This chapter introduces the HIPAA security rule, which closely aligns with the privacy rule. Although the rules complement each other, the privacy rule governs the privacy of protected health information (PHI) regardless of the medium in which the information resides, whereas the security rule governs PHI that is transmitted by or maintained in some form of electronic media (that is, electronic protected health information, or ePHI). The chapter begins with a discussion of the purposes of the rule, its source of law, its scope, and to whom the law applies. The chapter suggests a process for complying with the rule and outlines the five key components of the rule. The chapter also discusses changes to the security rule as a result of the Health Information Technology for Economic and Clinical Health (HITECH) provisions of the American Recovery and Reinvestment Act of 2009 (ARRA). It concludes with a discussion of the role of a security officer, how the rule is enforced, and the penalties for noncompliance with the rule.
1) Individuals in the health information management (HIM) field
play a critical role in covered entities' approaches to data
security, especially HIPAA compliance. HIM professionals are often
acquiring, analyzing, and protecting digital and traditional
medical information vital to providing quality patient care,
according to the American Health Information Management Association
(AHIMA). Furthermore, HIM professionals need to understand an
organization's workflow and how the latest applications will
potentially come into play. HIPAA rules require that organizations
have a privacy officer or a security officer, and HIM professionals
tend to be an organization's privacy officer, said Angela Rose, a
director of HIM Practice Excellence at AHIMA. "They'll be responsible
for implementing the whole program, like policy and procedures:
writing them, the training of staff, just making sure that the laws
and the requirements are met as a whole." Rose added that she has
been at AHIMA for nine and a half years, and that it's exciting
times right now in the healthcare industry, in terms of privacy and
security.
a. An organization can be in compliance by:
   i. Having procedures for ensuring that the workforce working with
      ePHI has adequate authorization and/or supervision.
   ii. Ensuring that there is a procedure to determine what access
       is appropriate for the workforce.
   iii. Having policies and procedures for granting access to ePHI
        through a workstation, transaction, program, or other
        process.
   iv. Ensuring that it conducts periodic security updates.
2) An organization can be in compliance by:
   i. Having procedures for ensuring that the workforce working with
      ePHI has adequate authorization and/or supervision.
   ii. Ensuring that there is a procedure to determine what access
       is appropriate for the workforce.
   iii. Having policies and procedures for granting access to ePHI
        through a workstation, transaction, program, or other
        process.
   iv. Ensuring that it conducts periodic security updates.
3) There are three parts to the HIPAA Security Rule: technical
safeguards, physical safeguards, and administrative safeguards. We
will address each of these in order in our HIPAA compliance
checklist.
4) The Security Rule outlines standards for the integrity and
safety of PHI and ePHI that must be in place in any healthcare
organization, including physical, administrative, and technical
safeguards.
5) Covered entities must ensure the confidentiality, integrity, and
availability of all e-PHI they create, receive, maintain, or
transmit; identify and protect against reasonably anticipated
threats to the security or integrity of the information; and
protect against reasonably anticipated, impermissible uses or
disclosures. The Security Rule requires covered entities to maintain
reasonable and appropriate administrative, technical, and physical
safeguards for protecting e-PHI.
Specifically, covered entities must:
   i. Ensure the confidentiality, integrity, and availability of all
      e-PHI they create, receive, maintain, or transmit.
   ii. Identify and protect against reasonably anticipated threats
       to the security or integrity of the information.
   iii. Protect against reasonably anticipated, impermissible uses
        or disclosures.
   iv. Ensure compliance by their workforce.

The Security Rule defines confidentiality to mean that e-PHI is not
available or disclosed to unauthorized persons. The Security Rule's
confidentiality requirements support the Privacy Rule's
prohibitions against improper uses and disclosures of PHI. The
Security Rule also promotes the two additional goals of maintaining
the integrity and availability of e-PHI. Under the Security Rule,
integrity means that e-PHI is not altered or destroyed in an
unauthorized manner. Availability means that e-PHI is accessible
and usable on demand by an authorized person.

HHS recognizes that covered entities range from the smallest
provider to the largest multi-state health plan. Therefore the
Security Rule is flexible and scalable to allow covered entities to
analyze their own needs and implement solutions appropriate for
their specific environments. What is appropriate for a particular
covered entity will depend on the nature of the covered entity's
business, as well as the covered entity's size and resources.
Therefore, when a covered entity is deciding which security measures
to use, the Rule does not dictate those measures but requires the
covered entity to consider:
   i. Its size, complexity, and capabilities.
   ii. Its technical, hardware, and software infrastructure.
   iii. The costs of security measures.
   iv. The likelihood and possible impact of potential risks to
       e-PHI.

Covered entities must review and modify their security measures to
continue protecting e-PHI in a changing environment.