
Getting Started with HIPAA Security Compliance
Edited by Kevin Beaver; Published by Auerbach 07.02.2003
This excerpt is from Chapter 13, Getting Started with HIPAA Security Compliance of Healthcare Information Systems, edited by Kevin Beaver and published by Auerbach.
OVERVIEW OF THE HIPAA SECURITY RULE
It's all about best practices
In August 1998, the U.S. Department of Health and Human Services (HHS) published the Security and Electronic Signature Standards; Proposed Rule (Security Rule). The Security Rule covers all healthcare information that is electronically maintained or used in electronic transmissions. It is defined by HHS as a set of requirements with implementation features that providers, plans and clearinghouses must include in their operations to assure that electronic health information pertaining to an individual remains secure (1). The Security Rule is merely a set of common best practices that is intended to be comprehensive, technology-neutral and scalable for different-sized organizations. It is a high-level information security framework that documents what needs to be done to secure healthcare information systems. At the same time, and much to widespread chagrin, the Security Rule is not a set of how-to instructions outlining the exact steps for securing healthcare information systems.

When the Security Rule was originally developed in the late 1990s, there were limited information security standards upon which a comprehensive information security framework for the healthcare industry could be developed. In fact, it is documented in the proposed Security Rule that no single standards development organization (SDO) is addressing all aspects of healthcare information security and confidentiality; and specifically, no SDO is developing standards that cover every category of the security framework (1). Enter the Security Rule. Since 1998, several standards have evolved, such as ISO/IEC 17799, Information Technology — Code of Practice for Information Security Management, among others. It is not currently known whether the final Security Rule will be based on any well-known standards, but healthcare organizations can benefit from utilizing these standard guidelines nonetheless.
Covered entities
As with the other HIPAA rules, the covered entities that are required to comply with the Security Rule are as follows:
- Healthcare providers. These include hospitals, clinics, nursing facilities, laboratories, physicians, pharmacies and most other entities that provide healthcare services.
- Health plans. Generally speaking, these are any individual or group plans that provide or pay for medical care. Examples include private and governmental issuers of health insurance, HMOs, PPOs, Medicare and Medicaid programs, and certain employer-sponsored health plans.
- Healthcare clearinghouses. These include entities that process or facilitate the processing of nonstandard data elements of health information into a standard format for electronic transactions.
- Business associates. A person or organization that performs, on behalf of a covered entity, an activity involving the use or disclosure of individually identifiable health information. Examples include financial advisors, accountants, auditors, lawyers and consultants.
The list above basically boils down to any entity involved in accessing, electronically transmitting, or storing individually identifiable health information.