Abstract

The Health Insurance Portability and Accountability Act (HIPAA) of 1996, spearheaded by the U.S. Department of Health and Human Services, was originally established to ease the administrative and financial burdens on the healthcare industry. In addition, a specific subsection called Administrative Simplification addresses, among other things, the privacy and security of confidential patient healthcare information. The specific requirements are addressed in two separate, yet interdependent, rules: the HIPAA Privacy Rule and the HIPAA Security Rule. This article examines the interdependency between the Privacy Rule and the Security Rule, explores what the Security Rule is and is not about, and focuses on some key areas to consider when performing HIPAA security audits.

Before moving forward, certain key HIPAA terms must be defined:

Protected health information (PHI): PHI is any individually identifiable information, created, received, or maintained in any form, that relates to the past, present, or future physical or mental health condition of an individual, to the provision of treatment, or to payment for that treatment.

Covered entity: A covered entity is any healthcare entity that deals with PHI and must comply with the HIPAA Administrative Simplification regulations. This includes healthcare providers, health plans, and healthcare clearinghouses.

Business associate: A business associate is any person or organization that receives PHI and performs a function or service using it for, or on behalf of, a covered entity. This includes accountants, auditors, attorneys, outside management and financial services organizations, consultants, and similar parties. It is the responsibility of covered entities to ensure that their business associates protect the privacy and confidentiality of PHI.
