Institute: ONC | Component: 2 | Unit: 9 | Lecture: d | Slide: 5
Institute: Office of National Coordinator (ONC) Workforce Training Curriculum
Component: The Culture of Health Care
Unit: Privacy, Confidentiality, and Security
Lecture: HIPAA Security Rule
Slide content: General Provisions
Covered entities, business associates, and their subcontractors must:
- Ensure confidentiality, integrity, and availability of electronic PHI that they create, receive, transmit, and maintain
- Protect against reasonably anticipated threats and hazards to such information
- Protect against reasonably anticipated uses or disclosures not permitted or required by Privacy Rule
- Ensure compliance by workforce
HHS (2010) provides guidance on conducting risk assessments and helps determine whether an issue that is addressable should be addressed by the provider
Slide notes: The general provisions of the Security Rule are that covered entities, their business associates, and subcontractors must ensure confidentiality, integrity, and availability of electronic protected health information (PHI) that is created, received, transmitted, and maintained by the entity. Entities must protect against reasonably anticipated threats and hazards to such information by having a secure data center and using encryption where appropriate. They also must protect against reasonably anticipated uses or disclosures that are not permitted or required by the Privacy Rule. Entities must also ensure compliance by their workforce in implementing the security and privacy rules. HHS provides guidance on conducting risk assessments. One important feature of this reference is that it helps determine whether something that is addressable should be addressed by the provider. If the provider chooses not to address it, the decision should be documented in the risk analysis. There are many other publicly available risk assessment resources as well.