HIPAA Security Rule
The HIPAA Security Rule establishes national standards to protect individuals’ health information that is created, received, used, or maintained in electronic form by a covered entity (electronic protected health information, or ePHI). The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
Contact the Kentucky REC today for more information on how we can help with your security risk analysis.
Covered Entity
A covered entity is one of the following:
| A Health Care Provider | A Health Plan | A Health Care Clearinghouse |
|---|---|---|
| This includes providers such as: | This includes: | This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa. |
Covered Entity Guidance Tool
Protecting patients’ ePHI is as important as protecting their paper PHI. A security risk analysis (SRA) helps identify the threats and vulnerabilities surrounding your EHR and the other IT systems that store or transmit ePHI. Once they are identified, you will need to mitigate the vulnerabilities to a reasonable and appropriate level.
Please note that all providers who are covered entities under HIPAA are required to perform a security risk analysis.
Why Do I Need a Security Risk Analysis (SRA)?
The Administrative Safeguards provisions of the HIPAA Security Rule require covered entities to perform a risk analysis as part of their security management process. Specifically, §164.308(a)(1)(ii)(A) requires covered entities to:
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
A risk analysis process includes, but is not limited to, the following activities:
• Evaluate the likelihood and impact of potential risks to ePHI
• Implement appropriate security measures to address the risks identified in the risk analysis
• Document the chosen security measures and, where required, the rationale for adopting those measures
• Maintain continuous, reasonable, and appropriate security protections
Risk analysis should be an ongoing process: a covered entity regularly reviews its records to track access to ePHI and detect security incidents, periodically evaluates the effectiveness of the security measures it has put in place, and regularly re-evaluates potential risks to ePHI.
KENTUCKY REC HIPAA NEWS
Kentucky REC Annual Conference Oct 24: Security Incident Response Planning
Hybrid Event with Special Guest Speakers - In Person and Online. Oct. 24, 2024, Lexington, Kentucky, The Campbell House. Security Incident Response Planning - A Tabletop Exercise. Kentucky REC Presenter: Amy Daley, Kentucky REC. Guest Presenters: Ryan Lewis & Colin...
Keynote Speaker Oct 24 Annual Conference: Harold Dennis Jr
Harold Dennis is a motivational speaker, Physician Assistant, and survivor of the 1988 Carrollton Bus Crash. Join us on Oct. 24 to hear his story of perseverance and overcoming adversity.
Join Us October 24! Kentucky REC Annual Conference
Join Kentucky REC expert advisors and guest speakers for our annual conference on October 24 in Lexington, Kentucky. Content will be provided both virtually and in person at the Campbell House. Register Today!