System Security
Privacy refers to the right of the individual to keep their protected health information private and to control who may access it.2 Confidentiality refers to the responsibility of the healthcare workforce to maintain the individual patient’s private information so it is NOT disclosed inappropriately. Security refers to all of the policies, procedures, tools, and techniques used to assure privacy and confidentiality are adequately addressed in a healthcare system. HIPAA requires all covered entities that transmit or maintain electronic health information to perform, and document, a risk assessment for security and to develop a security plan to address major areas of concern. Security rules are divided into four categories:
Administrative Procedures
These procedures provide for policies and procedures to guard data integrity,
confidentiality, and availability. They are the formal documentation of security
for the organization’s health information. The HIPAA rule calls for a
certification from each healthcare organization or dental practice that states
appropriate security has been implemented. A security audit can be performed
internally. The administrative policies and procedures provide formal documentation
of the following:
The conduct of a security audit and analysis of potential risks and vulnerabilities to potential breaches of the security of protected health information. This is the basis for developing the basic security program for institutions and practices.
Implementation of security measures sufficient to reduce risks to a reasonable and appropriate level. These would be contained within the practice policies and procedures.
Establishment of sanctions for workforce members who fail to comply with the established security policies.
Establishment of policies to regularly review system activity in order to detect potential breaches.
Identification of a specific individual assigned as security officer to ensure that security measures are used and that personnel protect data in their routine activities. This individual also is responsible for tracking security incidents and providing security training for employees.
Creation of access controls based on a formal access authorization process that designates how access is established. The process has to also address how access can be modified and used with appropriate authentication methods and with specified use of audits.
Formulation of contingency plans that include applications and their data criticality, a data backup and data recovery plan, as well as the use of chain of trust agreements for the electronic exchange of data.
The formal protocols for processing patient records.
Identification of authorization control mechanisms to monitor use and disclosure of health information, and mechanisms for transmission of records. Patient signed authorizations for disclosure procedures are included here.
Management of the security configuration, to include documentation, hardware/software installation, maintenance review, testing for security features (including virus testing), and a hardware/software inventory.
The plan for personnel security to assure supervision, maintenance of access authorization, personnel clearance, and training.
Establishment of security training requirements.
The detail in several of these aforementioned evaluation items is further defined in the discussion of physical and technical safeguards.
Citation Number: Vol. 5, No. 3, Page 160