HIPAA Security

Securing electronic Protected Health Information (ePHI) is a priority for the HSC. To ensure that workforce members employ high standards when creating, storing or transmitting patient information, the HSC has created an Information Security Office and the role of the HIPAA Security Officer to oversee and manage the security of ePHI.

HIPAA Security Laws: Goals and Objectives

The HIPAA Security Rule covers the following topics:

• Maintenance of the integrity, privacy and availability of ePHI created, received, transmitted and maintained
• Protection of ePHI from anticipated hazards and risks that may compromise its security and integrity
• Protection of ePHI from wrongful disclosure or use as specified under the Privacy Rule

Security Rule Organization

Compliance with the Security Rule requires covered entities to understand the following definitions with regard to integrity, availability and confidentiality, as specified in § 164.304:

• Confidentiality: This applies to any information or data that is withheld from unauthorized people or processes according to HIPAA Security Standards.
• Integrity: This refers to the maintenance of any protected information from alterations or distortion using unauthorized processes.
• Availability: This refers to the act of ensuring the accessibility of protected information only to authorized persons and processes when required.

Security Standards: General Rules

Security standards ensure flexible approaches and establish both required and addressable implementation specifications and standards. They facilitate the implementation of different security measures to ensure the protection of ePHI to the required standards through:

• Administrative Standards—This section refers to all efforts, procedures and policies that will ensure the implementation, development, maintenance and selection of relevant security measures to ensure the protection of ePHI demanded by a covered entity’s workforce.
• Physical Standards—These are the policies, physical measures and procedures used or necessary in the protection of covered entities’ ePHI from possible hazards and unauthorized use or access to it.
• Technical Security Measures—These measures specify the use of technology and policies that will enhance protection and access to ePHI.
• Organizational Requirements—This section refers to standards and procedures to be used in business associate contracts’ or related arrangements such as Memorandums of Understanding (MoU’s) between covered parties and business associates, ensuring adherence to privacy and protection of ePHI.
• Policies and Procedures and Documentation Requirements—This section refers to the implementation of Security Rule specifications to reasonable and acceptable standards, among other requirements, such as using policies, procedures, rules, regulations and action as stipulated under the Security Rule for the maintenance and use of ePHI and control of access to ePHI.