The University of Texas Health Science Center at Houston

The IT Security website has moved to https://inside.uthouston.edu/itsecurity/.

Updated 4/04/2013
HIPAA Health Information Privacy and Security
The University of Texas Health Science Center at Houston Information Technology Data Center Operations and Services Department.

HIPAA Security
HIPAA Security Rule Overview

UTHealth is a covered entity under the HIPAA Security Rule. The HIPAA Security Rule requires UTHealth to implement administrative, technical, and physical safeguards to (1) ensure the confidentiality, integrity, and availability of all e-PHI it creates, receives, maintains, or transmits; (2) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; (3) protect against any reasonably anticipated uses or disclosures of such information that are not permitted by the HIPAA Privacy Rule; and (4) ensure compliance with the Security Rule by its workforce.

 

Definitions
Covered Entities include the following:

  • Covered Health Care Providers - Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.

  • Health Plans - Any individual or group plan that provides or pays the cost of health care (e.g., a health insurance issuer and the Medicare and Medicaid programs).

  • Health Care Clearinghouses - A public or private entity that processes another entity's health care transactions from a standard format to a non-standard format, or vice versa.

e-PHI is any Protected Health Information (PHI) that is stored, accessed, transmitted or received electronically; hence the "e" at the beginning of e-PHI.

Confidentiality is the assurance that e-PHI data is shared only among authorized persons or organizations.

Integrity is the assurance that e-PHI data is not changed unless an alteration is known, required, documented, validated and authoritatively approved. It is an assurance that information is authentic and complete, and that the information can be relied upon to be sufficiently accurate for its purpose.

Availability is the assurance that systems responsible for delivering, storing and processing critical e-PHI data are accessible when needed by those who need them, under both routine and emergency circumstances.

Privacy Rule vs. Security Rule

HIPAA regulations cover both security and privacy. Security and privacy are distinct but related: you cannot ensure privacy without security.

  • The Privacy Rule focuses on the right of an individual to control the use of his or her personal information. Protected health information (PHI) should not be divulged or used by others against the individual's wishes. The Privacy Rule covers the confidentiality of PHI in all formats, including electronic, paper and oral. Confidentiality is an assurance that the information will be safeguarded from unauthorized disclosure. The physical security of PHI in all formats is an element of the Privacy Rule. See "An Introduction to HIPAA Privacy Handbook".

  • The Security Rule focuses on administrative, technical and physical safeguards specifically as they relate to electronic PHI (e-PHI). Protection of e-PHI data from unauthorized access, whether the access is external or internal and whether the data is stored or in transit, is all part of the Security Rule.

© 2010, The University of Texas Health Science Center at Houston