Security Rule Basics
Who must adhere to the Security Rule?
The Security Rule applies to health plans, health care clearinghouses, and any health care provider that transmits health information in electronic form in connection with a transaction for which HHS has adopted standards under HIPAA (collectively, covered entities).
Business associates must also comply with the Security Rule.
What are the basic obligations under the Security Rule?
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
Specifically, covered entities must:
Risk Analysis and Management
The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.
A risk analysis process includes, but is not limited to, the following activities:
Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.
Administrative Safeguards
Physical Safeguards
Technical Safeguards
Organizational Requirements
Policies and Procedures and Documentation Requirements
Required and Addressable Implementation Specifications
The Security Rule is broken down into five sections: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements. Each of these sections contains multiple “standards” that the covered entity must follow. Many of these standards have more detailed implementation specifications, each of which is either “Required” or “Addressable”.
A “required” implementation specification must be implemented by the covered entity.
An “addressable” implementation specification is more flexible, but it is not optional. A covered entity must perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the covered entity’s environment. In general, after performing the assessment, a covered entity decides if it will:
Covered entities must document the assessment and decision made regarding each specification.
If a given addressable implementation specification is determined to be reasonable and appropriate, the covered entity must consider options for implementing it. The decision regarding which security measures to implement to address the standards and implementation specifications will depend on a variety of factors, including:
References
45 CFR §164.306
U.S. Department of Health and Human Services, HIPAA Security Series, Security 101 for Covered Entities
NIST SP 800-66
Therapy Comply LLC Copyright 2023