The HIPAA Security Rule is a vital part of the Health Insurance Portability and Accountability Act of 1996 that thousands of organizations throughout the United States are required to comply with. If your organization is covered by the Act, it is important that you understand the HIPAA Security Rule and take the steps necessary to comply with it.
Basically, the rule applies to electronic protected health information (EPHI), which is individually identifiable health information (IIHI) in electronic form. IIHI pertains to a patient's past, present or future mental or physical condition, the provision of health care to that patient, and past, present or future payment for that health care. The foremost concern of the HIPAA Security Rule is to protect the integrity, confidentiality and availability of EPHI when it is stored, maintained or transmitted.
The organizations that are required to comply, or Covered Entities (CEs), are group health plans, HMOs and similar entities; health care providers such as hospitals, doctors and dentists who transmit EPHI; and health care clearinghouses such as billing and medical transcription companies. To protect the integrity, confidentiality and availability of their EPHI, CEs are required to maintain reasonable and appropriate administrative, physical and technical safeguards within their operational systems and policies.
Aside from the civil and criminal penalties, the consequences of non-compliance with the HIPAA Security Rule that may severely affect the continuing viability of the organization are negative publicity and the loss of customers, clients and business partners. Under the guiding principles, all CEs must: be able to comply with the rule regardless of size; have a cohesive security approach based on the principle of "defense in depth"; protect their EPHI against both external and internal threats; choose the appropriate technology to protect that EPHI; and regularly conduct a thorough risk analysis.
The key concepts of the HIPAA Security Rule provide that: CEs are required to comply with best security practices and principles; CEs must undertake appropriate measures to control or mitigate anticipated risks to their EPHI, balancing their business requirements and resources against such risks; all members of a CE must comply with the rule; CEs must document their security procedures, policies and processes; and CEs must conduct regular security awareness training for their workforce and revise policies and procedures as the need arises.
The HIPAA Security Rule requires all CEs to put in place administrative, physical and technical safeguards to ensure the safety, integrity and confidentiality of their EPHI. CEs found to be non-compliant with the HIPAA Security Rule face civil penalties ranging from $100 per violation up to $25,000 per year for each requirement violated. Criminal penalties, on the other hand, range from a fine of $50,000 plus one year of imprisonment up to $250,000 in fines plus 10 years of imprisonment.