The Health Insurance Portability and Accountability Act (HIPAA) has three major rules: the Privacy Rule, the Security Rule and the Breach Notification Rule. Each of these rules covers a specific area of health information. The aim of the HIPAA Security Rule is to protect the confidentiality, integrity and availability of electronic Protected Health Information (ePHI). To this end, the HIPAA Security Rule specifies safeguards that must be implemented by health care providers who are Covered Entities (CEs) and by their Business Associates (BAs) in order to protect the confidentiality, integrity, and availability of ePHI. Every Covered Entity (CE) and Business Associate (BA) must put policies and procedures in place that protect the security of the ePHI it creates, receives, maintains, or transmits. A Covered Entity must carry out a risk analysis of its environment and address the risks identified in that analysis according to the standards of the HIPAA Security Rule.
Whatever the nature of the Covered Entity's (CE's) business, its size, complexity, and resources, the CE must ensure the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits; identify and protect against reasonably anticipated threats to the security or integrity of the ePHI; protect against reasonably anticipated, impermissible uses or disclosures; and ensure compliance by its workforce.
The HIPAA Security Rule does not dictate in specific terms the security measures Covered Entities are to employ to protect their patients' ePHI. It does, however, stipulate factors that must be taken into consideration when creating security measures.
As a CE, you must consider the size, complexity, and capabilities of your facility; its technical, hardware, and software infrastructure; the costs of security measures; and the likelihood and possible impact of risks to ePHI.
As a CE, you must review and modify security measures as needed to continue protecting ePHI in a changing environment.