Chris Reddick (President and CEO at Clarity Ventures) and Ron Halversen (Vice-President of Sales and Marketing at Clarity) discuss the HIPAA Security Rule and what it entails.

Part 5 of a 13-part series (Return to Part 4)

RON: Now that we're under the HIPAA Security Rule, I'm going to go ahead and turn it over to you to dive into the rule and give us the ins and outs. 
 
CHRIS: Awesome. Thanks, Ron. For those of you who are watching and listening, one of the most important things about the Security Rule is there is a lot of detail here. There are a lot of nuances to it, but fundamentally it has variability based on your specific business. The general summary with the Security Rule is that you want to meet or exceed industry best practices for security, and that is a very general thing. We're going to decompose that, break that down, and talk about what that looks like.


CHRIS: One of the most helpful things in general is, if you're looking at the Security Rule page on the HHS.gov website, you'll see there are risk assessment tools that are complimentary. They're free, they're built into the site. There are links here for the HHS Security Risk Assessment Tool, the NIST HIPAA security rule toolkit, and other guidelines on risk analysis. We highly recommend that you take a look at those and at least understand those.


CHRIS: One of the things that we tend to recommend as a sort of an enhancement to these types of tools that are free from the government, is it's great to look at these. There are vendors who have created an entire eCommerce business around helping you conduct the compliance on a regular schedule based on your business and based on your part of the medical industry. Specifically, they will also include, in many cases, compliance coverage. This can be a really nice aspect, a key aspect to help you rest well at night.

One of those partners is Accountable HQ. We work with them a lot, and they have a great offering for this. We’ll leave a link in the description area and you're welcome to get in touch with them directly. We’d certainly appreciate it if you let them know that Clarity sent you, but they do a great job with overall HIPAA compliance and the HIPAA compliance auditing and risk assessment process. This can be really tedious and detailed, and it can be pretty challenging to keep organized and stay on top of the consistent basis of completing these audits and going through the steps of meeting or exceeding the industry best practices for security and making sure that you're logging and keeping good records, showing that you're completing these steps and you are in compliance.


CHRIS: So those are some things we want to point out in general. And then as far as the Security Rule, if you would, Ron, let's go into the summary of the HIPAA Security Rule and we'll dive into that next. 
 
RON: And I wanted to make one quick comment. You talk about the Accountable HQ, and if I remember, you just posted about three weeks ago a full, deep-dive video into the Accountable HQ tool. I'm going to go back and look for that, and if I do, I'll try to put a link for that as well in the description for everyone here.
 
CHRIS: Awesome, thank you. So with that, the summary of the HIPAA Security Rule is generally covered in the first few paragraphs of the page. They talk about how it was established as a national set of security standards for protecting certain health information that is held or transferred in electronic form. And it operationalized the protections contained in the Privacy Rule by addressing technical and non-technical safeguards that organizations (covered entities) must put in place to secure individuals' ePHI, or electronic protected health information.

Within HHS, the OCR has the responsibility for enforcing HIPAA Privacy Rules and Security Rules with voluntary compliance activities and civil money penalties. These are essentially the teeth and the summary of how this mechanically works.  

A great summary of the Security Rule itself and what it does is a few more paragraphs below, where they say “a major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.” 


CHRIS: Now, this is really important, because what they're doing here is giving you a spectrum that you're going to be operating within. It goes on to say that, “given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ ePHI.” 
 
This is [both] a major weakness and a major strength of the Security Rule. And they're generally saying nothing and something all at once. This can be really challenging to understand. One of the best things to do is to look at some examples and see what exactly they are expecting.
 
Generally speaking, the goal here is to operationalize the Privacy Rules, so keep that in mind. That should be the heartbeat of why the Security Rule is there. And you'll probably want to think about the context of how this Security Rule came about. The overall HIPAA laws were published and established in 1996, so there wasn't a lot of Internet activity, there weren't a lot of massive security breaches. These things really started happening later; as the Internet matured, this became a pretty substantial concern.
 
Naturally, half-a-decade to a decade later, as sometimes legislation can go, there was finally a legislative consequence, and that was the Security Rule. Then the Security Rule for HIPAA was modified and there are guidelines posted, etc. So the point is that the Security Rule was intended to, as they state here, operationalize the Privacy Rule. And this means in technical and non-technical ways. Substantially, they're talking about ePHI, electronic situations.  

Continue to Part 6 to find out who should have access to HIPAA-covered data.