The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of HHS to develop regulations protecting the privacy and security of certain health information. HHS developed what we commonly call the HIPAA Security Rule and the HIPAA Privacy Rule. Any “covered entity” is required to have a formal Privacy Policy and, if it is involved in the transfer or storage of electronic patient health information, a Security Policy must also be in place. As a core part of the Security Policy, a Risk Assessment must be performed, and it is typically documented in the form of a Risk Mitigation Policy.

If you have ever sat down to read the actual Privacy and Security sections of the rule, you probably found out very quickly that just deciphering the text and finding the right resources that explain how to get started is a difficult task of its own. This article is not designed to walk you through the creation process of a Security Policy, or even a Privacy Policy; it is geared towards organizing very helpful resources that will assist in the creation and development of these required compliance documents. It is entirely possible to develop these documents on your own without the help of outside consulting firms, but that depends on how much time you are able to dedicate to the project and on the resources available around you to support the process.

If you have not already visited the HHS website, you may want to start here, which begins with an overview of understanding health information privacy. This is a great place to start, particularly with the summaries of the HIPAA Privacy Rule and HIPAA Security Rule. A copy of the full combined text of the HIPAA Administrative Simplification Regulations, including the Privacy and Security Rules, can be found here.

One of the most difficult components of HIPAA is bringing your healthcare organization up to standard with the Security Rule, especially if you have recently implemented a lot of new technology, such as an EHR, new PCs, tablets and other devices, lab systems (LIMS), interfaces, backup and storage, and so on. All of these types of technology serve as mediums for the transport of electronic patient health information, or as HIPAA refers to it, Electronic Protected Health Information (EPHI). The Security Rule requires that you take into account every device, server, storage medium, interface or connection that uses, creates or transmits EPHI, and document a formal policy around how that data will remain protected and secure, even in the event of a disaster or outage. The Security Rule is broken into 3 main parts: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Each part focuses on a different area of protecting and securing EPHI, based on different rule requirements. Luckily, there are also some great resources written by HHS that give you a very good understanding of the Security Rule requirements. They are called the HIPAA Security Series, 7 documents that break the rule apart in an easy to read and follow manner. Under the section titled “Security Rule Educational Paper Series” you will see the links to the 7 security series documents. It is highly recommended that you read each of these documents closely. They will play a very big role in walking you through the creation and implementation of security standards. Security Series 6 gives you a detailed understanding of the risk analysis and risk management process.

If you scroll a little further down on that same page, under the title “(NIST) Special Publications,” you will find 8 more documents that were developed by the National Institute of Standards and Technology. Each of these documents is specific to the security and compliance of a different technology. Just read the titles of each to see which may apply to your organization, based on your technical environment. These documents are especially geared towards IT professionals and technical managers. If you do have an IT person or department, this is the area they may want to spend some time getting familiar with.

As for other resources, there are websites that provide HIPAA training materials and courses, such as HIPAA Survival Guide, and the AMA has a section on its website dedicated to HIPAA, along with many materials for sale in the AMA Store. CMS also has information and materials on its website. There are many different resources out there regarding HIPAA, and it can get overwhelming just trying to get started, but the resources in this article should provide a good foundation and starting place for you moving forward.