Originally signed into law in 1996, the Health Insurance Portability and Accountability Act (HIPAA) established a set of standards to protect the privacy and security of patients' health information. HIPAA consists of several Rules, including the Security Rule, the Privacy Rule and the Breach Notification Rule, each of which has its own purpose. The Security Rule, for instance, focuses strictly on protecting Electronic Protected Health Information (EPHI) from unauthorized use or disclosure, whereas the Privacy Rule covers PHI in all forms, whether electronic, paper or oral.
You can access the entire 49-page document on the HIPAA Security Rule by visiting the Department of Health and Human Services' website. In essence, however, it reduces to four general requirements that covered entities must satisfy in order to remain compliant.
The first requirement of the HIPAA Security Rule is to ensure the confidentiality, integrity and availability of all EPHI that the covered entity creates, receives, maintains or transmits. This is something of a catch-all requirement that states the basic principle of the Security Rule: the data must not be disclosed to unauthorized parties, must not be altered or destroyed in an unauthorized manner, and must remain accessible to the people who are authorized to use it. Doctors, chiropractors, dentists and all other healthcare providers covered under HIPAA must take reasonable and appropriate steps to keep their patients' information from ending up in the wrong hands.
The second requirement is to identify and protect against reasonably anticipated threats or hazards to the security or integrity of EPHI. Cyber threats are the obvious case, but the requirement is not limited to them; physical and environmental hazards that could expose or destroy EPHI count as well. Meeting it may include hiring an Information Technology (IT) company to monitor network activity; installing additional firewalls or other security software; and performing regular risk assessments and audits to confirm that patients' data is securely protected on the covered entity's network.
The HIPAA Security Rule also requires covered entities to protect against “reasonably anticipated impermissible uses or disclosures.” What exactly does this mean? An impermissible use or disclosure is one that the Privacy Rule does not allow, and the requirement is that a covered entity anticipate such uses or disclosures and put safeguards in place before they happen. It also means that if a covered entity has reason to believe its patients' data is exposed to a breach, it must take prompt action to secure the data. This may include taking the affected systems offline temporarily; issuing new patient ID numbers; or installing new security software.
The fourth requirement of the HIPAA Security Rule is to ensure compliance by the workforce, which in practice means training workers on HIPAA and holding them to its requirements. Workers who fail to follow the requirements set forth by the HHS under HIPAA can end up hurting the entire practice for which they work: if an employee's negligence results in the unauthorized use or disclosure of Protected Health Information, the whole healthcare practice, not just the employee, can face the consequences. This is why it is critical that healthcare employers train their workforce on HIPAA and each of its Rules.