This is a summary of key elements of the Security Rule including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information. Because it is an overview of the Security Rule, it does not address every detail of each provision.

Introduction
Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions.

Today, providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.

A major goal of the Security Rule is to protect the privacy of individuals' health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity's particular size, organizational structure, and risks to consumers' e-PHI.

This is a summary of key elements of the Security Rule and not a complete or comprehensive guide to compliance. Entities regulated by the Privacy and Security Rules are obligated to comply with all of their applicable requirements and should not rely on this summary as a source of legal information or advice.
To make it easier to review the complete requirements of the Security Rule, provisions of the Rule referenced in this summary are cited in the end notes. Visit our Security Rule section to view the entire Rule, and for additional helpful information about how the Rule applies. In the event of a conflict between this summary and the Rule, the Rule governs.

Statutory and Regulatory Background
Who is Covered by the Security Rule
Business Associates
What Information is Protected
General Rules
Risk Analysis and Management
Administrative Safeguards
Physical Safeguards
Technical Safeguards
Required and Addressable Implementation Specifications
Organizational Requirements
Policies and Procedures and Documentation Requirements
State Law
Enforcement and Penalties for Noncompliance
Compliance Dates
End Notes
[1] Pub. L. 104-191.
[2] 68 FR 8334.
[3] 45 C.F.R. § 160.103.
[4] 45 C.F.R. § 164.306(a).
[5] 45 C.F.R. § 164.304.
[6] 45 C.F.R. § 164.306(b)(2).
[7] 45 C.F.R. § 164.306(e).
[8] 45 C.F.R. § 164.306(b)(iv).
[9] 45 C.F.R. § 164.308(a)(1)(ii)(B).
[10] 45 C.F.R. § 164.306(d)(3)(ii)(B)(1); 45 C.F.R. § 164.316(b)(1).
[11] 45 C.F.R. § 164.306(e).
[12] 45 C.F.R. § 164.308(a)(1)(ii)(D).
[13] 45 C.F.R. § 164.306(e); 45 C.F.R. § 164.308(a)(8).
[14] 45 C.F.R. § 164.306(b)(2)(iv); 45 C.F.R. § 164.306(e).
[15] 45 C.F.R. § 164.308(a)(2).
[16] 45 C.F.R. § 164.308(a)(4)(i).
[17] 45 C.F.R. § 164.308(a)(3) & (4).
[18] 45 C.F.R. § 164.308(a)(5)(i).
[19] 45 C.F.R. § 164.308(a)(1)(ii)(C).
[20] 45 C.F.R. § 164.308(a)(8).
[21] 45 C.F.R. § 164.310(a).
[22] 45 C.F.R. §§ 164.310(b) & (c).
[23] 45 C.F.R. § 164.310(d).
[24] 45 C.F.R. § 164.312(a).
[25] 45 C.F.R. § 164.312(b).
[26] 45 C.F.R. § 164.312(c).
[27] 45 C.F.R. § 164.312(e).
[28] 45 C.F.R. § 164.306(d).
[29] 45 C.F.R. § 164.314(a)(1).
[30] 45 C.F.R. § 164.316.
[31] 45 C.F.R. § 164.316(b)(2)(iii).
[32] 45 C.F.R. § 160.203.
[33] 45 C.F.R. § 160.202.

Content created by Office for Civil Rights (OCR)

Which of the following is a business associate contract not required? / All of the following are true about Business Associate Contracts EXCEPT?
Business associates are NOT required to obtain "satisfactory assurances" (i.e., that their PHI will be protected as required by HIPAA law) from their subcontractors.

What is the purpose of the business associate agreement quizlet?
Agrees to make uses and disclosures and requests for protected health information: consistent with the covered entity's minimum necessary policies and procedures; for the proper management and administration of the business associate or to carry out the legal responsibilities of the business associate.
Which of the following is an example of a business associate?
Examples of business associates are lawyers, accountants, IT contractors, billing companies, cloud storage services, email encryption services, web hosts, etc.

What is a business associate quizlet?
A "business associate" is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity's workforce is not a business associate.
How many days does a covered entity have to respond to an individual's request for access to his or her PHI when the PHI is stored off site? / How timely must a covered entity be in responding to individuals' requests for access to their PHI?
Under the HIPAA Privacy Rule, a covered entity must act on an individual's request for access no later than 30 calendar days after receipt of the request.