Administrative Safeguards are defined in section § 164.304

- Safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.

- Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person

What does this mean for you?

There should be detailed Administrative Safeguards built into your HIPAA policies and procedures.

Back to Top

The definition for a "Business Associate" is assigned under title 45 section 160.103

- On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and re-pricing; or

- Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person

What does this mean for Business Associates?

If you are doing business with a Covered Entity you need to have a signed Business Associate Agreement as well as HIPAA Compliant, Policies & Procedures of your own.

Back to Top

A Covered Entity is one of the following

• Doctors
• Clinics
• Psychologists
• Dentists
• Chiropractors
• Nursing Homes
• Pharmacies
• Health Insurance Companies
• HMOs
• Company Health Plans
• Government programs that pay for health care, such as, Medicare, Medicaid, and the military and veterans health care programs
• A Health Care Clearing House
  • This includes entities that process nonstandard health information they receive from another entity into a standare(i.e., standard electronic format or data content), or vice versa.

What does this mean?

If you fall under any of the above categories, and:

If you furnish health care services to individuals, including the subjects of research, and transmit any health information in electronic form in connection with a transaction covered by the Transactions Rule you will be considered a Covered Entity.

Back to Top

ePHI & PHI Definition except as provided in paragraph (2) of this definition, that is:(Protected Health Information)

Transmitted by electronic media, Maintained in electronic media, Transmitted or maintained in any other form or medium

Any patient information classified as an identifier under Health and Human Resource's De-identification Standard in combination with the patient's treatment will be classified as PHI. ePHI any electronic form of PHI

What does this mean for you?

Any information that includes any patient identifier and treatment together will be considered Protected Health Information, and protected under HIPAA, and all other applicable laws.

Back to Top

ePHI & PHI Integrity

The property that data or information have not been altered or destroyed in an unauthorized manner.

What does this mean for you?

You must put in place Technical and Physical logging measures to track the usage of ePHI/PHI in order to prevent misuse of Protected Health Information.

Back to Top

File Encryption should be a minimum of FIPS 140-2 in order to maintain HIPAA Compliance. FIPS 140-3 may be available at a later date: defined under NIST requirements

- The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

What does this mean for you?

This means that when implementing encryption you must meet NIST's requirements before it is considered HIPAA Compliant. (AES-256, FIPS 140-2)

Back to Top

The Health Insurance Portability and Accountability Act

- Enacted in 1996 HIPAA is a set of National Standards for the treatment of Health Information, or Protected Health Information (PHI). Anyone Maintaining, Transporting, or exposed to PHI are held to the same standards of security.

What does this mean for you?

Stringent regulations have been placed on the handling of Protected Health Information.

Back to Top

A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual per (§164.514(e)(2)):

• Names,
• Postal address information, other than town or city, State, and zip code;
• Telephone numbers;
• Fax numbers;
• Electronic mail addresses;
• Social security numbers;
• Medical record numbers;
• Health plan beneficiary numbers;
• Account numbers;
• Certificate/license numbers;
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• Internet Protocol (IP) address numbers;
• Biometric identifiers, including finger and voice prints; and
• Full face photographic images and any comparable images.

What does this mean for you?

Before disclosing any Protected Health Information you must first go through the process of de-identification per section §164.514(e)(2)

Back to Top

Health Information Technology for Economic and Clinical Health Act (2009)

- Enacted in 2009 the HITECH Act is a part of the American Recovery & Reinvestment Act of 2009 (ARRA) and does the following: Affects the time requirements in the breach notification § 164.400-414, higher civil penalties, Heightened Enforcement, and Audits. Business Associates must enact Administrative, Physical, and Technical Safeguards.

What does this mean for you?

If you are a Business Associate to a Covered Entity you will essentially be held to the same standards as a health care practitioner. You need to implement Admin, Technical, and Physical safeguards to show that you have taken "Reasonable and Appropriate" measures to protect ePHI/PHI (Protected Health Information).

Back to Top

Physical Safeguards are defined in section § 164.304

- Physical Safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and evironmental hazards, and unauthorized intrusion.

What does this mean for you?

If you are a Covered Entity, or Business Associate you must make "reasonable and appropriate" efforts to Physically protect from the misuse of ePHI/PHI to maintain HIPAA Compliance.

Back to Top

Technical Safeguards are defined within section § 164.304

- The technology and the policy and procedures for its use that protect electronic protected health information and control access to it.

What does this mean for you?

If you are a Covered Entity, or Business Associate you must make "reasonable and appropriate" efforts to protect from the misuse of ePHI to maintain HIPAA Compliance. These safeguards would be: Firewall, Business Class Server, Intrusion Prevension, etc...

Back to Top