The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has been one of the most influential pieces of legislation affecting the healthcare industry. HIPAA’s initial purpose was to anticipate the digitization of healthcare data and communications by codifying standards for electronic transactions. It eventually expanded to require healthcare entities to protect patient privacy (the Privacy Rule), secure patients’ protected health information (PHI) (the Security Rule), and notify patients in the event of a breach of PHI (the Breach Notification Rule). HIPAA is therefore not a single law or rule but a “suite of regulations” that applies to two types of organizations, which HIPAA carefully defines: covered entities (CEs) and business associates (BAs).
HIPAA’s Security Rule applies equally to CEs and BAs. It requires the implementation of administrative, physical, and technical safeguards in order to maintain the confidentiality, integrity, and availability (CIA) of patients’ PHI. CEs and BAs are greatly aided in complying with the Security Rule by implementing a document management solution (DMS). A DMS is a hybrid software-hardware solution that assists in the creation, storage, transmission, and security of electronic health records (EHRs). EHRs often contain PHI, such as patient medical records and billing information, in electronic format. Common DMS features map to the Security Rule’s safeguards. In turn, the administrative, technical, and physical controls or safeguards contribute to the CIA of patient PHI.
This paper aims to:
- Summarize HIPAA’s privacy and security regulatory requirements, define who must comply, and outline how to comply – with a focus on the Security Rule
- Introduce the Security Rule’s required safeguards and how they enable the CIA of patient PHI
- Explain how common DMS features map to the Security Rule’s safeguards and therefore aid in compliance
- Provide guidance on evaluating DMS features and planning for DMS deployment