Though short in length, the HIPAA Security Rule is well defined in some areas but vague in others, which makes the vague areas difficult to implement.
The HIPAA Security Rule is an offshoot of the Privacy Rule. While the Privacy Rule concerns itself with Protected Health Information (PHI) in general, the HIPAA Security Rule (SR) concerns itself specifically with electronic Protected Health Information (ePHI). Since it focuses on one element of the Privacy Rule, it is considered a subset of the HIPAA Privacy Rule.
The HIPAA Security Rule seeks to fortify individually identifiable health information with reasonably high levels of technical, administrative and physical safeguards, so that these attributes are protected and unauthorized or inappropriate access, use, or disclosure is prevented:
- Integrity, and
To enable this, the HIPAA Security Rule codifies a few standards and best practices in information technology. In a general sense, the HIPAA Security Rule requires computer systems containing patient health information to implement these three safeguards:
- Physical, and
It has clear definitions of each component relating to its specifications. Some of the terms on which the HIPAA Security Rule is unambiguously clear are:
Challenges associated with implementing the HIPAA Security Rule
Despite the clarity of the definitions of a few terms, as stated above, the HIPAA Security Rule is considered complicated by practitioners and participants in the Rule. It is not a painfully long document, running to only eight pages, but because of the highly technical nature of its text it is considered quite complex.
A major requirement that the HIPAA Security Rule imposes is a set of additional organizational requirements, apart from documenting processes that are in tune with the HIPAA Privacy Rule. This is easier said than done, especially for small-time providers that have limited technical bandwidth and capabilities, for whom implementing the Privacy Rule itself can be challenging. The solution is to make health information technology (HIT) resources available to providers of this kind.
Further, this Rule has some ambiguities. For instance, its fundamental requirement is implementation of “necessary safeguards”. There is no unanimity about what this means.