Subject: Health Information Management Law & Ethics Title: Health Information Security Threats Choose one of the types of security threats to health information you have reviewed in your work in

Section 8-Lesson Content & Rubric

HIPAA Security Rule

To take part in the functions of healthcare organizations that relate to the Health Insurance Portability and Accountability Act (HIPAA), HIM professionals must understand the HIPAA Security Rule, in addition to their usually more in-depth involvement with the HIPAA Privacy Rule. The final Security Rule was published in the Federal Register on February 20, 2003. Covered entities (CEs) were expected to be in compliance with the rule by April 20, 2005, while the compliance date for small health plans was April 20, 2006. A CE is any entity (organization, facility, agency, etc.) that transmits or stores electronic protected health information (ePHI). The standards of the HIPAA Security Rule cover administrative, physical, and technical safeguards. Following from these standards, one needs to understand how organizations can meet the standards' requirements and expectations for policies, procedures, and documentation. Components of an organizational plan for compliance with the Security Rule include the security mechanisms that can be employed to facilitate compliance with the rule, such as data and system security mechanisms, as well as means to assess internal and external security threats, protect against those threats, and plan for disasters.

Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of computers to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions. For example, in order to provide more efficient access to critical health information, some covered entities are using web-based applications and other "portals" that give physicians, nurses, medical staff as well as administrative employees more access to electronic health information. Providers are also using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies creates an increase in potential security risks.

As the country moves towards its goal of a National Health Information Infrastructure (NHII) and greater use of electronic health records, protecting the confidentiality, integrity, and availability of ePHI becomes even more critical. The security standards in HIPAA were developed for two primary purposes. First and foremost, the implementation of appropriate security safeguards protects certain electronic health care information that may be at risk. Second, protecting an individual's health information, while permitting the appropriate access and use of that information, ultimately promotes the use of electronic health information in the industry - an important goal of HIPAA.


Additional Resources

"Managing the Integrity of Patient Identity in Health Information Exchange"

Personal Health Record (PHR) Model Privacy Notice

U.S. Department of Health & Human Services on case examples and resolutions of issues of compliance with the HIPAA Privacy and Security Rules

The following PowerPoint presentations will guide your note taking as you explore the key concepts related to the HIPAA Security Rule.

Fundamentals of Laws for HI and IM, Chapter 10


Module 08

Scoring Rubric: Module 08 Written Assignment - Health Information Security Threats

Criteria                                                                                              Points
Criteria 1  Selected a security threat and found an example of a breach related to that threat         15
Criteria 2  Summary of the type of threat included                                                     15
Criteria 3  Description of the security breach                                                         15
Criteria 4  Recommendation for a Security Plan that would have prevented, detected and mitigated       20
            the breach
Criteria 5  Paper is a minimum of 3 pages in APA format with sources cited                             5
Total                                                                                                  70