In this article, let us explore the origin of the HIPAA Privacy and Security Rules and their major parts: who is covered, what information is protected, and what safeguards need to be in place to protect electronic health information stored in the cloud, mainly in the context of HIPAA compliant file sharing.
HIPAA (the Health Insurance Portability and Accountability Act of 1996) required the Secretary of the US Department of Health and Human Services (HHS) to develop regulations that protect the security and privacy of health information that is stored in the cloud. Accordingly, HHS published the HIPAA Privacy Rule and Security Rule.
The Security Rule puts the protections of the Privacy Rule into operation, and addresses the technical as well as non-technical safeguards that organizations need to have in place to secure e-PHI (electronic protected health information).
Before HIPAA, there were no accepted security standards or requirements to protect cloud information. As new technologies kept evolving, the industry started moving away from paper and began relying more on electronic systems for paying claims, verifying eligibility, providing and sharing information, and so on.
Today, providers use clinical applications such as CPOE (computerized physician order entry) systems, EHRs, and pharmacy and radiology systems. Health plans provide access to care management, claims management and self-service applications. This makes the workforce more efficient and mobile, but the potential security risk increases at the same time.
One of the main goals of the Security Rule is to protect the privacy of individuals' cloud information while allowing covered entities to adopt new technologies that improve the efficiency and quality of patient care. The rule is scalable and flexible: covered entities can implement policies, procedures and technologies that are appropriate for their size and organizational structure.
This rule, like all the HIPAA Administrative Simplification rules, applies to health plans, health care clearinghouses, and any health care provider that transmits health information electronically.
The rule protects individually identifiable health information known as PHI (Protected Health Information). More precisely, the Security Rule covers a subset of the information protected by the Privacy Rule: all individually identifiable health information that a covered entity creates, receives, maintains or transmits electronically (e-PHI). It does not apply to PHI that is transmitted orally or in writing.
On a related note, here is a good article on What is PII and PHI? Why is it Important?
The rule requires all covered entities to maintain reasonable and appropriate administrative, physical and technical safeguards for e-PHI. Covered entities must:
The provisions of the rule require covered entities to conduct a risk analysis as part of their security management process. The risk analysis and risk management provisions are addressed separately here, because determining which security measures are appropriate for an entity shapes how that entity implements the rule's safeguards.
Covered entities need to adopt reasonable and appropriate policies and procedures to comply with the provisions of the rule. They must retain written policies, procedures and records of required actions, activities and assessments until six years after the date of creation or the date they were last in effect.
Updates: Covered entities need to periodically review and update their documentation in response to environmental or organizational changes that affect the security of e-PHI.
Compliance: The rule establishes a set of standards for the confidentiality, integrity and availability of e-PHI. HHS and its Office for Civil Rights (OCR) are responsible for administering and enforcing these standards, in connection with their enforcement of the Privacy Rule, and may conduct complaint investigations and compliance reviews.
Author: Rahul Sharma