Contributed by Lee Kim

412.594.3915, lkim@tuckerlaw.com


Under HIPAA, both covered entities (e.g., health plans, health care clearinghouses, and health care providers) and business associates (i.e., individuals or entities that create, receive, use, or disclose protected health information ("PHI") on behalf of a covered entity) are required to comply with the Privacy and Security Rules.  The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information.

The HIPAA Security Rule establishes national standards to protect electronic protected health information ("ePHI") that is created, received, used, or maintained by a covered entity or business associate.  The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI, and each of its standards is accompanied by implementation specifications (some required, some addressable) that define what compliance with that standard looks like.  Every covered entity and business associate, regardless of size, must conduct a risk analysis of its information technology infrastructure and perform ongoing risk management to address the risks identified.  That analysis must not overlook mobile and removable media such as memory cards, USB/thumb drives, CDs, DVDs, and backup tapes, which carry ePHI outside the organization's primary systems and are easily lost or stolen.  Civil penalties for violations of the Security Rule are tiered by level of culpability and, under present law, begin at $100 per violation and rise to many thousands of dollars per violation, subject to an annual cap for violations of the same provision.

Whether one is a business associate or a covered entity, one must have written policies and procedures in place that implement the HIPAA Privacy and Security Rules.  In addition, the workforce of the covered entity or business associate must be trained regularly on the requirements of these Rules and on any changes to them.

If you need assistance developing policies and procedures that comply with the Rules, have questions about implementing the Rules, and/or need workforce training, please do not hesitate to contact us.