4.2 OVERLAPS AND INTERDEPENDENCIES

4.2 OVERLAPS AND INTERDEPENDENCIES

There are several areas where the requirements of the Privacy and Security Rules overlap or supplement each other. It should also be understood that the Department of Health and Human Services worked to ensure that the Security Rule requirements for electronic information systems worked hand in glove with the relevant requirements of the Privacy Rule.

The Privacy Rule has three rather broad provisions that when interpreted have a number of security implications or dependencies, these are:

1. 'A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.'

2. 'When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.'

3. 'An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested .'

The Security Rule on the other hand is far more specific in its requirements.

Understanding the Overlaps and Interdependencies will enable organizations to more efficiently and effectively use organizational resources to comply with both rules.

In this section we will examine the overlaps and interdependencies that occur in the following areas:

• Training and Awareness

• Appropriate and reasonable safeguards

• Risk Assessment

• Access controls

• Accountability

• Third Party Agreements

• Mapping PHI dataflow:

• Protecting appropriate data: