This series of posts will look at key aspects of the HIPAA Security Rule. Now that the HITECH Act has put the HIPAA Privacy and Security Rules once again front and center, a much larger number of organizational stakeholders will need to become better acquainted with their basic tenets.
From a healthcare business perspective, a better understanding of the rules is mission critical since compliance with the rules is now an integral part of HHS' meaningful use definition. In other words, non-compliance means that a provider or facility may not get paid their EHR incentives.
Whereas the HIPAA Privacy Rule ("PR") deals with protected health information ("PHI") in general, the HIPAA Security Rule ("SR") deals with electronic PHI (ePHI), which is essentially a subset of what the PR encompasses. In terms of actual regulatory text, the SR only spans approximately eight (8) pages, which is the good news. The bad news is that the SR is highly technical in nature. For all intents and purposes, this rule is the codification of certain information technology standards and best practices.
Broadly speaking, the SR requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical. In addition, it imposes other organizational requirements and a need to document processes analogous to the PR. That said, creating the necessary SR documentation will likely prove significantly more "vexing" than its PR counterpart, especially for small providers.
The SR has been in effect since April 20, 2005. However, because the majority of providers and facilities have not yet made the move to electronic health records (EHRs), it has largely been ignored. The Obama administration's push for EHRs, under the HITECH Act, has set in motion a regulatory freight train that most in the healthcare industry are more or less oblivious to, although the word is slowly starting to get out.
This series of posts is intended to provide insights into the SR that will allow a provider or facility to acquire a fundamental understanding of the compliance requirements contained within the rule; where appropriate, additional reference information that most readers should find quite useful will be linked. The HIPAA Privacy Rule will be dissected in a separate series of posts.
Part 2 of this series can be found here.
To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.