The HIPAA Security Rule addresses the technical and non-technical safeguards that HIPAA covered entities must put in place to secure individuals’ PHI. The Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties.
Prior to HIPAA, no generally accepted security standards for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on electronic information systems to pay claims, answer eligibility questions, provide health information, and conduct a host of other administrative and clinically based functions.
Today, providers are increasingly using computerized systems for electronic health records (EHR), radiology, pharmacy, and laboratory systems. Health plans are providing electronic claims and care management, as well as member self-service applications. While this may increase the mobility and efficiency of the medical workforce (that is, a doctor can review patient records and test results without having to wait for them in the mail or drive to an office), these advanced functions create serious security risks.