Archive Compliance - Email Archiving Compliance that meets HIPAA, SEC, and FINRA Regulations

HIPAA security rule
The HIPAA security rule is another facet of the Act at large, separate from the privacy rule. It still pertains to the privacy of PHI, but concentrates on the security of the information rather than on who may access it. The body responsible for the security rule is the Department of Health and Human Services (HHS), which maintains its standards and oversees its implementation.

The security rule states that any entity covered under HIPAA must take certain steps to ensure proper protection of PHI: to ensure the confidentiality and availability of PHI in any form, however it is transmitted or received, and to protect against threats to the security of this information as well as against disclosure or leaking of the PHI.

There are four main sections of requirements in the rule:

Administrative.  Overall security and workplace safeguards for the area where PHI is stored.  This covers things like training and security awareness of the staff who handle the information, and how easily the storage can be accessed.  Third-party dealings and contracts are specifically mentioned in the rule, and all dealings with any outside organization have to be compliant with it, meaning that any contractor or contract that involves access to PHI must also be compliant with HIPAA.

Physical.  The physical aspect of the rule concerns the infrastructure itself: building security and access control, workstation security, and overall IT system security and stability.  Generally, it covers any facet of security that involves tangible objects.  One of the most noteworthy requirements is a secure method of disposing of media that contains or once contained medical records; measures must be taken to ensure this data is completely non-recoverable.

Technical.  This is an expansion of the physical controls, but purely for the technology involved, such as the servers and workstations used to store and retrieve PHI.  The systems must have secure passwords, automatic logoff, encryption, and mechanisms to authenticate both users and the records.  There must also be a robust auditing system that can record activity, access, and the records themselves.

Documentation.  There is a whole raft of rules regarding the documentation standard for HIPAA.  They cover the policies and procedures for the system, the workplace, the organization, and the PHI itself.  An organization must have adequate policies in place to manage its obligations under HIPAA and to make them easily accessible and understood.  If actions subject to HIPAA are taken, e.g. access to records, then an audit trail must be in place.

The security rule is as wide-ranging and all-encompassing as the privacy rule, and as such is just as complicated.  The requirements are quite stringent and the penalties for non-compliance are meaningful.  In trying to do the right thing by protecting patients' privacy, the legislators have created a morass of laws and rules that very few people understand.  It is advisable that any company which believes it is subject to HIPAA take professional advice to ensure it complies.  Personal privacy and information security are big issues today, and any organization that appears blasé or lax in its treatment of this information risks quite a few consequences.