Question

HIPAA security provisions: Name and describe 3 Administrative safeguards?

Answer #1

HIPAA

Introduction

HIPAA (Health Insurance Portability and Accountability Act) was passed in the year 1996. It is a federal law, which was established to protect medical records and health information. HIPAA covers all the entities covered by them and their associates.

The patient health information should be accessible to authorized users but not to those who are not authorized to access the information. Three main types of safeguards are implemented:

  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards

Administrative Safeguards

This involves the administrative actions, policies, and rules for the selection and for the implementation of security measures that are also maintained to safeguard the patient's health information. All of the safeguards require an authorized entity to ensure that their rules and policies are in place for the protection of patient health information.

Major areas of the administrative rule:

  • Security management process
  • Assigned security responsibility
  • Workforce security
  • Information access management
  • Security awareness and training
  • Security incident procedures
  • Contingency plan
  • Evaluation
  1. Security Management process

This involves the entities implementing procedures and policies to detect, identify and also to correct any breach of security. In this process, the administrative members implement strategies and plans to ensure that the information is protected. This is achieved by using the following measures:

  1. Risk analysis
  2. Risk management
  3. Sanction policy
  4. Information system activity review

Risk analysis:

The entities are responsible for identifying the risk of a breach. A thorough and complete assessment is conducted to identify and find all the potential risk factors that may cause a breach of patient health information. They need to identify:

  • The potential risk factors
  • The probability of that factor to cause violation in patient information

Risk management

In this process, the entities plan and implement all the actions and measures to prevent, correct or reduce the risk that was detected during the risk analysis process to an appropriate level.

Sanction policy

This involves that the entities should sanction the policies for actions against the working members who fail to comply with the security rules and policies.

Information system activity review

The administrative members need to implement plans and procedures to review patient health information regularly. This will help to identify any possible threat, violation of the information system and will help in planning the appropriate measures to correct them.

  2. Assigned security responsibility

This involves that the entities should designate personnel as a security official who is basically responsible for the development and implementation of policies. HIPAA states that it is important to have a security official and a privacy official who is responsible for implementing the plans.

The entities should keep the following points in mind when assigning the roles:

  • The security official and privacy official can be the same person, but it is not mandatory
  • One of the officials should look after the entire responsibility and the other official should have specific areas allocated to him.
  3. Workforce security

This standard implies that all the personnel covered under the entity should have the access to the patient health information, but proper care should also be taken that those outside the entity cannot have any access to the patient information. This is mostly achieved by having:

  • Supervision/ authorization
  • Workforce clearance procedures
  • Termination procedures

Supervision/ authorization

This standard states to have supervision on all the members of the entity who access the patient information electronically or through some other locations. It also requires to authorize only some selected personnel to have access to reading and running some specific files.

Workforce clearance procedures

The clearance procedures must establish procedures to identify that the workforce members are having access to the information as per their job demands. The covered entities may choose whether they want to implement this screening along with authorization and supervision or separately.

Termination procedures

Procedures should be implemented to terminate the privileges from the employees, members, contractors who are no longer entitled from making an access into the information system.
