HIPAA rules had to be expanded to cover new uses of technology.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established privacy and security rules to protect a patient's privacy. In 2001, the U.S. Department of Health and Human Services (HHS) recognized the need for additional rules governing the security of health care records that are stored and transmitted electronically. Effective April 21, 2003, the Security Standards for the Protection of Electronic Protected Health Information (the HIPAA Security Rule) formalized those rules.
Purpose
According to the HHS, the major goal is to protect patients' health information while still permitting new technologies that improve both the quality and efficiency of health care. The rules are deliberately flexible and scalable, so that an entity can size its controls to its own risk. To comply, each entity must maintain "safeguards to ensure the integrity and confidentiality... protect against any reasonably anticipated threats or hazards... and unauthorized use or disclosure of the information."
Threats
The areas the HHS identifies include access control, authentication, encryption and password strength, malicious software or viruses, physical safeguards, disasters, and data backup and security. Several of these are safeguards rather than threats in themselves: they exist to counter the underlying threats of unauthorized access, malware, loss of equipment and loss of data. The HHS states that reducing these threats keeps records available when they are needed and unaltered.
Security
Digital signatures are how secure computer systems provide nonrepudiation. A digital signature can be created only by the individual who holds the private signing key, so the signer cannot later deny having produced it; this protects both the entity accepting the signature and the individual who made it. The signed message normally includes the date and time, so the signature also binds when the record was signed. According to the InformIT website, nonrepudiation creates "a cryptographic representation of the signature based on a set of rules and parameters." HIPAA also requires "message integrity and user authentication" protection. The data is transferred from the sender to the recipient, and message integrity is the assurance that it arrives unaltered: any change to the signed content causes the signature check to fail.
User authentication, as the name implies, verifies the identities of the sender and recipient. Each employee signs with her own digital signature, and the verifier checks that signature against the public key registered to her, which is what ties the record to a specific person rather than to a shared account.
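The signing, integrity and authentication checks described above, as an added example that is not part of the original article and not an HHS or HIPAA artifact. It uses Go's standard-library Ed25519; the record layout, the employee names, the timestamp field and the key directory are assumptions constructed here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// SignedRecord is a constructed illustration of a signed health care message:
// the content plus the metadata the signature covers (who signed, and when).
type SignedRecord struct {
	Signer    string `json:"signer"`    // identity the signer claims (assumed user name)
	Timestamp string `json:"timestamp"` // RFC 3339 UTC time of signing
	Payload   string `json:"payload"`   // the record content being protected
	Signature []byte `json:"signature"` // Ed25519 signature over the three fields above
}

// signingInput builds the exact bytes the signature covers. Field order is
// fixed so that the verifier can rebuild the identical input.
func signingInput(signer, ts, payload string) []byte {
	b, _ := json.Marshal(struct{ Signer, Timestamp, Payload string }{signer, ts, payload})
	return b // json.Marshal cannot fail on a struct of strings
}

// Sign binds signer identity, time and payload under priv. Only the holder
// of priv can produce this signature, which is the basis of nonrepudiation.
func Sign(priv ed25519.PrivateKey, signer, payload string, at time.Time) SignedRecord {
	ts := at.UTC().Format(time.RFC3339)
	sig := ed25519.Sign(priv, signingInput(signer, ts, payload))
	return SignedRecord{Signer: signer, Timestamp: ts, Payload: payload, Signature: sig}
}

// Verify checks message integrity: any change to signer, timestamp, payload
// or signature bytes makes it return false.
func Verify(pub ed25519.PublicKey, rec SignedRecord) bool {
	return ed25519.Verify(pub, signingInput(rec.Signer, rec.Timestamp, rec.Payload), rec.Signature)
}

// VerifyWithDirectory adds user authentication: the public key is looked up
// by the claimed signer, so an unknown signer or a record re-labelled with
// another employee's name fails, even if the signature itself is intact.
func VerifyWithDirectory(dir map[string]ed25519.PublicKey, rec SignedRecord) bool {
	pub, ok := dir[rec.Signer]
	return ok && Verify(pub, rec)
}

func main() {
	// Constructed key pairs for two employees. In a real deployment the keys
	// come from the identity system and private keys never leave the signer.
	pubA, privA, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pubB, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dir := map[string]ed25519.PublicKey{"nurse.jdoe": pubA, "dr.smith": pubB}

	rec := Sign(privA, "nurse.jdoe", "patient 12345: dosage 10 mg", time.Now())
	fmt.Println("genuine record verifies:", VerifyWithDirectory(dir, rec))

	tampered := rec
	tampered.Payload = "patient 12345: dosage 100 mg"
	fmt.Println("altered payload verifies:", VerifyWithDirectory(dir, tampered))

	impersonated := rec
	impersonated.Signer = "dr.smith"
	fmt.Println("re-labelled signer verifies:", VerifyWithDirectory(dir, impersonated))
}
```

The timestamp is inside the signed input rather than beside it, so a later change to the recorded time is caught the same way as a change to the payload; a production system would additionally want the time to come from a trusted source rather than the signer's own clock.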
Documentation
Each covered entity must keep documentation of the design, implementation and maintenance of the security measures HIPAA mandates. The required documentation also covers periodic reviews, validations and system updates, so that the entity can show not only what controls exist but that they are still in place and working.