John Lee

HIPAA - Electronic Protected Health Information (ePHI)


What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) comprises five main parts, Titles 1-5, each addressing different aspects of healthcare in the United States [1]. In essence, its goal is to ensure that individuals' health information is properly protected while still allowing the flow of health information needed to provide modern health care. With regard to the privacy of electronic health information, Title II - the Security Rule - pertains to safeguarding Electronic Protected Health Information (ePHI).


What is ePHI?

Electronic Protected Health Information is personal and medical data that can be used to identify an individual or their health status. Some examples of ePHI include:

  • Personal identification

    • Names

    • Addresses

    • Dates related to an individual (birth, treatment, admission, discharge)

    • Phone numbers

    • Email addresses

    • Social Security numbers

    • Medical record numbers

  • Health and treatment information

  • Billing and payment information

  • Biometric identifiers

  • Images

Who needs to comply with HIPAA Title II - The Security Rule

Those required to comply with the Security Rule are often called 'covered entities,' and they include health plans, healthcare clearinghouses, and healthcare providers who transmit HIPAA transactions (such as claims), as well as any business associates that help in carrying out healthcare activities and functions [2].


General Rules of HIPAA Title II - The Security Rule

Title II - The Security Rule acknowledges that covered entities vary in business size and is designed to be flexible and scalable, allowing them to analyze their own needs and implement appropriate solutions. Therefore, the Security Rule lays out general requirements to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect ePHI.

  1. Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;

    1. Confidentiality - ePHI is accessible only by authorized people and processes

    2. Integrity - ePHI is not altered or destroyed in an unauthorized manner

    3. Availability - ePHI can be accessed as needed by an authorized person

  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;

  3. Protect against reasonably anticipated, impermissible uses or disclosures; and

  4. Ensure compliance by their workforce.

  5. Covered entities must review and modify their security measures to continue protecting ePHI in a changing environment.


The Framework

HIPAA Title II - The Security Rule lays out 3 types of safeguards to protect ePHI: administrative, physical, and technical. There is a detailed guide here which addresses each implementation specification as either required or addressable. Required means the covered entity must implement the policy/procedure. Addressable does not mean optional; it means the covered entity must assess whether the specification is a reasonable and appropriate safeguard in the entity's environment. If it chooses not to implement it, it must document the reason and, if reasonable and appropriate, implement an equivalent alternative measure. Below is a summary of the required implementations.

Administrative Safeguards

  • A covered entity must identify and analyze potential risks to ePHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.

  • A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.

  • Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to ePHI only when such access is appropriate based on the user's or recipient's role (role-based access).

  • A covered entity must provide for appropriate authorization and supervision of workforce members who work with ePHI.

  • A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.

  • Covered entities must back up their data, including to an offsite location, and have disaster recovery procedures.

  • Procedures should document instructions for addressing, responding to, and reporting security breaches.

  • A covered entity must have a Business Associate Agreement with any business associate that helps in carrying out healthcare activities and functions.
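The role-based, "minimum necessary" access item above and the breach-reporting item are usually realised together in code: a deny-by-default policy that maps each workforce role to the ePHI fields it may read, plus an audit trail of every decision so that unauthorized attempts can be reviewed and reported. The following is an added illustration written for this page, not code from the author or from any HIPAA guidance; the roles, field groupings, sample record and the `EphiStore` class are all constructed assumptions, and a real policy would come from the entity's own risk analysis.

```python
"""Minimum-necessary, role-based read access to ePHI with an audit trail.

Constructed illustration: roles, field groups, and the sample record below are
assumptions for demonstration, not taken from HIPAA or any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

# Field groups mirroring the ePHI categories listed earlier on the page.
IDENTIFIERS = {"name", "dob", "address", "phone", "email", "ssn", "mrn"}
CLINICAL = {"diagnosis", "treatment_notes"}
BILLING = {"insurance_id", "balance_due"}

# Role -> fields that role may read. Any field not listed is denied, and a role
# that is not listed at all has an empty scope (deny by default).
ROLE_FIELDS: Dict[str, set] = {
    "clinician": (IDENTIFIERS - {"ssn"}) | CLINICAL,
    "billing_clerk": {"name", "mrn", "dob"} | BILLING,
    "front_desk": {"name", "mrn", "phone", "email"},
}


@dataclass(frozen=True)
class AuditEntry:
    """One access decision, recorded whether or not anything was returned."""
    timestamp: str
    user: str
    role: str
    mrn: str
    granted: Tuple[str, ...]
    denied: Tuple[str, ...]
    record_found: bool


class EphiStore:
    """In-memory ePHI records with role-based, field-level read access."""

    def __init__(self, records: Dict[str, Dict[str, str]]):
        self._records = records
        self.audit: List[AuditEntry] = []

    def read(self, user: str, role: str, mrn: str,
             requested: Iterable[str]) -> Dict[str, str]:
        requested = set(requested)
        allowed = ROLE_FIELDS.get(role, set())
        granted = requested & allowed
        denied = requested - allowed
        record = self._records.get(mrn)
        # Log before returning so that fully denied attempts are captured too.
        self.audit.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, mrn=mrn,
            granted=tuple(sorted(granted)), denied=tuple(sorted(denied)),
            record_found=record is not None,
        ))
        if record is None:
            return {}
        # Only the intersection of "asked for" and "allowed for this role" leaves.
        return {f: record[f] for f in sorted(granted) if f in record}

    def denied_attempts(self, user: str) -> int:
        """Number of reads by `user` that were partly or wholly denied; a review
        of this count is one input to the breach-reporting procedure."""
        return sum(1 for e in self.audit if e.user == user and e.denied)


def build_sample_store() -> EphiStore:
    """Constructed sample record; every value is fictitious."""
    return EphiStore({
        "MRN-0001": {
            "mrn": "MRN-0001", "name": "Jane Doe", "dob": "1980-01-01",
            "ssn": "000-00-0000", "phone": "555-0100",
            "diagnosis": "example diagnosis", "treatment_notes": "example notes",
            "insurance_id": "INS-123", "balance_due": "0.00",
        }
    })


if __name__ == "__main__":
    store = build_sample_store()
    print(store.read("dr.smith", "clinician", "MRN-0001", ["name", "diagnosis", "ssn"]))
    print(store.read("clerk1", "billing_clerk", "MRN-0001", ["balance_due", "diagnosis"]))
    print(store.read("temp", "intern", "MRN-0001", ["name"]))
    for entry in store.audit:
        print(entry)
```

The design point is that authorization is decided per field rather than per record: a billing clerk asking for a diagnosis gets the billing fields and a logged denial, not the whole chart. Because the audit entry is written before the lookup result is known, a request for a non-existent record or from an unrecognised role still leaves a trace for the security official to review.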

Physical Safeguards

Technical Safeguards

Organizational Requirements

  1. If a covered entity knows of an activity or practice of the business associate that constitutes a material breach or violation of the business associate's obligation, the covered entity must take reasonable steps to cure the breach or end the violation. Violations include the failure to implement safeguards that reasonably and appropriately protect ePHI.

  2. This was mentioned already as a required Administrative Safeguard, but a covered entity must have a Business Associate Agreement with any business associate that helps in carrying out healthcare activities and functions.


Conclusion

To meet HIPAA standards, protecting electronic Protected Health Information (ePHI) is a vital component under the Security Rule, which requires technical implementation. It's important to note that protecting ePHI is only part of the overall HIPAA standards. Other necessary implementations include the Privacy Rule, which protects all forms of PHI, not just ePHI, and sets standards for safeguarding non-electronic PHI, such as information conveyed verbally or in writing.



Additional Information

