Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
The HIPAA Privacy Rule requires covered entities to implement appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI).
All organizations that handle PHI should prepare by performing a risk analysis to identify the risks to PHI within their organization. In many situations an organization may start with a HIPAA gap analysis, which lets it plan how to address any vulnerabilities it finds. The Security Rule provides guidance on this process, and all interested Privacy Officers should address it.
To comply with the HIPAA Security Rule, all covered entities must do the following:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information
- Detect and safeguard against anticipated threats to the security of the information
- Protect against anticipated impermissible uses or disclosures
- Certify compliance by their workforce
The Privacy Rule’s safeguards standard assures the privacy of PHI by requiring covered entities to reasonably safeguard PHI from any intentional or unintentional use or disclosure in violation of the Privacy Rule. The safeguards requirement establishes protections for PHI in all forms: paper, electronic, and oral. Safeguards include such actions and practices as securing locations and equipment; implementing technical solutions to mitigate risks; and workforce training.