Now let's cover the HIPAA Privacy and Security Rules. The HIPAA Security Rule sets standards for safeguarding electronic protected health information (ePHI): a covered entity may create, store, and share ePHI electronically as long as the required safeguards are in place. The HIPAA Privacy Rule sets standards for how protected health information (PHI) must be controlled, by setting out which uses and disclosures are permitted or required and what rights patients have with respect to their health information. Together, the Privacy and Security Rules allow covered health care providers to share PHI electronically for treatment purposes, as long as they apply reasonable safeguards when doing so. For example, a physician may consult with another physician by secure e-mail about a patient's condition, or a health care provider may exchange PHI through electronic medical records for patient care.

A covered entity must implement administrative, physical, and technical safeguards to protect this information, and it must perform a risk analysis to determine what measures are needed to reduce risks and vulnerabilities to a reasonable and appropriate level.

Administrative safeguards include the office rules and procedures that keep data secure. Covered entities should designate a security official who is responsible for developing and implementing their security policies and procedures. They should also determine who is authorized to access PHI, train all staff in the security policies and procedures, apply appropriate sanctions against workforce members who violate them, and periodically assess how well the policies and procedures meet the requirements of the Security Rule. An example of an administrative safeguard would be allowing only the office manager to send PHI in electronic form.

Physical safeguards include limiting physical access to facilities while ensuring that authorized access is still possible, and implementing policies and procedures that specify the proper use of and access to workstations, including the positioning of screens in patient areas. Covered entities must also have policies and procedures covering the physical transfer, removal, disposal, and reuse of electronic media, such as computer hard drives. An example of a physical safeguard would be keeping all patient files in a locked room that only specific authorized personnel may enter.

Technical safeguards include implementing hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use PHI (audit controls); policies, procedures, and electronic measures that confirm PHI is not improperly altered or destroyed (integrity controls); and technical security measures that guard against unauthorized access to PHI while it is transmitted over an electronic network (transmission security). An example of a technical safeguard would be encrypting data and requiring strong passwords to protect files from unauthorized access.

The Privacy Rule gives providers and plans the flexibility to create their own privacy procedures, tailored to their size and needs. However, no matter the size of a covered entity, whether a small optometrist office or a large hospital with thousands of staff, it must have written privacy procedures. In general, a covered entity must secure patient records containing individually identifiable health information so that the information is not readily available to those who do not need it. When it discloses information, the covered entity must release only as much as is necessary to address the specific need of the entity requesting it. This is what the regulation refers to as the "minimum necessary" standard.
In this lesson, we're going to cover the HIPAA Privacy Rule and the Security Rule. We'll dig into the three safeguards – administrative, physical, and technical – and include rules and examples for each.
The HIPAA Privacy Rule establishes standards for protecting patients' medical records and other protected health information (PHI). It specifies two important things:
- which uses and disclosures of PHI are permitted or required, and
- what rights patients have with respect to their own health information.
The Privacy and Security Rules allow covered healthcare providers to share PHI electronically for treatment purposes, as long as they apply reasonable safeguards when doing so.
A couple of examples of this would be when a physician consults with another physician by secured email regarding a patient's condition, or when a healthcare provider exchanges PHI through electronic medical records for patient care.
Covered entities need to implement safeguards to protect this information. The Security Rule groups these safeguards into three categories:
- administrative safeguards
- physical safeguards
- technical safeguards
Pro Tip #1: All covered entities need to perform a risk analysis to determine what measures need to be taken to reduce risks and vulnerabilities to a reasonable and appropriate level.
Administrative safeguards include office rules and procedures that help keep protected health data secure. To accomplish this, covered entities should designate a security official who is responsible for developing and implementing the entity's security policies and procedures. Under that official, the covered entity should also:
- determine who is authorized to access PHI
- train all staff in the security policies and procedures
- apply appropriate sanctions against workforce members who violate the policies and procedures
- periodically assess how well the security policies and procedures meet the requirements of the Security Rule
An example of an administrative safeguard would be allowing only office managers to send protected health information in electronic form.
Physical safeguards under the HIPAA Security Rule include the following:
- limiting physical access to facilities while still ensuring that authorized access is allowed
- implementing policies and procedures that specify the proper use of and access to workstations, including the positioning of screens in patient areas
- implementing policies and procedures for the physical transfer, removal, disposal, and reuse of electronic media, such as computer hard drives
An example of a physical safeguard would be keeping all patient files in a locked room that only specified and authorized personnel have access to.
Technical safeguards under the HIPAA Security Rule include the following:
- audit controls: hardware, software, and/or procedural mechanisms that record and examine access and other activity in information systems that contain or use PHI
- integrity controls: policies, procedures, and electronic measures that confirm PHI is not improperly altered or destroyed
- transmission security: technical measures that guard against unauthorized access to PHI while it is being transmitted over an electronic network
A couple of examples of technical safeguards would be encrypting PHI (both stored and in transit) and requiring strong passwords, so that files are protected from unauthorized access.
Pro Tip #2: HIPAA's Privacy Rule gives much-needed flexibility to healthcare providers and plans to create their own privacy policies that are tailored to fit their size and needs. However, no matter the size of the covered entity, whether that entity is a small optometrist office or a large hospital with thousands of employees, each covered entity is required to have a written privacy policy.
In general, all covered entities must secure patient records that contain individually identifiable health information so that the information isn't readily available to people who do not need it. You may recall the list of 18 PHI identifiers that we provided in the last lesson.
Also, covered entities must release only as much protected health information as is necessary to address the specific need of the entity requesting it. This is what the HIPAA regulation refers to as the "minimum necessary" standard.
You might also recall from the last lesson, that when it comes to transmitting or sharing protected health information, less is always more.
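The technical safeguards listed above (audit controls and integrity controls) and the minimum-necessary standard are easier to see in code than in prose. The following Python example is added here and is not part of the lesson or of any HIPAA guidance: it seals a patient record with an HMAC tag so that improper alteration is detected on read, records every access in a hash-chained audit log so that log entries cannot be silently edited or removed, and releases only the fields a requesting role needs. The key handling, the role names, the per-role field lists, and the sample patient record are all hypothetical placeholders constructed for the example.

```python
"""Added example (not part of the lesson): integrity control, audit control,
and minimum-necessary disclosure for a PHI record. All names, the field
policy and the sample record are hypothetical."""
import hashlib
import hmac
import json
import secrets

# Hypothetical key: in a real system it would come from a KMS/HSM, never from
# source code. Generated fresh here so the example runs offline.
INTEGRITY_KEY = secrets.token_bytes(32)

# Hypothetical minimum-necessary policy: the PHI fields each role may receive.
FIELD_POLICY = {
    "billing": ["patient_id", "insurance_id", "procedure_codes"],
    "treating_physician": ["patient_id", "name", "diagnosis", "medications", "allergies"],
    "scheduler": ["patient_id", "name", "phone"],
}

GENESIS = "0" * 64  # previous-hash value for the first audit entry


def _canonical(obj):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key=INTEGRITY_KEY):
    """Integrity control: attach an HMAC-SHA256 tag to a stored record."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify(sealed, key=INTEGRITY_KEY):
    """True only if the record has not been altered since it was sealed."""
    expected = hmac.new(key, _canonical(sealed["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


class AuditLog:
    """Audit control: append-only log where each entry hashes the previous one."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action, patient_id, fields):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"actor": actor, "action": action, "patient_id": patient_id,
                "fields": sorted(fields), "prev": prev}
        self.entries.append({**body, "hash": hashlib.sha256(_canonical(body)).hexdigest()})

    def is_intact(self):
        """Recompute the chain; any edited or deleted entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def disclose(sealed, role, actor, log, key=INTEGRITY_KEY):
    """Release the minimum-necessary fields for `role`, after an integrity check,
    and log the access (including denials and integrity failures)."""
    patient_id = sealed["data"].get("patient_id")
    if not verify(sealed, key):
        log.append(actor, "integrity_failure", patient_id, [])
        raise ValueError("record integrity check failed")
    allowed = FIELD_POLICY.get(role)
    if allowed is None:
        log.append(actor, "denied", patient_id, [])
        raise PermissionError(f"role {role!r} is not authorized to receive PHI")
    released = {f: sealed["data"][f] for f in allowed if f in sealed["data"]}
    log.append(actor, "disclose", patient_id, list(released))
    return released


# Constructed sample record for a fictional patient.
SAMPLE = {
    "patient_id": "P-1001", "name": "Jane Doe", "phone": "555-0100",
    "insurance_id": "INS-77", "diagnosis": "J45.20", "medications": ["albuterol"],
    "allergies": ["penicillin"], "procedure_codes": ["99213"],
}


def demo():
    """Billing gets no diagnosis; a tampered copy fails verification; the log chains."""
    log = AuditLog()
    sealed = seal(SAMPLE)
    billing_view = disclose(sealed, "billing", "bob", log)
    tampered = {"data": {**sealed["data"], "allergies": []}, "tag": sealed["tag"]}
    return billing_view, not verify(tampered), log.is_intact(), len(log.entries)


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The HMAC tag covers the whole record, so a change to any field (here an attacker blanking the allergy list) is detected before anything is released, which is the "not improperly altered or destroyed" requirement in practice. The audit log records denials and integrity failures as well as successful disclosures, because the Security Rule's audit-control language is about examining all activity, not only the accesses that succeeded.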