Under the privacy rules, covered entities must implement policies and procedures to safeguard PHI in any format, paper or electronic. As with GLBA, the policies and procedures can be scaled to the size of the enterprise and the types of activities that involve PHI; a pharmacy will have different privacy policies and procedures than a doctor's office. The policies can be kept in written or electronic form, and so can communications between patients and covered entities, such as authorizations to access patient records and requests for records. These records must be retained, and remain retrievable, for six years from their creation or their last effective date, whichever is later. Here, IT can move a paper log into electronic form to speed retrieval and cut storage costs.
Dig further into the privacy rules and you reach the bridge to the security rules in Section 164.530. There, covered entities must have appropriate administrative, technical and physical safeguards to protect the privacy of PHI, and must reasonably safeguard PHI from any intentional or unintentional use or disclosure that would violate the privacy rules. That requirement opens the door to the security rules, under which entities must ensure the confidentiality, integrity and availability of all electronic PHI they create, receive, maintain or transmit.
HIPAA's security rules resemble GLBA's: they do not mandate specific technologies. Instead, they set general requirements that leave room for new technologies to satisfy them. Broadly speaking, entities must protect against any reasonably anticipated threats or hazards to the security or integrity of electronic PHI, and against any reasonably anticipated uses or disclosures that the privacy rules do not permit. In choosing specific security measures, the rules allow a flexible approach.
A large health plan, such as BlueCross BlueShield, will have different concerns than a small, self-administered plan. In deciding what is reasonable and appropriate, an entity may weigh its size, complexity and capabilities; its technical infrastructure and its hardware and software security capabilities; the cost of the security measures; and the probability and criticality of the potential risks to electronic PHI.
The security rules for HIPAA are neatly grouped into administrative, physical and technical safeguards. In practice, however, they are not so easily separated. Safeguarding electronic PHI means pairing technical safeguards with administrative policies and procedures. For example, administrative safeguards should include security awareness training for staff. Additional protection comes from desktop-management tools that lock down systems, block unauthorized downloads and restrict which applications can run on desktops. Desktop firewalls, such as those from Sygate Technologies and Zone Labs, add a further layer.
Each administrative, physical and technical safeguard comes with implementation specifications that are either "required" or "addressable." Required means just that: you must implement the specification. For an addressable specification, you must assess whether it is reasonable and appropriate in your environment. As with GLBA, that assessment will include a look at industry-standard practices. Addressable does not mean optional: if you decide an addressable specification is not reasonable and appropriate, document why and implement an equivalent alternative measure where one is reasonable and appropriate. And regardless of the specifications, entities must review and modify their security measures periodically in light of new threats and new protective technologies.