Friday, March 2, 2012

How Familiar Are You With the Information Security Requirements of HIPAA, EPHI and the HITECH Act?

Virtually everyone has heard of HIPAA (the Health Insurance Portability and Accountability Act of 1996). The original act required that organizations use information security mechanisms to protect healthcare information that is processed and stored. HIPAA has had a pervasive impact on health-care organizations as well as insurers, universities and self-insured employee health care programs. Failure to comply with HIPAA could result in a fine of up to $250,000.00 or 10 years in prison for misusing client information.
Fewer people, however, are aware of the implications of the Security Rule for Electronic Protected Healthcare Information that is associated with HIPAA and what is known as the HITECH Act.
All components of the Security Rule for Electronic Protected Healthcare Information (EPHI) became effective for all covered entities (CEs) on April 20, 2006. The Security Rule for Electronic Protected Healthcare Information was deliberately designed to reflect the requirements of the original HIPAA Privacy Rule. Entities covered by the EPHI Security Rule must be able to document that the required organizational processes and procedures are in place and reasonably implemented as appropriate administrative, physical, and technical safeguards ("HIPAA Security Rules", 2004).
The implications of the EPHI Security Rule are staggering for those who are responsible for providing information assurance. The EPHI rule applies to all covered entities and to those who conduct business with CEs, regardless of industry. The EPHI rule also adds to the expanding list of information assurance laws and regulations (e.g. Sarbanes-Oxley, Gramm-Leach-Bliley and FERPA) with which affected organizations must comply.
The original portion of the HIPAA Security Rule addressed a full scope of security standards for the administrative, physical and technical safeguards that shield Protected Healthcare Information (PHI) from disclosure. The adoption of the new EPHI Security Rule now requires the covered entity to:
1. Ensure the confidentiality, integrity and availability of all electronic protected health information that the covered entity creates, receives, maintains or transmits
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by law
4. Ensure workforce compliance
The follow-on to the HIPAA Security Rule is the HITECH (Health Information Technology for Economic and Clinical Health) Act. It was created as part of the American Recovery and Reinvestment Act of 2009. The Act encourages providers to expand the use of EMR, or Electronic Medical Records. A variety of financial incentives was included to encourage covered entities to move toward adopting electronic medical records, on the assumption that cost savings would be realized. The HITECH Act, set to take effect in 2011, also provides for stricter enforcement and more severe penalties for failure to comply with PHI security rules. In addition to being responsible for the storage and transmission of PHI, covered entities are required to report data breaches under the HITECH Act.
The information assurance challenges included in HIPAA, EPHI and the HITECH Act are extensive. You need to be technically "on-the-ball" with information security as it relates to the healthcare industry. You now stand to lose a substantial amount of money through penalties for being out of compliance, through failing to qualify for incentives, and/or through damages awarded by juries for loss of confidential patient information.
Learn more about computer security by downloading Dr. William Perry's FREE ebook, "How to Secure Your Computer".
Dr. Perry is the owner of Alliant Digital Services, which publishes the Computer Security Glossary. Alliant Digital Services provides high quality information security guidance to individuals and organizations that must plan for the protection of mission critical information in an asymmetric threat environment while complying with industrial-strength information security standards (i.e. COBIT, ISO 27000, FISMA, HIPAA, EPHI and the new HITECH Act).
Dr. Perry is an information security specialist with significant experience as a university professor, author and service provider to various federal agencies including the Office of the Director of National Intelligence, the Department of Defense and the Federal Bureau of Investigation.
