HIPAA Security Rules

Contributed by Lee Kim, Esquire

lkim@tuckerlaw.com or 412.594.3915

The mention of the HIPAA security rules often provokes an irrational fear in people who are not technically inclined, but knowing the legal compliance requirements is a different matter from being an information technology specialist. Here is a simple summary of your security obligations and recommended practices under the HIPAA Security Rule. Please note that the HIPAA security rules apply to both covered entities and business associates: covered entities are already obligated to follow them, and business associates will be directly obligated to follow them as of February 17, 2010, under the HITECH Act.

In order to have an effective HIPAA security compliance program, the following technical safeguards must be implemented under the current HIPAA Security Rule (45 C.F.R. §164.312) by both covered entities and business associates. Note that the list below does not discuss the access control standard at 45 C.F.R. §164.312(a)(1), which is also required and calls for, among other things, unique user identification and an emergency access procedure.

1)      Audit controls on access to electronic protected health information (“ePHI”) under 45 C.F.R. §164.312(b).

a.      The audits may be manual or automated. Their purpose is to record and examine activity in the systems that contain or use ePHI, so that access by unauthorized individuals or entities can be detected, not merely to confirm that authorized users are present.

2)      Person or entity authentication under 45 C.F.R. §164.312(d).

a.      Procedures must be implemented to verify that the individual or entity seeking access to ePHI is the one claimed (e.g., passwords, swipe cards, hardware tokens, biometrics). Authentication establishes who is asking; whether that person is permitted to see the data is a separate access control question.

3)      Integrity of ePHI under 45 C.F.R. §164.312(c)(1), with the implementation specification (a mechanism to authenticate ePHI) at §164.312(c)(2).*

a.      Electronic mechanisms should be implemented to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

        i.      Regardless of whether the ePHI is being retrieved, transmitted, or stored, technical safeguards must be in place to detect alteration or destruction of the data. Checksums and error-correcting codes only detect accidental corruption, because anyone who can alter the data can recompute them; detecting deliberate, unauthorized alteration requires a keyed mechanism such as a message authentication code or a digital signature over the ePHI.

4)      Secure transmission of ePHI under 45 C.F.R. §164.312(e)(1), with the implementation specifications (integrity controls and encryption) at §164.312(e)(2).*

a.      Technical security measures must be implemented to guard against unauthorized access to ePHI being transmitted over an electronic communications network (e.g., a VPN, TLS (formerly SSL), or other encryption of the data in transit).

5)      Encryption of ePHI in transit under 45 C.F.R. §164.312(e)(2)(ii).* Encryption of stored ePHI is a separate addressable specification under the access control standard, 45 C.F.R. §164.312(a)(2)(iv).

* The standards themselves are required; the asterisk marks implementation specifications that are “addressable” under 45 C.F.R. §164.306(d)(3). For each one the entity must assess whether the safeguard is reasonable and appropriate in its operating environment and whether it is likely to contribute to protecting the entity’s ePHI. If it is reasonable and appropriate, it must be implemented. If not, the entity must document why it would not be reasonable and appropriate and implement an equivalent alternative measure if that alternative is reasonable and appropriate. “Addressable” does not mean optional; the assessment and its documentation are themselves required.
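The integrity point in item 3 is easiest to see in code. The following is an added example, not part of the original article, using only the Python standard library. A constructed, fictitious patient record is sealed first with unkeyed checksums (CRC-32 and SHA-256) and then with an HMAC under a hypothetical integrity key; an attacker who alters the stored record defeats the checksums simply by recomputing them, but cannot forge the HMAC without the key. The record contents, the key and all function names are assumptions made for the example; a digital signature would serve the same purpose where the party verifying the record should not hold the key that produced the tag.

```python
"""Integrity mechanisms for a stored ePHI record: why a checksum is not enough.

Added example, not from the original article. Standard library only; the
sample record and the integrity key are constructed for illustration.
"""
import copy
import hashlib
import hmac
import json
import secrets
import zlib

# Constructed sample ePHI record (fictitious patient, hypothetical fields).
SAMPLE_RECORD = {
    "mrn": "000123",
    "name": "Jane Doe",
    "allergies": ["penicillin"],
    "medication": "lisinopril 10 mg",
}

# Hypothetical integrity key. In production it lives in a key store that the
# storage tier cannot read; an attacker who can edit records must not have it.
INTEGRITY_KEY = secrets.token_bytes(32)


def canonical(record: dict) -> bytes:
    """Serialize deterministically so equal data always yields equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum_seal(record: dict) -> dict:
    """Unkeyed tags: detect accidental corruption (bit rot, truncation) only."""
    data = canonical(record)
    return {
        "record": record,
        "crc32": zlib.crc32(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def checksum_verify(sealed: dict) -> bool:
    data = canonical(sealed["record"])
    return (
        zlib.crc32(data) == sealed["crc32"]
        and hashlib.sha256(data).hexdigest() == sealed["sha256"]
    )


def hmac_seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Keyed tag: detects deliberate alteration by anyone who lacks the key."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "hmac": tag}


def hmac_verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return hmac.compare_digest(expected, sealed["hmac"])


def tamper(sealed: dict, recompute_unkeyed: bool = True) -> dict:
    """Simulate an attacker with write access who changes a dosage.

    With recompute_unkeyed=True the attacker also rebuilds any unkeyed tags,
    which needs no secret. There is nothing equivalent to do for the HMAC.
    """
    forged = copy.deepcopy(sealed)
    forged["record"]["medication"] = "lisinopril 100 mg"
    if recompute_unkeyed and "sha256" in forged:
        data = canonical(forged["record"])
        forged["crc32"] = zlib.crc32(data)
        forged["sha256"] = hashlib.sha256(data).hexdigest()
    return forged


def demonstrate() -> dict:
    """Return whether each integrity mechanism catches each scenario."""
    sealed_cs = checksum_seal(SAMPLE_RECORD)
    sealed_mac = hmac_seal(SAMPLE_RECORD)
    return {
        "checksum_intact": checksum_verify(sealed_cs),
        # Silent corruption without recomputing tags: checksums catch it.
        "checksum_bitflip_detected": not checksum_verify(tamper(sealed_cs, False)),
        # Deliberate edit with recomputed tags: checksums are fooled.
        "checksum_forgery_detected": not checksum_verify(tamper(sealed_cs, True)),
        "hmac_intact": hmac_verify(sealed_mac),
        # Same deliberate edit against the HMAC: caught, no key to recompute with.
        "hmac_forgery_detected": not hmac_verify(tamper(sealed_mac, True)),
    }


if __name__ == "__main__":
    for scenario, caught in demonstrate().items():
        print(f"{scenario}: {caught}")
```

Running it shows `checksum_forgery_detected: False` while every other scenario is `True`: the unkeyed checksums satisfy the letter of "a mechanism to authenticate ePHI" against accidents but not against an insider or intruder with write access, which is the unauthorized alteration the integrity standard is aimed at.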


Please feel free to contact me if you would like assistance in applying the HIPAA security rules to your current situation as a covered entity or a business associate. I may be reached at lkim@tuckerlaw.com or by calling 412-594-3915.
