Tip

Getting Started with HIPAA Security Compliance

Edited by Kevin Beaver; Published by Auerbach

This excerpt is from Chapter 13, Getting Started with HIPAA Security Compliance of Healthcare

    Requires Free Membership to View

Information Systems, edited by Kevin Beaver and published by Auerbach.


OVERVIEW OF THE HIPAA SECURITY RULE

It's all about best practices

In August 1998, the U.S. Department of Health and Human Services (HHS) published the Security and Electronic Signature Standards; Proposed Rule (Security Rule). The Security Rule covers all healthcare information that is electronically maintained or used in electronic transmissions. It is defined by HHS as a set of requirements with implementation features that providers, plans and clearinghouses must include in their operations to assure that electronic health information pertaining to an individual remains secure (1). The Security Rule is merely a set of common best practices that is intended to be comprehensive, technology neutral and scalable for different-sized organizations. It is a high-level information security frame-work that documents what needs to be done to secure healthcare information systems. At the same time, and much to widespread chagrin, the Security Rule is not a set of how-to instructions outlining the exact steps for securing healthcare information systems.

When the Security Rule was originally developed in the late 1990s, there were limited information security standards upon which a comprehensive information security framework for the healthcare industry could be developed. In fact, it is documented in the proposed Security Rule that no single standards development organization (SDO) is addressing all aspects of healthcare information security and confidentiality; and specifically, no SDO is developing standards that cover every category of the security framework (1). Enter the Security Rule. Since 1998, several standards have evolved, such as the ISO/IEC 17799 Information Technology — Code of Practice for Information Security Management, among others. It is not currently known whether the final Security Rule will be based on any well-known standards, but healthcare organizations can benefit from utilizing these standard guidelines nonetheless.

Covered entities

As with the other HIPAA rules, the covered entities that are required to comply with the Security Rule are as follows:

  • Healthcare Providers. These include hospitals, clinics, nursing facilities, laboratories, physicians, pharmacies and most other entities that provide healthcare services.
  • Health plans. Generally speaking, these are any individual or group plans that provide or pay for medical care. Examples include private and governmental issuers of health insurance, HMOs, PPOs, Medicare and Medicaid programs, and certain employer-sponsored health plans.
  • Healthcare clearinghouses. These include entities that process or facilitate the processing of nonstandard data elements of health information into a standard format for electronic transactions.
  • Business associates. A person or organization that performs, on behalf of a covered entity, an activity involving the use or disclosure of individually identifiable health information. Examples include financial advisors, accountants, auditors, lawyers and consultants.

The list above basically boils down to any entity involved in accessing, electronically transmitting, or storing individually identifiable health information.

> Read the rest of Chapter 13, Getting Started with HIPAA Security Compliance.


For more information, visit these resources:

This was first published in July 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.