What is HIPAA?
Why do I need to be HIPAA Security compliant?
The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities (health care organizations) and
their business associates to safeguard the privacy of patient health information.
HIPAA also requires covered entities and business associates to
implement the required security measures to protect patient health information.
What is the difference between the HIPAA Privacy and the HIPAA Security Rules?
The Privacy Rule sets the standards for how protected patient health
information should be controlled. The Security Rule defines the
standards that require covered entities (CEs) to implement basic safeguards to protect electronic protected health information (ePHI).
Privacy depends upon security measures: no security, no privacy.
How are HIPAA Privacy and Security rules linked?
The Security and Privacy Rules are distinct but inextricably linked:
the privacy of information depends in large part upon the existence of security
measures. The HIPAA Security Rule defines the standards that require
CEs to implement basic safeguards to protect ePHI. The Privacy Rule sets
the standards for how protected ePHI should be controlled.
What does HIPAA mean by electronic media?
Electronic storage media, including memory in computers (hard drives)
and any removable/transportable digital memory medium such as magnetic
tapes or disks, optical disks, or memory cards, as well as transmission media used to
exchange information (internet, leased lines, dial-up, intranets,
private networks).
What does electronic protected health information (ePHI) mean?
If patient health information is computer based, meaning it is stored,
maintained or processed electronically, it is electronic patient health information and
protected individually identifiable health information. This includes
enrollment and eligibility information, and any individually identifiable health information that is
transmitted by electronic media or maintained in electronic media. It
includes reports generated from computers that contain ePHI, and ePHI
disclosed through IVR (Interactive Voice Response) systems. Patient health information
transmitted by fax or telephone is not covered by the HIPAA
Security Rule, although that information is covered by the HIPAA Privacy
Rule.
What is the definition of common control?
Common control exists if an entity has the power, directly or
indirectly, to significantly influence or direct the actions or policies
of another entity. This means that organizations or covered entities
that are the custodians of patient health information must secure it and
take appropriate safeguards to ensure that patient health information shared with
or used by the outside vendors they contract with is also protected.
What does HIPAA mean by security standards?
A covered entity must comply with the standards with respect to all
electronic protected health information.
What do implementation specifications mean?
There are two types of implementation specification: required and
addressable. A required implementation specification must
be implemented. If a specification is addressable, a covered entity must assess
whether it is a reasonable and appropriate safeguard in its environment, AND implement it
if reasonable and appropriate, OR document why it would not be
reasonable and appropriate AND implement an equivalent alternative
measure if reasonable and appropriate.