   

 

HIPAA Security Standards FAQs

What does HIPAA mean by security standards?

A covered entity must comply with the standards with respect to all electronic protected health information.

What are the objectives of the HIPAA Rule?

The objectives of the HIPAA Rule are to:

  • Ensure confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against any reasonably anticipated uses or disclosures of such information.
  • Ensure compliance by its workforce.

Why do I need to be HIPAA Security compliant?

The HIPAA law requires all covered health entities or organizations and business associates to safeguard the privacy of patient health information. The law also requires covered entities and business associates to implement the required security measures to protect patient health information.

What is the difference between the HIPAA Privacy and the HIPAA Security Rules?

The Privacy Rule sets the standards for how protected patient health information should be controlled. The Security Rule defines the standards that require covered entities (CEs) to implement basic safeguards to protect ePHI. Privacy depends upon security measures: no security, no privacy.

What does HIPAA mean by electronic media?

Electronic media means electronic storage media, including memory in computers (hard drives) and any removable/transportable digital memory medium such as magnetic tape or disk, optical disk, or memory card, or transmission media used to exchange information (Internet, leased lines, dial-up, intranets, private networks).

How are HIPAA Privacy and Security rules linked?

The Security and Privacy Rules are distinct but inextricably linked: privacy of information depends in large part upon the existence of security measures. The HIPAA Security Rule defines the standards that require covered entities (CEs) to implement basic safeguards to protect ePHI. The Privacy Rule sets the standards for how protected ePHI should be controlled.

What does electronic protected health information (ePHI) mean?

If patient health information is computer based, meaning it is stored, maintained, or processed on a computer, it is electronic patient health information and protected individually identifiable health information. This includes enrollment and eligibility individually identifiable health information that is transmitted by electronic media or maintained in electronic media. It includes reports generated from computers that contain ePHI, and ePHI disclosed through interactive voice response (IVR) systems. ePHI transmitted through fax and telephone is not covered by the HIPAA Security Rule, although that information is covered by the HIPAA Privacy Rule.

What is the definition of common control?

Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity. This means that organizations or covered entities that are the custodians of patient health information must secure it and apply appropriate safeguards to ensure that patient health information shared with or used by the outside vendors they contract with is also protected.

What does "implementation specifications" mean?

There are two types of implementation specification: required and addressable. A required implementation specification must be implemented. For an addressable implementation specification, a covered entity must assess whether it is a reasonable and appropriate safeguard, AND implement it if reasonable and appropriate, OR document why it would not be reasonable and appropriate AND implement an equivalent alternative measure if reasonable and appropriate.

 

 

 

 

Secure Messaging (E-Mailing) Implementation

Secure Email FAQ's

Confidential E-mail Messages Text

Instructions (.doc format) for adding Confidential Email Messages text to email:

