Security Standards
There is often confusion about the difference between privacy, confidentiality
and security. In the context of HIPAA, privacy determines who should have
access, what constitutes the patient's rights to confidentiality, and what
constitutes inappropriate access to health records. Confidentiality establishes
how the records (or the systems that hold those records) should be protected
from inappropriate access. Security is the set of means (administrative,
physical and technical controls) by which you ensure privacy and confidentiality.
Background:
One of the provisions of HIPAA calls for electronic data interchange (EDI)
transaction standards. The logic behind this set of requirements was that it
would facilitate computer-to-computer exchange of information throughout the
care delivery system. Making these transactions easier, however, also makes
the data easier to reach and may increase the risk of inappropriate access to
sensitive information. Consequently, HIPAA also calls for security standards.
Goal:
The new security standards were designed to protect all electronic health
information from improper access or alteration, and to protect against loss
of records. Health plans, health care clearinghouses, and health care
providers would use the security standards to develop and maintain the
security of all electronic individual health information. The Security and
Electronic Signature Standards set the minimum level of security for
individually identifiable health information maintained in or transmitted by
health care organizations. The electronic signature standard applies only to
the specific transactions defined in the Health Insurance Portability and
Accountability Act of 1996, and only when it has been determined that an
electronic signature must be used.
Specifics:
The proposed regulation on security standards groups the requirements into
six categories: administrative procedures, physical safeguards, security
configuration management, technical security services, technical security
mechanisms, and electronic signatures. Although the requirements in these
categories overlap, they are intended to help organizations understand the
different types of requirements needed for a comprehensive security approach.
Administrative Procedures:
- Certification
- Chain of Trust Partner Agreements
- Contingency Plan
- Formal Mechanism for Processing Records
- Information Access Control
- Internal Audit
- Personnel Security
Physical Safeguards:
- Assigned Security Responsibility
- Media Controls
- Physical Access Controls
- Policy / Guidelines on Workstation Use
- Secure Workstation Location
- Security Awareness Training
Security Configuration Management:
- Security Incident Procedures
- Security Management Process
- Termination Procedures
- Training
Technical Security Services:
- Access Controls
- Audit Controls
- Authorization Controls
- Data Authentication
- Entity Authentication
Technical Security Mechanisms:
- Communication/Networking Controls
- Network Controls
Electronic Signature:
Each health care organization is also required to designate someone as having
the responsibility of ensuring that the organization complies with the minimum
level of security outlined in the regulations.
Impact:
Whether or not your organization's current security infrastructure already
meets the minimum security standards, every organization covered by the
standards will need to be able to demonstrate that effective management,
operational, and technical controls are in place and that they comply with
the minimum level.