A Discussion of HIPAA Security Safeguards
HIPAA security safeguards are now the most important feature of an organization’s security plan. The National Institute of Security and Protection of Information (NISI) defines HIPAA as the Health Insurance Portability and Accountability Act of 1996. HIPAA specifies guidelines for protected health information and sets the rules for health information custodians. The guidelines are intended to provide comprehensive protection for an individual’s private health information. HIPAA security safeguards are incorporated into the programs and systems that organizations use to guarantee proper handling of patient health information.
HIPAA security safeguards are integrated into various business processes, including electronic health record (EHR) management, carrier-driven models of software and hardware, and database management. The HIPAA guidelines state that a covered entity must comply with both the Privacy Rule and the Security Rule. A covered entity must also comply with the Rule when it performs software or hardware conversions or updates to its system that are necessary to operate properly according to HIPAA standards. In addition, the Security Rule requires a covered entity to implement a system that tracks electronic data interchange and transfers to and from electronic medical records and secure data storage devices.
The Security Rule states that covered entities are responsible for ensuring appropriate security measures are in place to protect the rights of individuals. According to the rule, a covered entity may not perform security measures that rely on unrealistic assumptions about the level of risk or vulnerability of its system or information. A covered entity must ensure that its technical security safeguards procedures and activities do not violate the Privacy Rule.
HIPAA Security Safeguards
One of the major objectives of HIPAA is to set the standards for how an organization should handle its protected health information. The Security Rule states that covered entities must take “all reasonable steps” to prevent the unauthorized release of protected health information. A covered entity that uses reasonable physical measures to protect the privacy of its patients does so “in an efficient and consistent manner.” In addition, under the Security Rule, if a security risk assessment determines that a security risk exists, a covered entity must take steps to mitigate that risk. Those measures may include the use of EMAIL as an encryption key or password, implementation of physical measures to protect sensitive electronic medical information, and use of EMAIL as a secure storage location for patient records.
Another objective of HIPAA is to provide protection to individuals whose personal health information is accessed. For example, to comply with the Security Rule, a covered entity must take reasonable steps to protect the privacy of a patient’s medical records. Similarly, physical safeguards refer to those measures a covered entity takes to protect sensitive information stored in computer systems. Computer viruses, Trojans, worms, spoofing, and tampering are examples of physical safeguards. Implementation of physical safeguards also depends on whether the covered entity’s information technology infrastructure is designed to comply with the HIPAA guidelines.
The fourth objective of HIPAA is to protect against the abuse of electronic medical records by persons not authorized to access such records. For example, one technical safeguard a covered entity may implement through EMR integration is “assigning a unique user ID and password for processing and authorized retrieval of patient medical records.” Although such a technical safeguard is considered a reasonable means of preventing abuse of patient records, it does not address the abuse of information systems.