The Health Insurance Portability and Accountability Act outlines several different requirements for covered entities under its Security Rule. These requirements are used to better protect patients' information, reducing the risk of disclosure by unauthorized individuals. Unfortunately, many covered entities turn a blind eye to the Security Rule, which subsequently places them at risk for violations during an audit.
#1) Ensure confidentiality, integrity and availability of Protected Health Information (PHI).
This first requirement is relatively straightforward. Covered entities must implement measures to protect sensitive patient information while still keeping it available to the patient and to authorized employees and/or business associates. Leaving patient files scattered across a desk that's visible from the waiting room won't suffice, nor will storing unencrypted copies of PHI in the cloud.
#2) Identify and protect against anticipated security threats.
The HIPAA Security Rule also states that covered entities must take a proactive approach towards identifying and protecting against potential security threats. Even if you 'think' you are safe from a cyber attack, you must still take measures to protect against possible security threats. If you believe a worker is attempting to access PHI without authorization, it's your responsibility to take action before the problem spirals out of control.
#3) Protect against anticipated impermissible use or disclosure of PHI.
This requirement goes hand in hand with the one listed above. Covered entities must anticipate the unauthorized use and/or disclosure of sensitive patient information. When you're busy running your day-to-day operations, you may forget about the potential for a cyber attack. However, HIPAA requires covered entities to be prepared for, and mindful of, attacks and unauthorized use of PHI.
#4) Ensure compliance by employees.
HIPAA states that covered entities must ensure that all employees are compliant. Even if you're familiar with HIPAA laws, other employees may not be. As an employer, it's your responsibility to educate and train employees on the Health Insurance Portability and Accountability Act. If an employee happens to accidentally disclose PHI, your entire practice could be held liable.
#5) Physical, Administrative and Technical Safeguards
Last but not least, HIPAA requires covered entities to implement administrative, physical and technical safeguards to protect PHI. We've talked about this before on our blog, but physical safeguards consist of tangible measures like locked doors and privacy screens for computers, whereas technical safeguards consist of measures like encryption, firewalls and virus scanners.