HIPAA required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of Protected Health Information (PHI). To fulfill this requirement, HHS published what are known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, formally the Standards for Privacy of Individually Identifiable Health Information, established national standards for the protection of certain health information in any form. The Security Rule, formally the Security Standards for the Protection of Electronic Protected Health Information, established a national set of security standards for protecting the subset of that information that is created, received, maintained, or transmitted in electronic form (ePHI). The Security Rule operationalizes the protections contained in the Privacy Rule by specifying the technical and non-technical safeguards that Covered Entities and their Business Associates must put in place to secure individuals’ ePHI. Within HHS, the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules, through voluntary compliance activities and, where necessary, civil money penalties.
To comply with the Security Rule, an organization must address every standard and implementation specification under the Administrative, Physical, and Technical Safeguards. If an implementation specification is designated “required,” it must be implemented as written. If it is designated “addressable,” it still cannot be skipped: the organization must assess whether the specification is reasonable and appropriate for its environment and either implement it, or document why it is not reasonable and appropriate and implement an equivalent alternative measure where one exists. “Addressable” therefore gives flexibility in how a standard is met, not whether it is met, and the risk assessment and decision must be documented.
HIPAA compliance isn’t a one-time checklist. It’s ongoing and programmatic in nature, and it requires demonstrated, reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you with peace of mind through our expert HIPAA compliance services. To learn more, contact us here.