In 1996, the U.S. Congress passed the
Health Insurance Portability and Accountability Act
(HIPAA). The act includes two sections. The first, Title I, provides health insurance coverage after
The IT
The most commonly identified component of the act is a body of data collectively known as
protected health information (PHI)
. These data represents the entire spectrum of individually identifiable health-related information. Any entity that maintains and uses individually identifiable PHI is subject to the act. The effective scope of HIPAA encompasses everyone from
Two rules were published in the Federal Register by the Department of Health and Human Services after HIPAA was passed. The HIPAA Privacy Rule was published in December 2000, and the HIPAA Security Rule was published in February 2003.
The HIPAA Privacy Rule is focused mostly on administrative controls designed to protect patient privacy, such as securing or masking medical
The HIPAA Security Rule is focused on technical controls such as network perimeter protection encryption and workstation security. The HIPAA Security Rule is broken out into high-level standards and implementation specifications that support each standard. Implementation specifications are either required (mandatory) or addressable (required unless justified
|
Standard |
Security Rule Reference |
Implementation Specification |
|---|---|---|
|
Administrative Safeguards |
||
|
Security management process |
164.308(a)(1) |
Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) |
|
Assigned security responsibility |
164.308(a)(2) |
Assigned Security Responsibility (R) |
|
Workforce security |
164.308(a)(3) |
Authorization and/or Supervision (A) Workforce Clearance Procedure Termination Procedures (A) |
|
Information access management |
164.308(a)(4) |
Isolating Health Care Clearinghouse Function (R) Access Authorization (A) Access Establishment and Modification (A) |
|
Security awareness and training |
164.308(a)(5) |
Security Reminders (A) Protection from Malicious Software (A) Log-in Monitoring (A) Password Management (A) |
|
Security incident procedures |
164.308(a)(6) |
Response and Reporting (R) |
|
Contingency plan |
164.308(a)(7) |
Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Testing and Revision Procedure (A) Applications and Data Criticality Analysis (A) |
|
Evaluation |
164.308(a)(8) |
Evaluation (R) |
|
Business associate contracts and other arrangements |
164.308(b)(1) |
Written Contract or Other Arrangement (R) |
|
Physical Safeguards |
||
|
Facility access controls |
164.310(a)(1) |
Contingency Operations (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A) |
|
Workstation use |
164.310(b) |
Workstation Use (R) |
|
Workstation security |
164.310(c) |
Workstation Security (R) |
|
Device and media controls |
164.310(d)(1) |
Disposal (R) Media Reuse (R) Accountability (A) Data Backup and Storage (A) |
|
Technical Safeguards |
||
|
Access control |
164.312(a)(1) |
Unique User Identification (R) Emergency Access Procedure (R) Automatic Logoff (A) Encryption and Decryption (A) |
|
Audit controls |
164.312(b) |
Audit Controls (R) |
|
Integrity |
164.312(c)(1) |
Mechanism to Authenticate Electronic Protected Health Information (A) |
|
Person or entity authentication |
164.312(d) |
Person or Entity Authentication (R) |
|
Transmission security |
164.312(e)(1) |
Integrity Controls (A) Encryption (A) |
For large health care organizations, compliance with HIPAA provisions has been expensive but did not
Successfully
Compliance with HIPAA is