Security papers provide guidance from CMS. This rule, normally referred to as the security rule, was made to implement the provisions of the HIPAA Act of 1996. The security rule identifies the implementation specifications and standards that organizations must observe to become compliant. All organizations that access, maintain, store and transmit patient private health information are supposed to meet these requirements. Failure to meet these requirements might lead to criminal or civil penalties. However, small health plans are not included in these regulations.
The Human Health Services (HHS) department published rules to implement some provisions, which include:
a. Privacy rule, which regulates the disclosure and use of protected health information.
b. Electronic transaction and code set rules.
c. National identifier requirements for providers, employers and health plans.
d. Security rule, which requires suitable physical, administrative and technical protection to ensure the integrity, security and confidentiality of electronic public health information (EPHI). When the security rule was published, it was designed to be technology neutral to accommodate future changes. It does not specify the technologies to be used, so that health care providers will not be trapped by systems that become obsolete in the future.
The entities that must comply with the security rule include:
a. Any provider of health care services who sends any private health information in electronic form.
b. Any group plan or individual which pays for or provides any health care.
c. An entity that provides health care transaction processing services to another entity.
d. Any non-governmental organization that provides a discounted drug program.
If a breach of protected health information occurs, the entities must give notification of the breach to the secretary, the affected individual and the media in some circumstances. Business associates will inform the entities about the breach. The HIPAA enforcement rule has provisions that specify investigations, compliance and penalties in case of any violation.