The general requirements of the HIPAA Security Rule establish that Covered Entities and Business Associates must do the following:
- Ensure the Confidentiality, Integrity, and Availability (CIA) of all electronic Protected Health Information (ePHI) the Covered Entity or Business Associate creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
- Ensure compliance by the workforce.
To comply with the requirements, standards, and implementation specifications, your organization must address all of the security measures in the HIPAA Security Rule for Administrative, Physical, and Technical Safeguards. Why? Because you are required to? Yes, but equally important, reviewing and addressing these safeguards and standards protects the environment from threats and vulnerabilities.
Organizations must focus on risk management and operational resiliency to reduce risk, whether that means updating and testing the Disaster Recovery/Business Continuity Plan; actively auditing the users with access to operating systems and applications that contain ePHI, including their roles and privileges; or physical security measures that cover workstations, cabinets and rooms containing PHI, and locked server rooms with access limited to a small number of staff.
HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.