Healthcare providers operating in the United States are required by law to comply with the Health Insurance Portability and Accountability Act (HIPAA) and its respective rules. Among these rules is the Security Rule, which, according to the Department of Health and Human Services (HHS) website, is a set of standards for the protection of Electronic Protected Health Information (EPHI). While it's recommended that you read the Security Rule in its entirety, it sets forth four general requirements.
1.) Ensure confidentiality, integrity and availability of all EPHI.
The first primary requirement of the HIPAA Security Rule is to ensure the confidentiality, integrity and availability of all EPHI that is created, received, maintained and/or transmitted by the respective covered entity. Covered entities must put forth the effort to protect patients' digital files and data from unauthorized access or use. For instance, covered entities should use a combination of physical, technical and administrative safeguards to protect EPHI.
2.) Identify and protect against reasonably anticipated threats to EPHI.
Another requirement of the HIPAA Security Rule is to identify and protect against reasonably anticipated threats to EPHI – the key word being “reasonably.” There's no way to fully protect against all digital threats, but covered entities should do their due diligence to identify potential vulnerabilities and correct them whenever possible. Conducting regular risk assessments is one technique that can be used to identify such threats – and it is also a requirement of HIPAA.
3.) Protect against reasonably anticipated, impermissible uses or disclosures.
A third requirement of the HIPAA Security Rule is to protect against reasonably anticipated, impermissible uses or disclosures. If a covered entity discloses EPHI without the patient's consent, it could be subject to fines and other corrective action enforced by the Office for Civil Rights (OCR). EPHI disclosures may also occur when a worker's laptop is lost or stolen. If the laptop contains EPHI, safeguards should be used to prevent unauthorized individuals from accessing the data.
4.) Ensure compliance by workforce.
Last but not least, covered entities must ensure compliance with the HIPAA Security Rule by their workforce. It only takes one “bad apple” to trigger a violation. There are dozens of horror stories involving healthcare workers who violated HIPAA, only for their employer to be punished. Covered entities should designate someone as the Security Officer and Privacy Officer to assist with worker compliance and overall knowledge of HIPAA.