Medical confidentiality depends on privacy (limiting disclosure) and security (protecting PHI from harm).
The Privacy Rule came into effect two years before the Security Rule. The mini-security rule § 164.530(c) was inserted in the Privacy Rule to summarize the concept of safeguards without specifying the details. The mini-security rule currently applies to all kinds of PHI maintained in any form whatsoever (i.e., paper, verbal, electronic).
"A covered entity (CE) must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI)..." and "...must reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of..." HIPAA and "...reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure." § 164.530(c)
Administrative safeguards are an organizational standard in the Security Rule. §§ 164.302-164.318.
The security management process, stated in paragraph (a)(1), is the most important standard.
Risk analysis is fundamental to any compliance program. It requires entities to "...conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the CE or BA." § 164.308(a)(1)(ii)(A)
Outsourcing risk analysis is common practice for small businesses. HHS has developed guidelines to help CEs with this analysis. See Guidance on Risk Analysis.
CEs and business associates (BAs) must "...identify the security official who is responsible for the development and implementation of the policies and procedures required by..." the Security Rule. § 164.308(a)(2)
The CE or BA's security official must "...implement policies and procedures to prevent, detect, contain, and correct security violations." § 164.308(a)(1)(i)
Physical safeguards are needed to protect e-PHI from physical threats.
Facility access controls require "...policies and procedures to limit physical access..." to areas where e-PHI is kept. § 164.310(a)
Workstation use requires policies on the "...proper functions to be performed..." at workstations and on "...the physical attributes of the surroundings of..." workstation(s) that can access e-PHI. § 164.310(b)
Workstation security requires "...physical safeguards for all workstations that access e-PHI..." and "...to restrict access to authorized users." § 164.310(c)
Device and media controls "...govern(s) the receipt and removal of hardware and electronic media that contain e-PHI...and the movement of these items within the facility." § 164.310(d)
Technical safeguards are electronic tools for protecting e-PHI.
Access control requires "...technical policies and procedures ... to allow access only to those ... granted access rights." § 164.312(a)
Audit controls are "... mechanisms that record and examine activity in information systems that contain or use e-PHI." § 164.312(b)
Integrity mechanisms "...protect e-PHI from improper alteration or destruction." § 164.312(c)
Authentication standards "...verify that a person...seeking access to e-PHI is the one claimed." § 164.312(d)
Transmission security guards "...against unauthorized access to e-PHI that is being transmitted over an electronic communications network." § 164.312(e)
HIPAA has stringent requirements for disposing of (or reusing) hardware and electronic media containing e-PHI. CEs and BAs are required to "...maintain a record of the movements of hardware and electronic media and any person responsible therefor." § 164.310(a)(1)
It is natural for small providers to hire responsible professionals to help with the destruction or recycling of electronic equipment. NAID is the international trade association that governs information destruction service companies.
"Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner." § 164.304
"Availability means the property that data or information is accessible and useable upon demand by an authorized person." § 164.304
The C-I-A security triad is a well-recognized framework for designing security safeguards. Confidentiality relates to privacy; Integrity applies to data; and Availability applies to e-PHI and data necessary for smooth business operations.
The business associate (BA) contract is an opportunity for small businesses to review the C-I-A triad to make sure both entities are comfortable with the risk of doing business.
Large entities usually have security experts on staff, whereas solo practitioners usually make their own decisions. Therefore, it is natural for a small provider (or small BA) to avail themselves of the larger entity's expertise.
CEs must not delegate HIPAA compliance to a vendor. Professional judgment often comes into play in determining the practitioner's obligations under HIPAA.
© Darnall Law Office 2015