The Security Rule
The Privacy Rule and the Security Rule are very closely related. The Privacy Rule provides for the privacy of protected health information, and focuses on empowering the individual to control access to his or her medical records. An important component of ensuring privacy, however, is ensuring data security.
The Security Rule goes into effect in April 2005, and is likely to have a major impact on IT solution providers.
The Security Rule is basically the mechanism to ensure that IT providers are implementing measures to ensure privacy of electronic protected healthcare information (ePHI). The rule requires that IT providers implement the following:
Policies and procedures designed to protect the privacy of ePHI, to stop unauthorized access to ePHI, and to ensure data integrity during transactions
Physical safeguards to control which individuals and entities have access to confidential ePHI
Technical security measures to control which individuals and entities have access to confidential ePHI
The policies and procedures developed and implemented by any IT provider should address such critical areas as which specific roles in the company will have access to data, the procedure for reporting incidents with data, and the policies and procedures for verifying other vendors' compliance with HIPAA regulations. Under the required Business Associate Contract, IT providers may be required to disclose their policies and submit them to HHS for compliance approval.
Physical safeguards are also required for Business Associates. The IT provider is required to take reasonable steps to physically secure servers with ePHI, protecting them against theft or physical intruders. One oft-neglected area that could prove critical is the security of backup tapes, as anything containing ePHI needs to be physically secure.
The technical security requirements are more challenging, but it's a challenge that most IT providers are probably already facing. To provide technical security, IT providers need to implement technical safeguards for ePHI: firewalls, strong password policies and protections, and so on.
While no specific technologies are required for the Security Rule, IT providers are subject to possible termination of contract, or even to civil or criminal action if data security is not taken very seriously. Additionally, IT providers who serve as Business Associates under HIPAA are responsible for the actions of their subcontractors and vendors. Practically speaking, this means that you should take a very, very close look at your business partners to make sure that they, too, are in compliance with HIPAA and the Privacy and Security Rules. If your subcontractors or vendors are found to be in violation, your organization is in jeopardy of losing your contract as well.