Share
The HIPAA Security Rule comprises three pillars of safeguards that encompass the necessary controls and procedures prescribed in HIPAA.
These pillars are:
Technical Safeguards are the technical security configurations, controls, and infrastructure in place that identify, protect, detect, respond, and recover from incidents that could affect the confidentiality, integrity, or availability of ePHI (electronic PHI). An example of a Technical Safeguard is end-to-end encryption of ePHI in transit.
Physical Safeguards are the physical security controls, infrastructure, and measures in place to protect and detect unauthorized physical access of PHI or ePHI. One example of a Physical Safeguard is Role-Based Access Control or “RBAC”, which you must enforce in the data centers that store ePHI. You must implement RBAC for systems and employees accessing ePHI. The role must include ePHI access as a requirement for the role.
Administrative Safeguards are the administrative security policies, procedures, and workflows that are compulsory for the assurance of confidentiality, integrity, and availability of ePHI. An example of an administrative safeguard is a Business Continuity and Disaster Recovery Plan.
The HIPAA Privacy Rule lays out the rules related to the use, disclosure, and procedural or operational
safeguards of PHI. The Privacy Rule also defines the patient’s or PHI subject’s rights under HIPAA.
Some of the requirements laid out in the Privacy Rule include the following:
HIPAA compliance primarily applies to organizations that fall under the term “covered entity.” Organizations that fall under the category of a covered entity by HIPAA standards include the healthcare providers, health plans, and healthcare clearinghouses.
So how does this apply to your business then, if it isn’t actually in the healthcare industry?
HIPAA also requires “business associates” to meet the requirements of the Security Rule and Privacy Rule of HIPAA. A business associate may also have additional contractual obligations relating to HIPAA Compliance as laid out in a Business Associate Agreement or “BAA.” Healthcare Providers consist of doctors, clinics, hospitals, continuing care facilities (nursing homes), and any specialists practicing medicine that an insurer would cover the cost.
Health Plans consist of health insurance companies, HMOs, private-sector group health plans, and public sector group health plans.
Healthcare Clearinghouses are service providers that process insurance claims and check for errors, acting as an intermediary between an insurer and a provider. These entities handle ePHI in many forms; therefore, they belong to the category of covered entities. Business Associates are a third-party to a covered entity that provides some service, but is not a part of the core workforce of the covered entity. This can include vendors, software providers, or other services that a covered entity might need to obtain.
2603 Camino Ramon, Bishop Ranch 3, Suite 200, San Ramon, CA 94583, USA
9850 King George Blvd, 2nd-5th Floor, Surrey, British Columbia, V3T 4Y3, Canada
833A/ 3, Level 28, The Gardens South Tower, Mid Valley City, Lingkaran Syed Putra, 59200, Kuala Lumpur, Malaysia
Block A2, First Floor, Span Ventures SEZ, Rathinam Tech Zone, Pollachi Main Road, Eachanari, Coimbatore – 641021
WorkEZ Urban Square, Kandanchavadi, OMR, Kottivakkam, Rajiv Gandhi Salai, Chennai – 600041