The HIPAA Security Rule is best thought of as a subset of, or complement to, the HIPAA Privacy Rule. Where the Privacy Rule applies to all patient Protected Health Information (PHI) in any form (paper, spoken, or electronic), the Security Rule applies specifically to electronic PHI.
These standards provide guidance for developing and implementing policies and procedures that guard against, and limit the impact of, security compromises. The electronic protected health information (EPHI) a provider creates and uses is critical to its business and important to patient care, which is why protecting it is treated as a legal obligation rather than an optional best practice.
The HIPAA Security Rule defines three categories of safeguards: administrative, physical, and technical. The descriptions below are aimed at smaller practices and were taken straight from paper number 7 of the HHS Security Series (the paper on implementation for the small provider). The text in quotes is the actual wording of the standard. The first five standards listed are administrative safeguards, the next three are physical safeguards, and the last three are technical safeguards.
Security Management Process - “Implement policies and procedures to prevent, detect, contain, and correct security violations.”
Workforce Security - “Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, and to prevent those workforce members who do not have access from obtaining access to electronic protected health information.”
Security Awareness and Training - “Implement a security awareness and training program for all members of its workforce (including management).”
Contingency Plan - “Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”
Business Associate Contracts and Other Arrangements - “A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.”
Facility Access Control - “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”
Workstation Use - “Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”
Device and Media Controls - “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.”
Access Control - “Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).”
Person or Entity Authentication - “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
Transmission Security - “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
In summary, compliance with the HIPAA Security Rule can be demanding even for a small practice. A good first step is to become familiar with these standards and then conduct a risk assessment of the practice's systems (or the business's systems, if it is a business associate) to identify where policies, procedures, or technical controls need to change in order to meet the intent of the Security Rule.
Copyright 2017 All-Things-Medical-Billing.com