With the Office of Civil Rights (OCR) conducting the second phase of its Health Insurance Portability and Accountability Act (HIPAA) audits, doctors and other covered entities should put forth the effort to ensure they are in full compliance with HIPAA. As you may already know, HIPAA consists of the Security Rule, Privacy Rule and Breach Notification Rule. Of those three, covered entities experience the greatest difficulty with the Security Rule. So, what steps can you take to ensure your practice complies with the HIPAA Security Rule?
5 Standards of Technical Safeguards
The HIPAA Security Rule specifically requires covered entities to implement five standards under the Technical Safeguards section: access control, audit controls, integrity, person or entity authentication, and transmission security. These are pretty straightforward, but nonetheless they are an important part of HIPAA compliance.
4 Standards of Physical Safeguards
Equally important as technical safeguards are physical safeguards. These are tangible measures that protect against the unauthorized use or disclosure of PHI. In the HIPAA Security Rule, the OCR requires covered entities to implement four specific standards of physical safeguards: facility access controls, workstation use, workstation security, and device and media controls.
9 Standards of Administrative Safeguards
Covered entities must also implement nine standards of administrative safeguards: security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency plan, evaluation, and business associate contracts and other agreements.
When looking at the administrative safeguards, it's important to note the use of business associate contracts. Also known as a Business Associate Agreement (BAA), one is needed any time you conduct business with a third party and that party has access to PHI.
Electronic Protected Health Information (ePHI) must be properly disposed of; otherwise, nefarious individuals could retrieve patients' personal information. There are service providers who specialize in ePHI disposal, although covered entities are allowed to perform the disposal themselves, provided they don't disclose any ePHI in the process.
What about encryption? If you read through the HIPAA Security Rule in its entirety, you'll notice that covered entities are not strictly required to implement encryption. Rather, it's listed as an addressable specification. This doesn't mean that you should not use encryption, however. An addressable specification means that covered entities (and business associates) should implement it when useful and appropriate for preventing the unauthorized use or disclosure of PHI.