Beyond the Business Basics
Any business or individual that is a covered entity under HIPAA regulations must comply with the HIPAA Security Rule. Medical providers, insurance companies, medical software vendors or intermediaries, and anyone likely to store or see patient medical information in the course of business is a covered entity. This includes vendors who process or store that information in purely electronic formats.
Three Facets to the HIPAA Security Rule
Three major sections make up the HIPAA Security Rule.
- Providers must put administrative safeguards in place to protect information. Administrative practices include hiring appropriate staff, training employees to protect information, and assigning personnel responsibility for information security.
- Covered entities must provide physical safeguards. Information can’t be left in the open, and equipment and physical access must meet minimum requirements.
- Finally, technical safeguards must be built into the processes for storing, accessing, and transmitting data.
Information that Must be Secured
Covered entities are charged with keeping personal health information safe, whether that information is stored on servers, being uploaded or downloaded, in use, or in the process of disposal. Covered entities are allowed to communicate with each other about patient health data, but electronic communications, including claims billing, must be encrypted and protected with passwords and limited access.
What Happens if Security is Breached?
Security breaches do happen. Early identification and action can help a covered entity reduce the impact of a breach. Entities must report a HIPAA breach following the specific steps laid out in the HIPAA law. Even an unintentional breach can result in fines and other expenses for a provider, so it’s best to take a proactive approach to data security.
What’s your take on the HIPAA Security Rule?