The Health Insurance Portability and Accountability Act (HIPAA) has always emphasized the need to protect private health data. As more of that data came to be created, stored and exchanged electronically, HIPAA added security measures specifically for information in electronic form. Covered entities were required to comply with the Security Rule by April 2005, and small health plans by April 2006. The Security Rule addresses the confidentiality, integrity and availability of electronic protected health information (ePHI) and sets out the security standards and safeguards that must be maintained.
The following three categories of safeguards make up the Security Rule. Covered entities must adopt them after taking stock of their size and complexity, the technical infrastructure available to them, the costs involved, and the likelihood and severity of the risks to their ePHI.
* Administrative Safeguards: A covered entity must first have written policies and procedures that cover, end to end, how it will meet the rule, and it must designate a security official who is responsible for developing and enforcing them. Access to ePHI must be granted only to workforce members who need it to perform their duties, and that access must be kept to the minimum those duties require. The entity must train its workforce to work within the policies it has framed. It must also have backup and contingency plans for emergencies, and must periodically evaluate its procedures to confirm they still meet the Security Rule. Finally, the entity must ensure that the business associates and vendors it shares ePHI with follow equivalent safeguards, and must have those obligations in a written contract.
* Physical Safeguards: Physical access to facilities and equipment must be restricted, with a facility security plan and records of who accesses what. Workstation use must be defined, and workstations that display ePHI must be positioned or shielded so they are not in public view. There must also be a definite procedure for disposing of, re-using or transferring any hardware or media so that the ePHI it holds is securely removed before it leaves the entity's control.
* Technical Safeguards: Only authorized users may access ePHI, each user must be uniquely identified and authenticated, and there must be audit mechanisms that record access to ePHI and activity on the systems that hold it. An entity is responsible for the integrity of its own ePHI and must have procedures and technical controls to detect and prevent improper alteration or destruction of that data. Finally, ePHI transmitted over open networks such as the Internet must be protected against interception and tampering; the rule lists encryption of such transmissions as an addressable specification, and in practice transport encryption such as TLS is the expected control.
Besides prescribing security standards, the rule divides its implementation specifications into required and addressable ones. Required specifications must be implemented as written by every covered entity. Addressable specifications are more flexible, but they are not optional: the entity must assess whether the specification is reasonable and appropriate in its environment and then either implement it, implement an equivalent alternative that meets the same standard, or document why neither is necessary. Thus the HIPAA Security Rule takes into account the need to protect sensitive information while leaving entities that handle such data room to choose, and justify, how each safeguard is maintained.