Passed in 1996 by the U.S. Congress, the Health Insurance Portability and Accountability Act (HIPAA) is designed to protect confidential healthcare information through improved security standards and federal privacy legislation. It defines requirements for storing patient information before, during and after electronic transmission. It also identifies compliance guidelines for critical business tasks such as risk analysis, awareness training, audit trails, disaster recovery planning, information access control and encryption.
There are 18 information security standards in three areas that must be met to ensure compliance with the HIPAA Security Rule. The three areas are:
- Administrative Safeguards: documented policies and procedures for day-to-day operations; managing the conduct of employees who handle Electronic Protected Health Information (EPHI); and managing the selection, development, and use of security controls.
- Physical Safeguards: security measures meant to protect an organization's electronic information systems, as well as related buildings and equipment, from natural hazards, environmental hazards, and unauthorized intrusion.
- Technical Safeguards: security measures that specify how to use technology to protect EPHI, particularly controlling access to it.