Compliance with HIPAA requires organizations to implement safeguards and security standards when electronically storing and transmitting personal health information. HIPAA mandates standardized formats for all patient health, administrative and financial data. HIPAA also requires a unique identifier (essentially an ID number) for each healthcare entity, including individuals, employers, health plans and healthcare providers.
As the legislation was drafted, two additional rules were added to protect the privacy and safety of individuals’ personal health information (PHI). These are called the Privacy Rule and the Security Rule. The Privacy Rule is the first comprehensive federal protection for the privacy of PHI, according to the National Institutes of Health (NIH). More information on the Privacy Rule can be found at PrivacyRuleandResearch.NIH.gov. The Centers for Disease Control and Prevention also offers guidance on the Privacy Rule and public health.

The Security Rule describes best practices organizations must adopt to protect the confidentiality, integrity and availability of electronic protected health information (ePHI). The Security Rule contains three types of standards: administrative, physical and technical. These standards are wide-ranging and require the involvement of a broad mix of people, processes and technology for full compliance.
HIPAA specifically requires that public companies or those that handle personal health information monitor or retain audit trails. To meet this requirement, event log management software (ELMS) is used to monitor change management and prepare for compliance audits at enterprises. ELMS is a key tool for IT administrators who must demonstrate to executives that an organization is prepared for a compliance audit.
Although wireless devices are not detailed in HIPAA’s Security Rule, they must be considered as part of the entire system for electronically storing and transmitting data.
Many IT departments find value in a third-party assessment of HIPAA compliance. The URAC (formerly the Utilization Review Accreditation Commission), the largest accrediting body for healthcare, will certify that a healthcare organization’s operations are in compliance with HIPAA standards. The URAC provides an IT department with documentation and evidence of due diligence that support an organization’s overall risk management efforts.