to electronic protected health information (ePHI). It sets the standards for ensuring that only those who should have access to ePHI actually have access. The security standards are divided into the categories of administrative, physical, and technical safeguards. Regulatory definitions of the safeguards can be found in the Security Rule at 45 CFR § 164.304.

  • Administrative safeguards: In general, these are the administrative functions that should be implemented to meet the security standards. These include assignment or delegation of security responsibility to an individual and security training requirements. (For more information, see 45 CFR § 164.308 and paper 2 of this series, titled “Security Standards – Administrative Safeguards”.)
  • Physical safeguards: In general, these are the mechanisms required to protect electronic systems, equipment and the data they hold from threats, environmental hazards and unauthorized intrusion. They include restricting physical access to ePHI and retaining off-site computer backups. (For more information, see 45 CFR § 164.310 and paper 3, “Security Standards – Physical Safeguards”.)
  • Technical safeguards: In general, these are primarily the automated processes used to protect data and control access to it. They include using authentication controls to verify that the person signing on to a computer is authorized to access that ePHI, and encrypting and decrypting data as it is stored and/or transmitted. (For more information, see 45 CFR § 164.312 and paper 4, “Security Standards – Technical Safeguards”.)

HIPAA Breach Notification Rule

This rule is part of the Health Information Technology for Economic and Clinical Health (HITECH) Act. It requires HIPAA-covered entities to notify the Secretary of the Department of Health and Human Services about any breach of protected health information within 60 days of its discovery. Affected patients are also sent notification letters within 60 days of the breach discovery.

HIPAA Omnibus Rule

The Omnibus Rule introduced important changes to the HIPAA Privacy Rule, Security Rule and Breach Notification Rule. One important change is the requirement that business associates and subcontractors of HIPAA-covered entities implement ePHI protections as required by the HIPAA Security Rule; non-compliance will result in fines. Another important change allows covered entities not to report a breach, provided they can prove it caused no significant harm.

Tools and Resources

FAQ

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996 that specifies laws for the protection and use of Personal (or Protected) Health Information (PHI). It provides privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers. Developed by the Department of Health and Human Services, these standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed.

What is protected health information (PHI)?

Protected health information (PHI) is individually identifiable health information that is held or transmitted by a covered entity (or its business associate) in any form or media, whether electronic, paper, or oral. Individually identifiable health information includes common identifiers such as name, address, social security number, date of birth, or any other information that can be used to identify the individual.

The HIPAA rules refer to “covered entities.” What are they?

A covered entity is any healthcare provider, including hospitals, physicians, pathology labs, radiation facilities, insurance companies, and data processors, that transmits any health information in electronic form for financial and administrative transactions.

How much personal information may be released to family members over the phone?

We may release personal information to anyone that the employee has identified as the recipient of such information. If no authorization to release any information has been provided by the employee, then we will not be able to assist any family member over the phone or in person.