This is a summary of key elements of the Security Rule including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information. Because it is an overview of the Security Rule, it does not address every detail of each provision.

Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions.

Today, providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.

A major goal of the Security Rule is to protect the privacy of individuals' health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity's particular size, organizational structure, and risks to consumers' e-PHI.

This is a summary of key elements of the Security Rule and not a complete or comprehensive guide to compliance. Entities regulated by the Privacy and Security Rules are obligated to comply with all of their applicable requirements and should not rely on this summary as a source of legal information or advice. To make it easier to review the complete requirements of the Security Rule, provisions of the Rule referenced in this summary are cited in the end notes. Visit our Security Rule section to view the entire Rule, and for additional helpful information about how the Rule applies. In the event of a conflict between this summary and the Rule, the Rule governs.

HIPAA called on the Secretary to issue security regulations regarding measures for protecting the integrity, confidentiality, and availability of e-PHI that is held or transmitted by covered entities. HHS developed a proposed rule and released it for public comment on August 12, 1998. The Department received approximately 2,350 public comments. The final regulation, the Security Rule, was published February 20, 2003.[2] The Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity, and availability of e-PHI. The text of the final regulation can be found at 45 CFR Part 160 and Part 164, Subparts A and C.

Read more about covered entities in the Summary of the HIPAA Privacy Rule. See additional guidance on business associates. Specifically, covered entities must:
The Security Rule defines "confidentiality" to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, "integrity" means that e-PHI is not altered or destroyed in an unauthorized manner. "Availability" means that e-PHI is accessible and usable on demand by an authorized person.[5]

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore, the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity's business, as well as the covered entity's size and resources. Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:

Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.[7]

Risk Analysis and Management
Administrative Safeguards
Physical Safeguards
Technical Safeguards
Required and Addressable Implementation Specifications
Organizational Requirements
Policies and Procedures and Documentation Requirements
State Law
Enforcement and Penalties for Noncompliance
Compliance Dates
Copies of the Rule and Related Materials
End Notes

[1] Pub. L. 104-191.
[2] 68 FR 8334.
[3] 45 C.F.R. § 160.103.
[4] 45 C.F.R. § 164.306(a).
[5] 45 C.F.R. § 164.304.
[6] 45 C.F.R. § 164.306(b)(2).
[7] 45 C.F.R. § 164.306(e).
[8] 45 C.F.R. § 164.306(b)(iv).
[9] 45 C.F.R. § 164.308(a)(1)(ii)(B).
[10] 45 C.F.R. § 164.306(d)(3)(ii)(B)(1); 45 C.F.R. § 164.316(b)(1).
[11] 45 C.F.R. § 164.306(e).
[12] 45 C.F.R. § 164.308(a)(1)(ii)(D).
[13] 45 C.F.R. § 164.306(e); 45 C.F.R. § 164.308(a)(8).
[14] 45 C.F.R. § 164.306(b)(2)(iv); 45 C.F.R. § 164.306(e).
[15] 45 C.F.R. § 164.308(a)(2).
[16] 45 C.F.R. § 164.308(a)(4)(i).
[17] 45 C.F.R. § 164.308(a)(3) & (4).
[18] 45 C.F.R. § 164.308(a)(5)(i).
[19] 45 C.F.R. § 164.308(a)(1)(ii)(C).
[20] 45 C.F.R. § 164.308(a)(8).
[21] 45 C.F.R. § 164.310(a).
[22] 45 C.F.R. §§ 164.310(b) & (c).
[23] 45 C.F.R. § 164.310(d).
[24] 45 C.F.R. § 164.312(a).
[25] 45 C.F.R. § 164.312(b).
[26] 45 C.F.R. § 164.312(c).
[27] 45 C.F.R. § 164.312(e).
[28] 45 C.F.R. § 164.306(d).
[29] 45 C.F.R. § 164.314(a)(1).
[30] 45 C.F.R. § 164.316.
[31] 45 C.F.R. § 164.316(b)(2)(iii).
[32] 45 C.F.R. § 160.203.
[33] 45 C.F.R. § 160.202.
Content created by Office for Civil Rights (OCR)