In this lesson, we're going to cover the HIPAA Privacy Rule and the Security Rule. We'll dig into the three safeguards – administrative, physical, and technical – and include rules and examples for each.
The HIPAA Privacy Rule establishes standards for protecting patients' medical records and other protected health information (PHI). It specifies two important things:
The privacy and security rules allow healthcare providers to share PHI electronically for treatment purposes as long as they apply reasonable safeguards when doing so.
A couple of examples of this would be when a physician consults with another physician by secured email regarding a patient's condition, or when a healthcare provider exchanges PHI through electronic medical records for patient care.
Covered entities need to engage in safeguards to protect this information. These safeguards include:
Pro Tip #1: All covered entities need to perform risk analyses to determine what measures need to be taken to reduce risks and vulnerabilities to an appropriate level.
Administrative safeguards include office rules and procedures that help keep protected health data secure. To accomplish this, covered entities should designate security officials who are responsible for the following:
An example of an administrative safeguard would be allowing only office managers to send protected health information in electronic form.
Physical safeguards under the HIPAA Security Rule include the following:
An example of a physical safeguard would be keeping all patient files in a locked room that only specified and authorized personnel have access to.
Technical safeguards under the HIPAA Security Rule include the following:
A couple of examples of technical safeguards would be using data encryption and also strong passwords to better protect files from unauthorized access.
Pro Tip #2: HIPAA's Privacy Rule gives much-needed flexibility to healthcare providers and plans to create their own privacy policies that are tailored to fit their size and needs. However, no matter the size of the covered entity, whether that entity is a small optometrist office or a large hospital with thousands of employees, each covered entity is required to have a written privacy policy.
In general, all covered entities must do everything they can to secure all patient records that contain personally identifiable information so that information isn't readily available to those people who do not need it. You may recall the list of those 18 PHI identifiers that we provided in the last lesson.
Also, covered entities must always release only as much protected health information as is necessary to address the specific needs of the entity that is requesting the information, which the HIPAA regulation refers to as the "minimum necessary" standard: the minimum amount necessary to satisfy the inquiry.
You might also recall from the last lesson that, when it comes to transmitting or sharing protected health information, less is always more.