Are the security controls mandated by the HIPAA security rule enough to protect ePHI?
HIPAA Weekly Advisor, February 7, 2005
The short answer is that security controls are not enough. Someone could maliciously access or destroy electronic protected health information (ePHI) regardless of how many policies and technologies you have in place.
By implementing the authentication systems, access controls, malware protection, and other safeguards required by HIPAA, you can certainly eliminate the majority of potential attacks, but there's always residual risk.
Many information security managers spend countless hours and a great deal of money trying to eliminate all threats and vulnerabilities so they won't have to worry about responding to security incidents. This is the wrong approach. Don't try to eliminate all risks; instead, prepare your organization to respond quickly and efficiently so that damage to ePHI is minimized when a breach does occur.
Editor's note: Kevin Beaver, CISSP, answered this question. This is not legal advice. Consult your facility's legal counsel for questions on legal matters.