This article describes the HIPAA workforce security requirements for restricting access to protected health information. The relevant subsection of the HIPAA law is §164.308(a)(3). Section §164.308 of the Health Insurance Portability and Accountability Act describes the required administrative safeguards for covered entities. This article explores section §164.308(a), which deals with ensuring that workforce members have appropriate (yet limited) access to protected health information. HIPAA Workforce Security: “Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.” [§164.308(a)(3)] This[…]

I recently got directed to this article called First-Hand Experience with a Patient Data Security Breach. It is a really good breakdown of the elements of what happens during a breach and the subsequent events. It starts with the theft of a laptop from an employee’s car. After the theft was reported, they looked at a recent backup of the machine and learned that the laptop contained data files about healthcare patients. Well, not directly. It contained logs of problems with health information systems, and within those logs were the healthcare records. Oops. While the laptop did not belong to a healthcare provider directly, it still managed to have files that were important and potentially could result in a breach according to[…]

Section §164.308 of the Health Insurance Portability and Accountability Act (HIPAA) covers security management and assigning overall responsibility for security policies to an individual in the organization. This article focuses on the required HIPAA administrative safeguards covered in subsections §164.308(a)(1) and (a)(2), which describe policies and responsibilities. Section (a)(2) is a simple requirement. The organization must identify an individual as the Security Official who is responsible for the policies and procedures that bring the organization into compliance with the law. The Security Official is responsible for communicating these policies effectively to all workforce members. These policies must also cover the workforce and training requirements discussed in section §164.308, which will be covered in a later article. In order to be HIPAA compliant,[…]

The new HIPAA Omnibus Rule from the Department of Health and Human Services (HHS) makes some changes to the Federal Code to account for the HITECH law as well as changes since then. This summary will be discussing changes to the Breach Notification Rule; we will also have a summary for changes to the Privacy Rule. The major change to the Breach Notification Rule is that a breach requiring notification is assumed unless: the covered entity can show (through a risk assessment) that there is a low probability that the protected health information (PHI) has been compromised, or the compromise falls under one of three exceptions to the definition of “breach”. Previously, covered entities only had to notify affected individuals if a risk[…]