Privacy and Security Standards

Privacy standards aim to protect an individual's (or organization's) right to determine whether, what, when, by whom and for what purpose their protected health information is collected, accessed, used or disclosed. Security standards define a set of administrative, physical and technical actions to protect the confidentiality, availability and integrity of health information. These standards are of two types: (1) HIPAA standards that define general requirements for the protection of health information shared via electronic transactions and (2) technical security standards.

HIPAA Privacy Rule

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule establishes national standards to protect individuals’ medical records and other protected health information. It applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically. The Rule applies safeguards to protect the privacy of protected health information (regardless of the medium in which the information is contained, whether film, paper, hardcopy, or electronic), and sets limits and conditions on the uses and disclosures of such information without patient authorization. The Rule also gives patients rights over their health information, including the right to examine and obtain a copy of their records, and to request corrections. As set forth in the HIPAA Privacy Rule (45 CFR §160.103), a standard means a rule, condition, or requirement with respect to the privacy of protected health information. An example of a standard under the HIPAA Privacy Rule is the notice of privacy practices: an individual’s right to adequate notice of the uses and disclosures of his or her protected health information that may be made by the covered entity, of the individual’s rights, and of the covered entity’s duties with respect to that protected health information (45 CFR §164.520).

HIPAA Security Rule

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information that a covered entity or business associate creates, receives, maintains, or transmits. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006 for small health plans). The Rule addresses the technical and non-technical safeguards that covered entities and business associates must have in place to secure an individual’s electronic protected health information (ePHI).

Further, the HIPAA Security Rule sets forth standards for physical, technical, and administrative safeguards for the protection of electronic protected health information. However, the HIPAA standards set forth what must be done, not how it is to be done. Implementation specifications, based upon the HIPAA standards, provide more granular detail about what needs to be done to satisfy each standard. But, again, these implementation specifications do not state how these things can be achieved.

Security Frameworks

Security frameworks help organizations build a comprehensive security program with guidance on how to identify and prioritize actions for reducing cybersecurity risk. HIPAA compliance alone is not enough to achieve holistic information security, as HIPAA does not explain the “how to” of protecting information. Security frameworks provide a roadmap for an organization’s security program. Popular security frameworks include those by ISO, COBIT, HITRUST, NIST, and CIS. Security frameworks also reference and/or map to technical security standards. Every organization needs to adopt a security framework in addition to complying with HIPAA. HIMSS recommends the adoption of the NIST Cybersecurity Framework in its HIMSS Cybersecurity Call to Action.

Technical Standards

Technical security standards are prescriptive in nature in that they set forth how certain things in information security are achieved. For example, ISO 27001 is a technical security standard in that it defines a process approach for establishing, implementing, operating, monitoring, reviewing, and maintaining an organization’s Information Security Management System (ISMS).

A robust catalog of information security standards can be found in Appendix A, Table 2 of the NIST Cybersecurity Framework v1.0. A draft v1.1 of the NIST Cybersecurity Framework also sets forth a robust catalog of information security standards in Table 3 of Appendix A.

For more information on privacy and security issues with Health IT, visit the HIMSS Privacy and Security toolkits.