May 16, 2013
If you have not already visited the HHS website, you may want to start here, which begins with an overview of understanding health information privacy. This is a great place to start, particularly for the summaries of the HIPAA Privacy Rule and HIPAA Security Rule. The full combined text of the HIPAA Administrative Simplification Regulations, including the Privacy and Security Rules, can be found here.
One of the most difficult components of HIPAA is bringing your healthcare organization up to standard with the Security Rule, especially if you have recently implemented a lot of new technology, such as an EHR, new PCs/tablets/other devices, lab systems (LIMS), interfaces, backup and storage, etc. All of these types of technology serve as mediums for transporting electronic patient health information, or as HIPAA refers to it, Electronic Protected Health Information (EPHI). The Security Rule requires that you take into account every device, server, storage medium, interface or connection that uses, creates or transmits EPHI, and document a formal policy around how that data will remain protected and secure, even in the event of a disaster or outage. The Security Rule is broken into 3 main parts: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Each part focuses on a different area of protecting and securing EPHI, based on different rule requirements. Luckily, HHS has also written some great resources that give you a very good understanding of the Security Rule requirements. They are called the HIPAA Security Series: 7 documents that break the rule apart in an easy-to-read and easy-to-follow manner. Under the section titled “Security Rule Educational Paper Series” you will see the links to the 7 Security Series documents. It is highly recommended that you read each of these documents closely; they will play a very big role in walking you through the creation and implementation of security standards. Security Series 6 gives you a detailed understanding of the risk analysis and risk management process.
If you scroll a little further down on that same page, under the title “(NIST) Special Publications”, you will find 8 more documents developed by the National Institute of Standards and Technology. Each of these documents covers the security and compliance of a particular technology. Just read the titles of each to see which may apply to your organization, based upon your technical environment. These documents are especially geared towards IT professionals and technical managers. If you do have an IT person or department, this is the area they may want to spend some time getting familiar with.
As for other resources, there are websites that provide HIPAA training materials and courses, such as HIPAA Survival Guide, and the AMA has a section on its website dedicated to HIPAA, along with many materials for sale in the AMA Store. CMS also has information and materials on its website. There are many different resources out there regarding HIPAA, and it can get overwhelming just trying to get started, but the resources in this article should provide a good foundation and starting place for you moving forward.