The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to lower the cost of health care in the United States, give its citizens better access to health insurance, and reduce abuse and fraud. The most significant portion of this Act is the Security Rule, which covers thousands of organizations called “Covered Entities.” Before such covered entities can take the steps needed for HIPAA compliance, they must first understand the rule. Covered entities should consider the following steps when preparing to comply with the Security Rule.
HIPAA compliance requires a great deal of money, time and effort. That is why it is crucial to educate senior management about the Security Rule and for them to make a clear statement of support for compliance; if possible, they should willingly sponsor compliance projects. Before even starting security processes, covered entities should identify and define the security policies that they need to develop and implement. They should craft the strategic security goals of their organization to ensure a focused and integrated security effort. Formal, documented security policies and procedures are clear manifestations of senior management’s desire to move their organization towards HIPAA compliance.
The goal of the HIPAA Security Rule is to ensure the integrity, confidentiality and availability of Electronic Protected Health Information (EPHI). For this to happen, covered entities must first conduct and maintain an inventory of their EPHI and document both the internal and external flow of EPHI. Compliance with the Security Rule begins with the people who make up the organization. Implementing security policies and technology without understanding the underlying culture and politics of an organization is bound to fail. It is imperative in this regard that members of the workforce be educated about the requirements of the Security Rule and the importance of protecting EPHI. Soliciting workforce participation in crafting security policies and in the feedback process can go a long way toward ensuring HIPAA compliance.
Covered entities should also undertake regular risk analysis, which entails identifying and assessing the risks to their EPHI so that senior management can allocate the resources necessary to mitigate the impact of these risks and protect the EPHI. The Security Rule does not, however, expect covered entities to devote all of their resources, effort and time to providing perfect security against every possible risk at the expense of the organization as a going concern. Covered entities are instead enjoined to understand their EPHI and the reasonably anticipated risks to it so that they can develop security procedures that are reasonable and appropriate. Having done this, covered entities are then required to formally document their security policies, procedures and controls, which must be approved by senior management with the understanding that they shall be regularly reviewed and modified as necessary. Covered entities must appreciate that risks, rules and laws change over time, and they should be prepared to respond to these changes.