At a glance
A federal law known as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandated the development of national standards to prevent the disclosure of sensitive patient health information without the patient's knowledge or consent. To put HIPAA's obligations into practice, the US Department of Health and Human Services (HHS) established the HIPAA Privacy Rule. A portion of the data covered by the Privacy Rule is protected under the HIPAA Security Rule.
The controls that must be used to protect PHI are laid out in the HIPAA Security Rule. To meet it, administrative, physical, and technical safeguards must be put in place and documented. Among the technical safeguards, access, audit, and encryption controls must be appropriate. These safeguards must exist in software that handles PHI, and they must be recorded.
Testing software that stores or transmits e-PHI to confirm that an implementation is carried out correctly is evidence that the HIPAA-required controls are successfully in place. Organizations that transmit and store PHI are required to conduct regular technical and non-technical evaluations of these systems under HIPAA Security Rule provision 164.308(a)(8). By assessing an organization's total control environment, White Coast can help establish whether the various HIPAA Security Rule criteria are satisfied.