HIPAA PHI: Security and Compliance
The HIPAA laws surrounding Protected Health Information (PHI) require all health care Covered Entities (CEs) and their HIPAA Business Associates (BAs) to safeguard the security and privacy of PHI. The HIPAA laws also require CEs and BAs to implement required security measures to safeguard HIPAA PHI.
As a quick review, any individually identifiable health information created or received by a covered entity is Protected Health Information (PHI), regardless of the media form in which it is (or was) stored. PHI is protected under HIPAA whether the data is at rest or in transit, and it may be oral, on paper, or stored electronically.
The HIPAA Privacy Rule describes the permissible uses and disclosures of PHI. The HIPAA Security Rule establishes administrative, physical and technical safeguard standards to protect PHI from unauthorized uses and disclosures. The security requirements are flexible and scalable to account for the nature of each entity’s business, and its size and resources. The Privacy Rule covers all PHI; the Security Rule covers electronic PHI (ePHI). It is important that your healthcare business, as well as your Business Associates and their subcontractors, comply fully with all security requirements.
The objectives of the HIPAA rules are to protect patient privacy, in particular to make sure that all PHI is stored and transmitted securely, with a special emphasis on when this data is stored or transmitted electronically.
The three primary goals for HIPAA PHI security are to:
• Ensure confidentiality, integrity, and availability of all PHI that a CE or BA creates, receives, maintains, or transmits
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such PHI
• Protect against any reasonably anticipated losses or disclosures of PHI
For full help with HIPAA PHI security and compliance, purchase our HIPAA Security Assessment Toolkit™