HIPAA Privacy Rule
The privacy rule focuses on keeping patient data private and only permits the sharing of patient data with the patient and authorized representatives, unless the correct consent is given. This applies to any organization that transmits medical records electronically, including healthcare providers, healthcare payers, healthcare clearinghouses and more. The rule aims to allow protected healthcare information to be accessible, in order to provide the best possible care, whilst also protecting the patient from cybersecurity threats.
Protected health information covers any data where an individual can be identified. This includes many common identifiers such as name, address, social security number and date of birth.
HIPAA security Rule
The HIPAA security rule is a set of standards that organizations must apply when they have access to protected healthcare information. This applies to anyone who has the ability to read, write, modify, or communicate electronically stored protected patient data.
The security rule has three parts: technical safeguards, physical safeguards and administrative safeguards. Each of these are detailed below:
The technical safeguards refer to the technology that organizations use to protect electronic healthcare information.
These three technical safeguards are required by all healthcare organizations that have access to patient data.
- Access control
- Audit logs
- Audit controls
There are also a set of addressable technical safeguards which organizations must decide if they are applicable to their company. If they decide these aren’t applicable and don’t need to be addressed, then they must document clearly why these aren’t needed. This documentation is required for HIPAA compliance.
The addressable technology safeguards are:
- Tools for encryption and decryption
- Automatic log-off functions
- A method to authenticate electronic health data
The physical safeguards are in place to provide security for the physical location of the patient data, whether this is stored in a cloud-based system or on a physical server. This aspect of the law also protects devices where patient data can be accessed from. This includes mobile and desktop devices.
Here are the physical safeguards that each healthcare organization is required to comply with:
- Policies and procedures for mobile devices
- Policies for the use and positioning of workstation
There are also several addressable safeguards that organizations need to consider:
- Facility access controls
- Inventory of hardware
Administrative safeguards bring together the physical and technological safeguards. They require a security officer and a privacy officer to meet the outlined requirements by conducting regular reviews, assessments, and training.
Here is a list of the required administrative safeguards:
- Risk assessments
- Risk management policy
- Developing a contingency plan
- Restricting third party access
As with the other safeguards there are also some addressable administrative safeguards. These are:
- Employee training
- Contingency plan testing
- Reporting security incidents
Complying with HIPAA
Complying with HIPAA is not a simple process. There are many different areas of cyber security that need to be considered. Identity and access management systems are a must-have for healthcare organizations to comply with the technical safeguard requirements as part of the HIPAA security rule. At Atos we provide comprehensive identity and access management solutions to help healthcare organizations comply with this rule. For more information you can read our whitepaper on maintaining HIPAA compliance with identity and access management solutions.
In addition to identity and access management, at Atos we can help healthcare organizations to comply with HIPAA through mock assessments, secure data protection, facility access control, encryption, and decryption, restricting third party access, authentication of data, and more. We can provide end to end cybersecurity advice, expertise and implementation for your healthcare organization. Get in touch with our experts who have in-depth technical knowledge and experience to help you comply with HIPAA. Contact our healthcare team.
Read what IAM can bring to Covered Entities to remain compliant and safeguard Protected Health Information (PHI).