HIPAA Resource Center
HIPAA Security
Security Standards Final Rule
Even though the security rules will not go into effect until 2005, security issues are closely tied to the Privacy Rule, which is already in force. The security rules, which cover only electronic PHI (ePHI), allow covered entities to scale their safeguards according to their size and technological scope.
Documentation is a key part of security rule compliance. The rules distinguish between addressable and required standards. To ensure compliance, covered entities should have a security management process in place that includes risk analysis and risk management, a sanctions policy, and regular review of information system activity. Source: HIMSS
Security Rule To Do List
Security To Do List - Practical administrative planning & implementation tips for the HIPAA Security Rule.
What are the elements?
Physical Safeguards
- assign security responsibility
- develop physical access controls
- develop policies on workstation use
- secure workstation location
- facility access controls
- device and media controls
Administrative Safeguards
- fully documented policies, procedures and practices that are used by a covered entity to handle protected health information
- security awareness and training
- develop a contingency plan (i.e., backup and disaster recovery, emergency mode operation plan)
- security incident procedures
Network Security
- access control - unique user identification, automatic logoff
- entity authentication - verifying identity so that data is available only to authorized individuals
Data Integrity
- encryption for the transmission of data is an addressable provision
- guard data integrity
- protect the confidentiality of data
System Review
- auditing and reporting
- alarms for unauthorized use
Security Resources
- Addressable vs Required Security Standards Matrix [pdf] - WEDI
- Security Audits - AHIMA
- National Institute of Standards & Technology Security Metrics Guide [pdf]
- Information Security - An Overview - AHIMA
- Security Risk Analysis and Management: An Overview - AHIMA
- Understanding the final rule. HIMSS Briefing, presented by Tom Walsh, CGT Healthcare Solutions (ppt format)
- FAQs: HIPAA Security Rule - HHS
- Authentication technology and enterprisewide policies, in addition to defensive tools, are key.
- Overview of the HIPAA Security Rule - HIPAAdvisory
- Disaster Planning for Healthcare Organizations - AHIMA
- Options for Storage & Disposal of Medical Records
- Impact on HIPAA Security Rules for Providers - SANS Institute
- Email Security and Addressing HIPAA
- Portable Computer Security - AHIMA
- Translating the Language of Security - AHIMA
- A Problem-Oriented Approach to the HIPAA Security Standards - American Academy of Family Physicians
Did You Know?
- URAC now provides a HIPAA security accreditation program. Although URAC accreditation is not intended as a guarantee of HIPAA compliance, accreditation will be an indicator of good faith efforts toward an effective HIPAA compliance program.
- Fax technology is covered by the HIPAA security rule.
- Data backup and storage needs to be in a secure location.
- Media needs to be appropriately disposed of.
- Disaster Recovery - you should have a contingency plan to restore data.
- Find out how secure your server is. Is it in a climate controlled, secure area? Prior to access, how are staff identified?
- New employee orientation should include training on information systems security.
- Continuing system security training should be administered for all system users.
HIPAA Security Articles & White Papers
Data guard: The next HIPAA mandate
By this time next year, you will be required to guarantee the security of everything on your computer, from patient files to e-mail. Experts offer tips on getting started.
A Reasonable Approach to Security
Security assessment not only ensures HIPAA compliance, but also enables the organization to adequately allocate security resources.
The Need for Training for the Handling of ePHI
Training in the handling of ePHI is not only essential, but also a requirement of the HIPAA Security Rule. To mitigate liability and to be compliant, all covered entities must provide ongoing training to all personnel who handle ePHI.
The Next HIPAA Compliance Hurdle
Another HIPAA compliance date is not as far away as you might think. HealthLeaders member Patricia King offers some tips for getting security compliance on your team's list of IT projects this year.
HIPAA's Final Security Rule
Covered entities will likely need to spend less to implement security to comply than what was specified in HIPAA's proposed security rule.
Introduction to the Security Rule
White paper provided by WEDI.
Small Practice Security Implementation
White paper provided by WEDI discusses HIPAA security assessment scaled for the small provider.
Email and Encryption
White paper provided by WEDI discusses email and encryption.