ACHIEVING HIPAA COMPLIANCE WITH MANAGED SECURITY SERVICES
The Health Insurance Portability and Accountability Act (HIPAA) requires that the Department of Health and Human Services (HHS) establish national standards to address the security and privacy of healthcare data and electronic healthcare transactions, as well as provide national identifiers for providers, health plans, and employers. Its primary goal is to simplify the administrative processes of the healthcare system and to protect patient privacy. To help healthcare organizations comply with privacy requirements, the rule titled “Security Standards for the Protection of Electronic Protected Health Information (EPHI),” commonly known as the Security Rule, has been adopted in order to implement the various provisions of HIPAA. In general, Covered Healthcare Providers, Health Plans, Healthcare Clearinghouses, and Medicare Prescription Drug Card Sponsors must comply with the standards, requirements, and implementation specifications of the HIPAA Security Rule, including:
- Administrative Safeguards – administrative actions, policies, and procedures designed to manage the selection, development, implementation, and maintenance of security measures that protect electronic health information. These safeguards also govern the conduct of the covered entity’s workforce in relation to the protection of that information. The Administrative Safeguards comprise over half of the HIPAA security requirements, and compliance with them requires an evaluation of the security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions derived from factors that are unique to each covered entity.
- Physical Safeguards – physical measures, policies, and procedures designed to protect a covered entity’s electronic information systems, related buildings and equipment from natural and environmental hazards, as well as unauthorized intrusion. When evaluating and implementing these safeguards, a covered entity must consider all physical access to EPHI beyond an actual office, such as workforce members’ homes or other physical locations where they might access EPHI.
- Technical Safeguards – the technology, and the policies and procedures associated with its use, that protect EPHI and control access to it. Technical safeguards are becoming more important as healthcare organizations are faced with the challenge of protecting EPHI from various internal and external threats. Based on the fundamental concepts of flexibility, scalability and technology neutrality, these safeguards allow a covered entity to determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization.
Compliance with these security standards, as defined by HIPAA, is imperative to the ongoing business operations of healthcare companies. Failure to comply may result not only in regulatory sanctions and fines but also in direct business losses from lawsuits, damage to an organization’s reputation, and erosion of the public’s trust.