Friday, February 18, 2011

How Familiar Are You With the Information Security Requirements of HIPAA, EPHI and the HITECH Act?

Virtually everyone has heard of HIPAA (the Health Insurance Portability and Accountability Act of 1996). The original act required organizations that process and store healthcare information to protect it with information security mechanisms. HIPAA has had a pervasive impact on health-care organizations as well as insurers, universities and self-insured employee health care programs. Knowingly misusing patient information in violation of HIPAA can result in fines of up to $250,000 and up to 10 years in prison.

Fewer people, however, are aware of the implications of the HIPAA Security Rule for Electronic Protected Health Information (EPHI) and of what is known as the HITECH Act.

All components of the Security Rule for Electronic Protected Health Information (EPHI) became effective for all covered entities (CEs) on April 20, 2006. The Security Rule was deliberately designed to complement the requirements of the original HIPAA Privacy Rule. Entities covered by the Security Rule must be able to document that the organizational processes and procedures they have in place reasonably implement the required administrative, physical, and technical safeguards ("HIPAA Security Rules", 2004).

The implications of the EPHI Security Rule are staggering for those responsible for providing information assurance. The rule reaches beyond healthcare providers: business associates that create, receive, maintain or transmit EPHI on behalf of a CE are bound by its safeguards as well, regardless of their industry (since the HITECH Act, directly rather than only through their contracts with the CE). The rule also adds to the expanding list of information assurance laws and regulations (e.g. Sarbanes-Oxley, Gramm-Leach-Bliley and FERPA) with which affected organizations must comply.

The Security Rule addresses the full scope of administrative, physical and technical safeguards needed to shield Protected Health Information (PHI) from improper disclosure. Under the EPHI Security Rule the covered entity must:

1. Ensure the confidentiality, integrity and availability of all electronic protected health information that the covered entity creates, receives, maintains or transmits

2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information

3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by law
