Security is the other big-ticket item on your HIPAA bill of goods. This rule works in conjunction with privacy, in that it covers similar information that exists in an electronic environment. Here’s the breakdown: privacy covers PHI in all its forms, whereas security covers only information that exists in electronic form. Technically, the information covered by the security rule is known as Electronic Protected Health Information (EPHI).
Think of the security rule as a tiered set of requirements. The first tier includes three security categories with which your practice is required to comply: administrative, physical, and technical. Within those categories are specific security standards, some required and some suggested.
Administrative safeguards cover how you create, manage, and disseminate information about your privacy procedures to employees, patients, and any governing agencies you answer to. To meet these standards, you have to create official written documents detailing your procedures, designate a privacy officer to manage privacy issues, and prove that your practice has management oversight for your policy structure, to name just a few.
Your policies must address certain key issues, such as
Who within your practice will have access to EPHI
How and why access is granted, modified, or terminated
What sort of HIPAA initial and ongoing training is provided for employees
How your practice will prove compliance on the part of third-party ...