Question
A memo was recently sent to your office staff regarding the importance of securing protected health information (PHI). Because of the recent concern, your office manager has asked you to help with a special project to ensure the security of PHI. To accomplish this task, consider the following:
Identify four ways to ensure that PHI is kept secure.
Discuss physical, electronic, and positional protection strategies for the office and the value of each.
For each way listed, give an example of how not implementing these precautions could negatively affect the office.
Explanation / Answer
Security Standard/Rule (HIPAA)
Health Insurance Portability and Accountability Act (HIPAA) regulations are divided into four Standards or Rules: (1) Privacy, (2) Security, (3) Identifiers, and (4) Transactions and Code Sets. We discuss the Security Rule here.
The HIPAA Security Rule specifically focuses on the safeguarding of EPHI. Although FISMA applies to all federal agencies and all information types, only a subset of agencies is subject to the HIPAA Security Rule based on their functions and use of EPHI. All HIPAA covered entities, which includes some federal agencies, must comply with the Security Rule. The Security Rule specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. In general, the requirements, standards, and implementation specifications of the Security Rule apply to the following covered entities:
• Covered Healthcare Providers: any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
• Health Plans: any individual or group plan that provides or pays the cost of medical care (e.g., a health insurance issuer and the Medicare and Medicaid programs).
• Healthcare Clearinghouses: a public or private entity that processes another entity’s healthcare transactions from a standard format to a nonstandard format, or vice versa.
• Medicare Prescription Drug Card Sponsors: a nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act.
As required by the “Security standards: General rules” section of the HIPAA Security Rule (see 45 C.F.R. § 164.306(a)), each covered entity must:
• Ensure the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits;
• Protect against any reasonably anticipated threats and hazards to the security or integrity of EPHI; and
• Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the Privacy Rule.
In complying with this section of the Security Rule, covered entities must be aware of the definitions provided for confidentiality, integrity, and availability as given by § 164.304:
• Confidentiality is “the property that data or information is not made available or disclosed to unauthorized persons or processes.”
• Integrity is “the property that data or information have not been altered or destroyed in an unauthorized manner.”
• Availability is “the property that data or information is accessible and useable upon demand by an authorized person.”
To understand the requirements of the HIPAA Security Rule, it is helpful to be familiar with the basic security terminology it uses to describe the security standards. By understanding the requirements and the terminology in the HIPAA Security Rule, it becomes easier to see which NIST publications may be appropriate reference resources and where to find more information. The Security Rule is separated into six main sections that each include several standards and implementation specifications that a covered entity must address. The six sections are listed below.
• Security standards: General Rules: includes the general requirements all covered entities must meet; establishes flexibility of approach; identifies standards and implementation specifications (both required and addressable); outlines decisions a covered entity must make regarding addressable implementation specifications; and requires maintenance of security measures to continue reasonable and appropriate protection of electronic protected health information.
• Administrative Safeguards: defined in the Security Rule as the “administrative actions and policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.”
• Physical Safeguards: defined as the “physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
• Technical Safeguards: defined as the “technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
When talking about risk, it is important that terminology be defined and clearly understood. This section defines important terms associated with risk assessment and management.
• Risk is the potential impact that a threat can have on the confidentiality, integrity, and availability of EPHI by exploiting a vulnerability.
• Threats are anything that can have a negative impact on EPHI. Threats are:
  o Intentional (e.g., malicious intent); or
  o Unintentional (e.g., misconfigured server, data entry error).
• Threat sources are:
  o Natural (e.g., floods, earthquakes, storms, tornados);
  o Human (e.g., intentional such as identity thieves, hackers, spyware authors; unintentional such as data entry error, accidental deletions); or
  o Environmental (e.g., power surges and spikes, hazmat contamination, environmental pollution).
• Vulnerabilities are a flaw or weakness in a system security procedure, design, implementation, or control that could be intentionally or unintentionally exercised by a threat.
• Impact is a negative quantitative and/or qualitative assessment of a vulnerability being exercised on the confidentiality, integrity, and availability of EPHI.
It can be easy to confuse vulnerabilities and threats. An organization may be vulnerable to damage from power spikes. The threats that could exploit this vulnerability may be overloaded circuits, faulty building wiring, dirty street power, or too much load on the local grid. It is important to separate these two terms in order to assist in proper security control selection. In this example, security controls could range from installing UPS systems, additional fuse boxes, or standby generators, to rewiring the office. These additional security controls may help to mitigate the vulnerability but not necessarily for each threat.
Hope this information will be sufficient. Please let me know if you need anything further in detail.
Thanks and Regards,
Hareen Kumar