HCISPP HealthCare Information Security and Privacy Practitioner All-in-One Exam Guide by Sean P. Murphy
Author: Sean P. Murphy
Language: eng
Format: epub
Publisher: McGraw-Hill
Published: 2020-09-10T16:00:00+00:00
CAUTION The Privacy Rule predates the digitization of healthcare and EHRs. The main focus of the Privacy Rule is PHI in written and oral formats. It is not sufficient for electronic PHI.
HIPAA Security Rule
In recognition of the evolution of healthcare information technology (HIT), the HIPAA Security Rule was published in 2005. The rule supported the transition of healthcare data collection, storage, use, and transfer from paper processes to increasingly more electronic information systems to pay claims, answer eligibility questions, provide health information, and conduct a host of other administrative and clinically based functions.
With the increase in mobile applications, electronic information systems, and data access from anywhere at any time, the risks of unauthorized data access and loss of confidentiality are significant. There is little debate about the benefits HIT has brought to patient care and healthcare organization capabilities. EHRs, networked medical devices, and data analytics are standard, even if no longer state-of-the-art. Patients have unparalleled access to their claims and care management through self-service applications. In this environment, to maintain adequate privacy and security protections, the Security Rule was implemented to outline administrative, technical, and physical security controls that guide covered entities in protecting the privacy of individuals’ health information while allowing them to adopt new technologies to improve the quality and efficiency of patient care.
The Security Rule recognized a new format for PHI. As data evolved from paper, film, or audio storage to digital, the designation “electronic PHI,” or ePHI, was established. Covered entities must attend to the same concerns of confidentiality, integrity, and availability with ePHI, just as they are required to do for PHI under the Privacy Rule. The Security Rule introduced standards for protecting ePHI according to security controls categorized as administrative, physical, and technical safeguards. It is important to recognize that a specific type of solution may fall into more than one category.
Administrative safeguards are policies and procedures governing activities such as
• Establishing security training requirements, including sanction policies for personnel who violate policies and procedures
• Outlining security roles and responsibilities, including designation of a security official responsible for implementing the security program
• Authorizing access to ePHI based on role or need-to-know, similar to the Privacy Rule standard of limiting uses and disclosures of PHI to the “minimum necessary”
• Periodically evaluating how well the security policies and procedures meet the requirements of the Security Rule
Physical safeguards are physical measures that protect electronic information systems and the related buildings and equipment from natural and environmental hazards and from unauthorized physical access. The following are some examples of physical controls:
• Facility access and control systems of badges, ID cards, or biometric scanners to limit physical access to authorized personnel only
• Workstation and device security that ensures proper use of and access to hardware and software, maintained by keeping systems out of plain view or in tamper-resistant locations
• Protecting electronic media during transfer, removal, disposal, and reuse
Technical safeguards are technology, information systems, or software applications that are used to ensure reasonable and appropriate levels of protection for ePHI. Examples include access controls, audit controls, integrity controls, and transmission security.