Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) mandates that companies protect the medical information they collect from patients. The law affects insurers, hospitals, laboratories, doctors' offices, and the pharmaceutical industry. It also applies to employers who keep employee health data for insurance purposes.
HIPAA also mandates that organizations conduct an assessment of potential risks and vulnerabilities to systems that maintain electronic protected health information (ePHI) and that they implement security measures sufficient to reduce those risks and vulnerabilities. The HIPAA Security Rule focuses on administrative, technical, and physical safeguards specifically as they relate to ePHI.
Two key principles in the security management process are risk analysis and risk management:
Risk analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity.
Risk management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) (above). Also, as stated in the DRAFT HIPAA Security Standards: Guidance on Risk Analysis, dated May 7, 2010:
Organizations must identify and document reasonably anticipated threats to e-PHI. (See 45 C.F.R. §§ 164.306(a)(2) and 164.316(b)(1)(ii).) Organizations may identify different threats that are unique to the circumstances of their environment. Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)