The Health Insurance Portability and Accountability Act (HIPAA) provides a set of standards to protect the sensitive data of patients. Companies dealing with Protected Health Information (PHI) must have administrative, physical, and technical security measures to be HIPAA compliant.

What is PHI?

PHI stands for Protected Health Information.

The HIPAA Privacy Rule provides federal protection for PHI held by covered entities. The Privacy Rule also permits the disclosure of PHI needed for patient care and other important purposes.

Covered Entities

Covered entities are those providing treatment, accepting payments, or operating in healthcare, together with their business associates: anyone who holds patient information and supports treatment, payment, or operations. All covered entities must be HIPAA compliant, and so must their subcontractors and other business associates.

General Rules

The general rules of the Security Rule require covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting PHI. Specifically, covered entities must:

  • Ensure the confidentiality, integrity, and availability of all PHI they create, receive, maintain, or transmit.
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  • Protect against reasonably anticipated impermissible uses or disclosures.
  • Ensure compliance by their workforce.

Physical Safeguards

  • Facility Access and Control
    A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
  • Workstation and Device Security
    A covered entity must implement policies and procedures to specify proper use of, and access to, workstations and electronic media. A covered entity must also have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of PHI.

Administrative Safeguards

  • Security Management Process
    A covered entity must identify and analyze potential risks to PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Security Personnel
    A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
  • Information Access Management
    A covered entity must implement policies and procedures for authorizing access to PHI only when such access is appropriate based on the user or recipient’s role.
  • Workforce Training and Management
    A covered entity must provide for appropriate authorization and supervision of workforce members who work with PHI.
  • Evaluation
    A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.

Technical Safeguards

  • Access Control
    A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
  • Audit Controls
    A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
  • Integrity Controls
    A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
  • Transmission Controls
    A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
