Institute: ONC | Component: 2 | Unit: 9 | Lecture: d | Slide: 4
Institute:Office of National Coordinator (ONC) Workforce Training Curriculum
Component:The Culture of Health Care
Unit:Privacy, Confidentiality, and Security
Lecture:HIPAA Security Rule
Slide content: HIPAA Security Rule
- Readable overview in Security 101 for Covered Entities (CMS, 2007)
- Aligned with terminology of Privacy Rule
- Aims to minimize specificity to allow scalability, flexibility, and changes in technology
- For covered entities, business associates, and subcontractors, rules are either:
  - Required: Must be implemented
  - Addressable: If reasonable and appropriate to implement
- As with HIPAA Privacy Rule, modifications under HITECH and other legislative actions
- State laws are instrumental
Slide notes: This lecture discusses the Health Insurance Portability and Accountability Act (HIPAA) [hip-uh] Security Rule. There's a very readable overview of the HIPAA Security Rule on the Centers for Medicare and Medicaid Services, or CMS, website called Security 101 for Covered Entities. A number of other documents that go into detail on the specifics of the Security Rule are publicly available through such sources as the Department of Health and Human Services (HHS) website. The Health Information and Management Systems Society, HIMSS, offers the Privacy and Security Toolkit, which contains analysis of the HIPAA law as well as tools and resources for understanding and implementing various elements of the law. This toolkit, like many other industry resources, provides HIPAA information on specific aspects of the rule, such as mobile devices, health information exchange organizations, public health, and cloud computing. Many industry resources focus on a specific health care role, such as physicians, nurses, business associates, and human resources.

The terminology of the HIPAA Security Rule is aligned with the Privacy Rule, so that presumably we could identify areas of the Security Rule that map back to the Privacy Rule. The HIPAA Security Rule aims to minimize specificity and to be technology-neutral, giving covered entities scalability, flexibility, and adaptability as technologies change. As such, there are only thirteen required implementation specifications. The remainder of the rules are addressable; that is, they describe approaches that a particular covered entity implements where reasonable and appropriate, and that may or may not be reasonable for that entity.

As with the HIPAA Privacy Rule, the Security Rule has been enhanced and modified under the Health Information Technology for Economic and Clinical Health Act (HITECH [high-tech]) and other legislative updates. Also, various state security laws must be addressed in conjunction with HIPAA requirements.