Securing electronic Protected Health Information (ePHI) is a priority for the HSC. To ensure that workforce members employ high standards when creating, storing or transmitting patient information, the HSC has created an Information Security Office and the role of the HIPAA Security Officer to oversee and manage the security of ePHI.
HIPAA Security Laws: Goals and Objectives
The HIPAA Security Rule covers the following topics:
- Maintenance of the integrity, privacy and availability of ePHI created, received, transmitted and maintained
- Protection of ePHI from anticipated hazards and risks that may compromise its security and integrity
- Protection of ePHI from wrongful disclosure or use as specified under the Privacy Rule
Security Rule Organization
Compliance with the Security Rule requires covered entities to understand the following definitions with regard to integrity, availability and confidentiality, as specified in § 164.304:
- Confidentiality: This applies to any information or data that is withheld from unauthorized people or processes according to HIPAA Security Standards.
- Integrity: This refers to the maintenance of any protected information from alterations or distortion using unauthorized processes.
- Availability: This refers to the act of ensuring the accessibility of protected information only to authorized persons and processes when required.
Security Standards: General Rules
- Ensures flexible approaches.
- Establishes both required and addressable implementation specifications and standards.
- Facilitates the implementation of different security measures to ensure the protection of ePHI to the required standards.
- Administrative Standards—This section refers to all efforts, procedures and policies that will ensure the implementation, development, maintenance and selection of relevant security measures to ensure the protection of ePHI demanded by a covered entity’s workforce.
- Physical Standards—These are the policies, physical measures and procedures used or necessary in the protection of covered entities’ ePHI from possible hazards and unauthorized use or access to it.
- Technical Security Measures—These measures specify the use of technology and policies that will enhance protection and access to ePHI.
- Organizational Requirements—This section refers to standards and procedures to be used in business associate contracts’ or related arrangements such as Memorandums of Understanding (MoU’s) between covered parties and business associates, ensuring adherence to privacy and protection of ePHI.
- Policies and Procedures and Documentation Requirements—This section refers to the implementation of Security Rule specifications to reasonable and acceptable standards, among other requirements, such as using policies, procedures, rules, regulations and action as stipulated under the Security Rule for the maintenance and use of ePHI and control of access to ePHI.