The administrative area details the policies and procedures for complying with HIPAA. This includes implementing a set of privacy procedures and appointing a privacy officer responsible for them. These procedures include identifying who has access to private health information based on job function. This area also states that a training program must be established regarding private health information. These policies must also address the hiring of new people, changes in position that require escalated access, and termination. Another major policy concerns dealing with third-party contractors and ensuring they comply with the same standards. This area also covers having a disaster recovery plan, including data priority, failure analysis, testing activities, and change control procedures. Furthermore, the administrative area deals with audit controls to identify potential security violations and with the action plan for responding to security breaches.
The technical area details implementing access control to computer systems and ensuring that transmitted data is protected and secure from interception. If you are on a closed network, encryption is not required, but if you are on an open network, encryption must be used. Methods must also be used to ensure data integrity, including checksums, digital signatures, etc. Communications with outside systems must be authenticated using methods such as three-way handshakes. Documentation is also a major component of the technical requirements, since systems are dynamic and complex. This documentation must also be available to the government to ensure proper compliance.
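As an added illustration of the integrity requirement above (example code, not part of the original text), the following Python contrasts an unkeyed checksum with a keyed HMAC tag on a transmitted record: the checksum catches accidental corruption, but a party who can modify the message can recompute it, whereas a keyed tag cannot be regenerated without the key. HMAC is used here as a stand-in for the digital-signature mechanism the text mentions, and the record, key and function names are constructed for the example.

```python
import hashlib
import hmac
import json
import zlib

# Constructed sample record and key for the demonstration only (not real PHI).
RECORD = {"patient_id": "EXAMPLE-0001", "diagnosis": "J06.9", "dose_mg": 250}
SHARED_KEY = b"constructed-demo-key-replace-with-managed-secret"

def encode(record):
    # Canonical JSON so sender and receiver compute over identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def checksum_frame(record):
    # Unkeyed checksum: catches accidental corruption on the wire.
    body = encode(record)
    return {"body": body, "crc32": zlib.crc32(body)}

def checksum_ok(frame):
    return zlib.crc32(frame["body"]) == frame["crc32"]

def mac_frame(record, key):
    # Keyed tag: only a holder of the key can produce a valid tag.
    body = encode(record)
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def mac_ok(frame, key):
    expected = hmac.new(key, frame["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, frame["tag"])

def corrupt_in_transit(frame):
    # Single bit flip, the kind of accidental damage a checksum is meant to catch.
    body = bytearray(frame["body"])
    body[0] ^= 0x01
    return {**frame, "body": bytes(body)}

def alter_in_transit(frame, new_dose):
    # Deliberate change by someone who can write to the channel. The checksum
    # formula is public, so the altered frame still checks out; the keyed tag
    # cannot be regenerated without the key, so mac_ok() rejects the frame.
    record = json.loads(frame["body"])
    record["dose_mg"] = new_dose
    body = encode(record)
    altered = {**frame, "body": body}
    if "crc32" in altered:
        altered["crc32"] = zlib.crc32(body)
    return altered
```

The same split applies to the encryption requirement: confidentiality on an open network needs an encrypted channel, and the integrity tag must be keyed (or signed) to be meaningful against anything other than accidental corruption.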
The physical area details how to protect data from unauthorized physical access. This includes appointing someone in charge of security who can report to management. Access to servers, workstations, and other equipment containing health information must be restricted to authorized personnel only. There must also be specifications detailing the process for adding, removing, and discarding both hardware and software. This includes proper physical disposal. Access controls must also be in place for visitors including escorts and proper records. Any interaction with third parties must also comply with these regulations.
Implementing these procedures can be a daunting task. Fortunately, there are several vendors that can help you implement these security policies and procedures through consulting or software systems.