HIPAA/HITECH with regard to Information Systems.
The information provided below covers only some of the main Information Systems requirements; for more information, please visit HHS.gov.
Compliance. The HIPAA/HITECH Security Rule establishes a set of national standards for the confidentiality, integrity and availability of e-PHI. The Department of Health and Human Services (HHS), Office for Civil Rights (OCR), is responsible for administering and enforcing these standards, in concert with its enforcement of the Privacy Rule, and may conduct complaint investigations and compliance reviews. The Security Rule applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).
•The Health Insurance Portability and Accountability Act (HIPAA) mandates that organizations conduct an assessment of potential risks and vulnerabilities to systems that maintain electronic protected health information (ePHI), and implement security measures sufficient to reduce those risks and vulnerabilities. The Security Rule focuses on administrative, technical and physical safeguards specifically as they relate to ePHI. Two key principles in the security management process are Risk Analysis and Risk Management:
•Risk Analysis: §164.308(a)(1)(ii)(A), R (required implementation specification) - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) held by the covered entity.
•Risk Management: §164.308(a)(1)(ii)(B), R (required implementation specification) - Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
•Also, as stated in the DRAFT HIPAA Security Standards: Guidance on Risk Analysis, dated May 7, 2010:
•Organizations must identify and document reasonably anticipated threats to e-PHI. (See 45 C.F.R. §§164.306(a)(2) and 164.316(b)(1)(ii).) Organizations may identify different threats that are unique to the circumstances of their environment. Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI. (See 45 C.F.R. §§164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.