The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
To comply with the HIPAA Security Rule, covered entities must implement security measures that protect PHI. Patient health information must remain available to authorized users while being protected against improper access or use. The Rule requires three types of safeguards: administrative, physical and technical.
Administrative Safeguards
Administrative safeguards are the policies and procedures that help protect against a breach. They determine documentation processes, roles and responsibilities, training requirements, data maintenance policies and more. Administrative protections ensure that the physical and technical protections are implemented properly and consistently.
Physical Safeguards
Physical safeguards make sure data is physically protected. They include security systems and video surveillance, door and window locks, and locations of servers and computers. They even include policies about mobile devices and removing hardware and software from certain locations.
Technical Safeguards
Technical safeguards are the technology and related policies that protect data from unauthorized access. Each covered entity needs to determine which technical safeguards are necessary and appropriate for the organization in order to protect its ePHI. The Department of Health and Human Services states that you need to “establish a balance between the identifiable risks and vulnerabilities to ePHI, the cost of various protective measures, and the size, complexity and capabilities of the entity.”