The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires all covered entities to implement a combination of physical, administrative and technical safeguards to protect sensitive patient information from unauthorized use and disclosure. Today, we're going to take a closer look at some of the technical safeguards described in the HIPAA Security Rule.
Among the many technical safeguards that can be used to comply with the HIPAA Security Rule are access controls. The Office for Civil Rights (OCR) requires covered entities to assign a unique identity to each user who accesses their systems, so that user activity can be identified and tracked. Covered entities must also create policies and procedures for accessing Electronic Protected Health Information (EPHI) in the event of an emergency.
Another type of technical safeguard that's required for HIPAA compliance is audit controls. This involves the use of software or other technologies to monitor and record EPHI access and usage. Without audit controls in place, there's a greater risk of a hacker or some other nefarious individual accessing the entity's EPHI without their knowledge.
While most people are familiar with access and audit controls, integrity can be a bit more confusing. Nonetheless, it's still a required technical safeguard. Integrity means that the entity must implement specifications that prevent its EPHI from being altered or destroyed by an unauthorized individual, and that allow improper alteration to be detected.
As the name suggests, entity authentication means the user accessing EPHI must verify that he or she is who they claim to be. Users may enter a unique username and password, for instance, to verify their identity. The OCR does not have implementation specifications in place for entity authentication.
Transmission security, another component of the HIPAA Security Rule, requires covered entities to implement meaningful and appropriate steps to protect EPHI against unauthorized access while it is being transmitted over a network.
Some of the implementation specifications associated with transmission security include the following:
- Protect EPHI from being altered without it being detected (addressable specification).
- Encrypt EPHI when appropriate (addressable specification).
- Encrypt both stored data and transmitted data.
- Decryption tools should be stored on a device or location that is separate from the EPHI.
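The integrity and audit-control points above can be demonstrated in a few lines. The following is an added example written for this page, not code from the original post or from any HIPAA guidance: it seals a constructed (not real) patient record with an HMAC-SHA256 tag, refuses to treat the record as trustworthy if the tag no longer matches, and writes an audit entry under the accessing user's unique identity either way. The record fields, the user identifier, the `seal`/`verify`/`access_record` function names and the in-memory key are all assumptions made for the example; in a real deployment the key would be fetched from a key store held separately from the EPHI, as the last bullet recommends.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample EPHI record for the example; not real patient data.
SAMPLE_RECORD = {"patient_id": "P-0001", "diagnosis": "example-dx", "note": "constructed"}

# Hypothetical integrity key. In practice it would be loaded from a key store
# kept separate from the EPHI, matching the separation the post recommends.
INTEGRITY_KEY = secrets.token_bytes(32)


def canonical_bytes(record: dict) -> bytes:
    """Serialise a record deterministically so the tag does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes) -> str:
    """Return an HMAC-SHA256 tag binding the record's contents to the key."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes) -> bool:
    """True only if the record is unchanged since it was sealed with this key.

    compare_digest is constant-time, so the check does not leak how many
    leading characters of a forged tag happened to match.
    """
    return hmac.compare_digest(seal(record, key), tag)


def audit_entry(user_id: str, action: str, record_id: str, integrity_ok: bool) -> dict:
    """Build an audit record keyed by the unique user identity the rule requires."""
    return {
        "user_id": user_id,
        "action": action,
        "record_id": record_id,
        "integrity_ok": integrity_ok,
    }


def access_record(user_id: str, record: dict, tag: str, key: bytes, log: list) -> bool:
    """Check integrity before the record is used and log the access either way.

    Logging failures as well as successes is what lets an unauthorized
    alteration be noticed rather than silently served to a clinician.
    """
    ok = verify(record, tag, key)
    log.append(audit_entry(user_id, "read", record["patient_id"], ok))
    return ok


if __name__ == "__main__":
    audit_log = []
    tag = seal(SAMPLE_RECORD, INTEGRITY_KEY)
    print("untouched record ok:", access_record("clinician-42", SAMPLE_RECORD, tag, INTEGRITY_KEY, audit_log))
    tampered = dict(SAMPLE_RECORD, diagnosis="altered")
    print("tampered record ok:", access_record("clinician-42", tampered, tag, INTEGRITY_KEY, audit_log))
    print(json.dumps(audit_log, indent=1))
```

The tag only detects alteration; it does not hide the record's contents. Encrypting EPHI at rest and in transit, as the list above calls for, is a separate control that would be layered on top, with the encryption key kept apart from the data just as the integrity key is here.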
These are just a few of the noteworthy technical safeguards described in the HIPAA Security Rule. Don't focus on a single safeguard; implement all of them in your day-to-day practices.