The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data in the United States. Organizations that handle protected health information (PHI) must put administrative, physical, and technical safeguards in place and follow them to remain HIPAA compliant. Covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically) and business associates (any person or organization that creates, receives, maintains, or transmits PHI on a covered entity's behalf) must comply. Subcontractors of business associates that handle PHI are themselves treated as business associates and must also comply.
PHYSICAL AND TECHNICAL SAFEGUARDS, POLICIES, AND HIPAA COMPLIANCE
The U.S. Department of Health and Human Services (HHS), through the HIPAA Security Rule, requires physical and technical safeguards for organizations that store, process, or transmit electronic PHI (ePHI).
These physical safeguards include…
- Facility access controls that limit physical access to systems holding ePHI to authorized individuals, with procedures for granting and revoking that access
- Workstation use and workstation security policies governing how, where, and by whom workstations and electronic media holding ePHI may be used
- Device and media controls covering the transfer, removal, disposal, and re-use of electronic media, including secure destruction of the ePHI stored on media before it is discarded or re-used
Along the same lines, the technical safeguards of the Security Rule require access controls that allow only authorized persons and software programs to access ePHI.
Access control and the closely related audit controls include…
- Unique user IDs (no shared or generic accounts) and emergency access procedures, both of which are required implementation specifications; automatic log-off after a period of inactivity and encryption and decryption of ePHI, both of which are addressable, meaning the organization must implement them or document why an equivalent alternative is reasonable and appropriate
- Audit controls: hardware, software, and procedural mechanisms that record and allow examination of activity in systems that contain or use ePHI, including failed and emergency access attempts, not just successful ones.
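As an added example that is not part of the original article, the following Python sketch shows how the access-control and audit points above map onto code: one session per named user (no shared logins), an idle timeout that forces automatic log-off, a break-glass path for emergency access that a clinician can always invoke but that is always flagged for review, and an audit-log entry for every attempt, denied or not. The patient record, user names, 15-minute timeout, and care-team assignment are constructed assumptions for the demonstration; credential verification and encryption of the stored records are deliberately out of scope here and belong to the identity provider and a vetted cryptographic library.

```python
import time
from dataclasses import dataclass

# Assumed policy value for this example; the real figure comes from the
# organization's risk analysis, not from the HIPAA text itself.
IDLE_TIMEOUT_SECONDS = 15 * 60


class AccessDenied(Exception):
    """Raised when a request fails an access-control check."""


@dataclass
class Session:
    user_id: str        # one ID per person; shared or generic logins are not allowed
    role: str
    last_activity: float


class EPHIStore:
    """Minimal ePHI record store that wraps every read with the safeguards above.

    `clock` is injectable so the idle timeout can be exercised without waiting.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: dict[str, Session] = {}
        # Constructed sample data: one patient record, and the care team that
        # has a treatment relationship with that patient.
        self._records = {"P-1001": {"name": "Sample Patient", "dx": "E11.9"}}
        self._care_team = {"P-1001": {"dr.lee"}}
        self.audit_log: list[dict] = []

    def _audit(self, user_id, action, patient_id=None, outcome="success", **extra):
        # Every attempt is recorded, including denials and forced log-offs.
        entry = {"ts": self._clock(), "user": user_id, "action": action,
                 "patient": patient_id, "outcome": outcome, **extra}
        self.audit_log.append(entry)
        return entry

    def login(self, user_id, role, token):
        # Credential/MFA verification is assumed to have happened upstream.
        self._sessions[token] = Session(user_id, role, self._clock())
        self._audit(user_id, "login")

    def _session(self, token):
        s = self._sessions.get(token)
        if s is None:
            raise AccessDenied("no active session")
        now = self._clock()
        if now - s.last_activity > IDLE_TIMEOUT_SECONDS:
            # Automatic log-off: the idle session is destroyed and the event logged.
            del self._sessions[token]
            self._audit(s.user_id, "auto_logoff", outcome="session_expired")
            raise AccessDenied("session expired; log in again")
        s.last_activity = now
        return s

    def read_record(self, token, patient_id):
        s = self._session(token)
        if s.user_id not in self._care_team.get(patient_id, set()):
            self._audit(s.user_id, "read", patient_id, outcome="denied")
            raise AccessDenied("no treatment relationship with this patient")
        self._audit(s.user_id, "read", patient_id)
        return self._records[patient_id]

    def emergency_read(self, token, patient_id, justification):
        # Break-glass: bypasses the care-team check but never the audit trail,
        # and the entry is flagged so a privacy officer reviews it afterwards.
        s = self._session(token)
        if s.role != "clinician" or not justification.strip():
            self._audit(s.user_id, "emergency_read", patient_id, outcome="denied")
            raise AccessDenied("break-glass requires a clinician role and a justification")
        self._audit(s.user_id, "emergency_read", patient_id,
                    justification=justification, review_required=True)
        return self._records[patient_id]


class FakeClock:
    """Controllable clock so the demo can jump past the idle timeout."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock(1_700_000_000.0)
    store = EPHIStore(clock)
    store.login("dr.lee", "clinician", token="tok-lee")
    store.login("nurse.kim", "clinician", token="tok-kim")
    results = {}
    results["assigned_read"] = store.read_record("tok-lee", "P-1001")["dx"]
    try:
        store.read_record("tok-kim", "P-1001")          # not on the care team
        results["unassigned_read"] = "allowed"
    except AccessDenied:
        results["unassigned_read"] = "denied"
    results["break_glass"] = store.emergency_read(
        "tok-kim", "P-1001", "ED handoff, attending unavailable")["dx"]
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)             # dr.lee has been idle too long
    try:
        store.read_record("tok-lee", "P-1001")
        results["after_idle"] = "allowed"
    except AccessDenied:
        results["after_idle"] = "auto_logoff"
    return store, results


if __name__ == "__main__":
    store, results = demo()
    print(results)
    for entry in store.audit_log:
        print(entry)
```

The point to notice is that the denied read, the break-glass read, and the forced log-off all appear in `audit_log` alongside the successful read; an audit trail that only records successes cannot answer the questions an incident investigation asks.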