Health Insurance Portability and Accountability Act — HIPAA
The national US standard covering multiple areas related to the handling and protection of sensitive data by the healthcare industry, healthcare insurers, and others who handle healthcare-related information.
HIPAA Compliance Overview
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard that every Covered Entity and Business Associate that has access to protected health information (PHI) must ensure the technical, physical, and administrative safeguards are in place and adhered to.
Technical Safeguards apply to the technology that is used to protect PHI and provide access to data. The only stipulation of technical safeguards is that ePHI (electronic PHI) must be encrypted to NIST standards when it travels beyond an organization’s firewall, in order to render any patient data unreadable, indecipherable, and unusable should a breach occur.
More information on technical safeguards can be found here: https://www.hhs.gov/hipaa/for-professionals/faq/technical-safeguards/index.html
Physical Safeguards govern physical access to ePHI regardless of its location. They also stipulate how mobile devices and workstations should be secured against unauthorized access.
More information on physical safeguards can be found here: https://www.hhs.gov/hipaa/for-professionals/faq/2012/what-does-the-security-rule-mean-by-physical-safeguards/index.html
Administrative Safeguards pertain to the administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and manage the conduct of the workforce in relation to the protection of said information.
More information on administrative safeguards can be found here: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf?language=es
These safeguards fall under the Security Rule.
The Security Rule lays out the standards that must be applied in order to safeguard and protect electronically created, accessed, processed, or stored ePHI in transit and at rest.
More information on the security rule can be found here:
The Privacy Rule establishes national standards for the protection of individual medical records and other PHI. Under HIPAA, this rule also applies to health plans, healthcare clearinghouses and health care providers that conduct certain transactions electronically. The specific requirements for covered entities include:
- They must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;
- They must identify and protect against reasonably anticipated threats to the security or integrity of the information;
- They must protect against reasonably anticipated, impermissible uses or disclosures; and
- They must ensure compliance by their workforce (45 C.F.R. § 164.306(a)).
More information on the Privacy Rule can be found here: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html