The second of the three HIPAA rules, the Security Rule, addresses the protection of health data held in electronic media and establishes standards for maintaining and protecting health information that is stored or transmitted electronically.
The Security Rule requires health plans, clinics, offices, etc. to take reasonable and appropriate administrative, technical, and physical measures to secure health data. Within these measures, they must consider and ensure:
- the confidentiality, integrity, and availability of all personal health information and medical records that are created, received, maintained, or transmitted;
- identification of, and protection against, security threats (to the extent they can be predicted) and threats to the integrity of the information;
- that the team works within the established security policies.
Under the rule, confidentiality means that personal health information and medical records are not made available or disclosed to unauthorized persons. Integrity means that medical records and health information must not be altered or destroyed without prior authorization. Availability, in turn, means that this information must be accessible whenever authorized persons require it.
The Security Rule must also support and take into account the guidelines of the Privacy Rule. You can read about that rule in more detail in our blog post "HIPAA Privacy Rules".
On the administrative side, the rule requires risk analysis as a routine part of all security processes. This risk analysis may include assessing the likelihood of a risk occurring, implementing measures that address the identified risks, documenting the security measures adopted and, when necessary, the reasons for adopting them, and, of course, continuously and reasonably maintaining the security protections.
Clinics and offices can designate a trusted person to be responsible for security: handling security issues, developing and implementing security policies, and controlling access to information as needed, following the "minimum necessary" concept presented in the Privacy Rule.
Clinics, offices, hospitals, health plans, and others that deal with information about people's health, medical records, and data protected by law should limit access to that information by third parties while ensuring that employees who need access can work with the data safely.
Physical security also includes procedures that specify the appropriate use of workstations and electronic media, such as computers at the reception desk, tablets, etc., as well as hardware, software, or other mechanisms that identify who is accessing the equipment and health information, or transmitting it.
Physical security can also cover protection against natural events and accidents: in the event of a fire, for example, personal health information must not be lost, so making backups should be part of the team's routine.
The software and programs used must provide some level of protection, such as encryption of data entered into or transmitted by the system. They must also control which users may access health information, through passwords or other forms of access restriction.
In general, the rule does not mandate a specific technology, since it recognizes that this field changes constantly, advances very quickly, and varies widely. Thus, health plans, clinics, offices, and even hospitals are free to choose the technology that best fits their daily work, as long as the minimum security requirements are met.
On these matters, Ninsaúde Apolo fully complies with the HIPAA rules; you can read more in the article "HIPAA and Ninsaúde Apolo".
Source - HHS - Security Rule