- Kay L. Bowman
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the security, privacy and electronic exchange of health information. Together these are recognized as the Administrative Simplification provisions. (Health Information Privacy, n.d.)
A major objective of the Privacy Rule is to declare that individuals’ health information is properly protected while permitting the course of health information sought to safeguard the public’s health and well-being and to provide and support high quality health care. (AARP Real Possibilities, n.d.)The Rule attains a balance that allows for use of important information, while shielding people’s privacy who pursue medical or dental care. Organizational actions, policies, and procedures to conduct the development, selection, maintenance and implementation of security procedures to safeguard Protected Health Information (PHI) and to manage the behavior of the covered entity’s personnel in correlation to the protection of that information.
The Importance of HIPAA: Keeping Health Information Private
To protect the dependability, privacy and obtainability of electronic health data, HIPAA recommends several requirements that should be integrated in the final health care security standard. A security standard is individually identifiable information that is held (created or received) or disclosed by a covered entity that can be communicated electronically, verbally, or in written (paper) formats is protected. Information that contains communicates to the past, present, or future mental or physical condition of an individual; provisions of healthcare to an individual; or payment of care provided to an individual is transmitted or maintained in any form (electronic, paper, or oral representation) which identifies or can be used to identify the individual is protected. (kgriffin62, n.d.)
When disclosing Protected Health Information – a covered entity must use of disclose only the minimum necessary PHI required to accomplish the purpose of use of disclosure. Exceptions to minimum necessary include the following reasons are treatment, purposes for which an authorization is signed and disclosures required by law.
There are also rules for access including but not limited to:
- Availability to computer systems and information is based on work duties and responsibilities
- Availability privileges are limited to only the minimum necessary information you need to do your work
- Availability to an information system does not automatically mean that you are authorized to view or use all the data in that system
- Diverse levels of availability for personnel to PHI is intentional
- If job duties changes, clearance levels for access to PHI is re-evaluated
- Availability is eliminated if employee is terminated or on leave
- Availability to ePHI is granted only to authorize individuals with a “need to know.”
- Computer equipment should only be used for approved purposes in the pursuit of completing your specific duties.
- Installation of software without prior written approval is prohibited.
- Disclosure of ePHI via electronic means is strictly forbidden without appropriate written authorization. (Chapter 9: Security & Privacy of Data in Healthcare-HIPAA Security Rules, n.d.)
The bottom line is assurances that systems and applications provide suitable confidentiality, integrity, obtainability and operate effectively. As well as, protect information proportionate with the level of risk and scale of harm resulting from loss, misuse, modification, or unauthorized access.
HIPAA has guidelines that pertain to computer equipment used to participate in any action that is in violation of the companies’ policies and procedures or is illegal under local, state, federal, or international law. To protect the agency as well as the individual agencies will monitor logon attempts to the network. All agencies software and computer systems are available for audit. The agencies network access will be monitored with audit logging software. All ePHI accessed remotely or stored must be retained under the same security procedures as for data accessed within the agencies network physical walls. This applies to home equipment Internet based storage (Cloud) and home equipment of data. All ePHI access from off-site location should be kept in such a technique as to be inaccessible from view. A structure must be in place to guarantee recovery from any damage to data or computer equipment within a realistic time period constructed on the criticality of purpose. Each department must govern and document data sensitivity, criticality, and vulnerabilities. Each department must formulate and document a backup, business continuity, and disaster recovery plan.
Physical Safeguards – “the security measures to protect a covered entity’s electronic health information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.” (HIPAA Security Series, 2007) Storage of backup data must be located in an off-site location. Backup data must be safeguarded with the same strength of security as the original data. Electronic assets must be protected from theft and physical damage. “All electronic devices containing ePHI should be secured behind locked doors when applicable. All applicable agencies electronic media containing ePHI should be marked as confidential. Special security consideration should be given to portable devices (tablets, laptops, smart phones, digital cameras, digital camcorders, external hard drives, CDs, DVDs, USB “drives,” and memory cards) to protect against damage and theft.” (Zikos, n.d.) Private Health Information must never be kept on mobile computing equipment or storage medium unless the following minimum constraints are met:
- Power-on or boot passwords
- Auto logoff or password protected screen savers
- Encryption of stored data by adequate encryption software approved by the HIPAA Trained Security Officer.
File Servers and all other types of mass storage devices must be located in access-controlled areas to avert damage, theft, and admittance to unauthorized personnel. This area must provide applicable levels of protection against water, fire and other environmental exposures such as flooding and tornados. Add-ons to or changes of the agencies network is strictly forbidden. This includes: physical connections via fiber optic or wired means, wireless connections, or configuration variations. Wireless network communications require proper encryption technology and security protocols.
Report security incidents to the HIPAA security officer an incidents includes: theft or damage to equipment, unauthorized use of a password/ system, violation of standards or policy, computer hacking attempts, malicious software, and security weaknesses. Good security Standards follow the 90/10 rule: 10% of security safeguards are technical and 90% of security safeguards rely on the computer users to adhere to good information and computing practices.
AARP Real Possibilities. (n.d.). Retrieved from www.cms.gov: http://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/Medicare-Provider-Charge-Data/Downloads/PublicComments.pdf
Chapter 9: Security & Privacy of Data in Healthcare-HIPAA Security Rules. (n.d.). Retrieved from 9.1.1 What is Personal Protected Health Information (PHI): http://ranger.uta.edu/~zikos/courses/5339-4392_content_repository/week5/WEEK5-Notes.pdf
HIPAA Security Series. (2007, 3). Retrieved from Security Standards: Physical Safeguards: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf
kgriffin62. (n.d.). HIPAA. Retrieved from What Patient Informaiton Must We Protect?: http://www.slideshare.net/kgriffin62/hippa-10667892
Zikos, D. D. (n.d.). CSE 5339-4392 Introduction to Data Issues for Clinical and Administrative Decision Making in Healthcare. Retrieved from Security and Privacy of Data in Healthcare – the CIA triad and HIPAA Security Rules: http://ranger.uta.edu/~zikos/courses/5339-4392_content_repository/presentations/WEEK5THEORY9-Security of Data in Healthcare-the CIA triad and HIPAA.pdf
Cite This Work
To export a reference to this article please select a referencing stye below:
Related ServicesView all
DMCA / Removal Request
If you are the original writer of this essay and no longer wish to have your work published on UKEssays.com then please: