Getting Started with HIPAA Security Compliance

02 Jul 2003 | Auerbach

This excerpt is from Chapter 13, Getting Started with HIPAA Security Compliance of Healthcare Information Systems, edited by Kevin Beaver and published by Auerbach.


OVERVIEW OF THE HIPAA SECURITY RULE

It's all about best practices

In August 1998, the U.S. Department of Health and Human Services (HHS) published the Security and Electronic Signature Standards; Proposed Rule (Security Rule). The Security Rule covers all healthcare information that is electronically maintained or used in electronic transmissions. It is defined by HHS as a set of requirements with implementation features that providers, plans and clearinghouses must include in their operations to assure that electronic health information pertaining to an individual remains secure (1). The Security Rule is merely a set of common best practices that is intended to be comprehensive, technology neutral and scalable for different-sized organizations. It is a high-level information security framework that documents what needs to be done to secure healthcare information systems. At the same time, and much to widespread chagrin, the Security Rule is not a set of how-to instructions outlining the exact steps for securing healthcare information systems.

When the Security Rule was originally developed in the late 1990s, there were limited information security standards upon which a comprehensive information security framework for the healthcare industry could be developed. In fact, it is documented in the proposed Security Rule that no single standards development organization (SDO) is addressing all aspects of healthcare information security and confidentiality; and specifically, no SDO is developing standards that cover every category of the security framework (1). Enter the Security Rule. Since 1998, several standards have evolved, such as the ISO/IEC 17799 Information Technology — Code of Practice for Information Security Management, among others. It is not currently known whether the final Security Rule will be based on any well-known standards, but healthcare organizations can benefit from utilizing these standard guidelines nonetheless.

Covered entities

As with the other HIPAA rules, the covered entities that are required to comply with the Security Rule are as follows:

  • Healthcare Providers. These include hospitals, clinics, nursing facilities, laboratories, physicians, pharmacies and most other entities that provide healthcare services.
  • Health plans. Generally speaking, these are any individual or group plans that provide or pay for medical care. Examples include private and governmental issuers of health insurance, HMOs, PPOs, Medicare and Medicaid programs, and certain employer-sponsored health plans.
  • Healthcare clearinghouses. These include entities that process or facilitate the processing of nonstandard data elements of health information into a standard format for electronic transactions.
  • Business associates. A person or organization that performs, on behalf of a covered entity, an activity involving the use or disclosure of individually identifiable health information. Examples include financial advisors, accountants, auditors, lawyers and consultants.

The list above boils down to any entity involved in accessing, electronically transmitting, or storing individually identifiable health information.
