The Health Insurance Portability and Accountability Act (HIPAA) provides a set of standards to protect the sensitive data of patients. Companies dealing with Protected Health Information (PHI) must have administrative, physical, and technical security measures to be HIPAA compliant.
Table of contents
- What is PHI?
- Covered Entities
- General Rules
- Physical Safeguards
- Administrative Safeguards
- Technical Safeguards
What is PHI?
PHI stands for Public Health Information.
HIPAA Privacy Rule provides federal protection for PHI held by covered entities. Privacy Rule also permits disclosure of PHI needed for patient care and other important purposes.
Covered entities are anyone providing treatment, accepting payments or operating in healthcare, or business associates. These include anyone who has patient information and provides support in treatment, payments, or operations. All covered entities must be HIPAA compliant. Subcontractors and other business associates must also be HIPAA compliant.
To determine if you are covered, follow this link.
General Security Rules require covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting PHI.
- Ensuring confidentiality, integrity, and availability of all PHI covered entities create, receive, maintain or transmit.
- Identify and protect against reasonably anticipated threats to the security, or integrity of the information.
- Protect against reasonably anticipated, impermissible uses, or disclosures.
- Ensure compliance by covered entities’ workforce.
- Facility Access and Control
A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
- Workstation and Device Security
A covered entity must implement policies and procedures to specify proper use of, and access to, workstations and electronic media. A covered entity must also have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of PHI.
- Security Management Process
A covered entity must identify and analyze potential risks to PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- Security Personnel
A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
- Information Access Management
A covered entity must implement policies and procedures for authorizing access to PHI only when such access is appropriate based on the user or recipient’s role.
- Workforce training and Management
A covered entity must provide for appropriate authorization and supervision of workforce members who work with PHI.
A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
- Access Control
A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
- Audit Controls
A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity Controls
A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
- Transmission Controls
A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.