On December 15, 2008, the Office of the National Coordinator for Health Information Technology of the U.S. Department of Health and Human Services (HHS) published its 11-page report: Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. The eight principles in this report underpin the HIPAA Administrative Simplification Privacy and Security Rule standards, provide a foundation for the Privacy provisions of the HITECH Act in the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009, and are a key objective of the proposed 2011 Objective recommendations for Meaningful Use published by HHS’ Health IT Policy Committee on June 16, 2009. The Framework and Meaningful Use documents are available here.
In this series of postings, we reproduce—one at a time—Level 1 and Level 2 descriptions of the eight principles. A Level 1 (L1) description is a “short title and concise statement,” and a Level 2 (L2) description is a “short explanation that further elaborates on the principle, what it is designed to do, and its parameters.”
The seventh of the eight principles is:
(L1) SAFEGUARDS. Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure. [p. 9]
(L2) Trust in electronic exchange of individually identifiable health information can only be achieved if reasonable administrative, technical, and physical safeguards are in place to protect individually identifiable health information and minimize the risks of unauthorized or inappropriate access, use, or disclosure. These safeguards should be developed after a thorough assessment to determine any risks or vulnerabilities to individually identifiable health information. Persons and entities that participate in a network for the purpose of electronic exchange of individually identifiable health information should implement administrative, technical, and physical safeguards to protect information, including assuring that only authorized persons and entities and employees of such persons or entities have access to individually identifiable health information. Administrative, technical, and physical safeguards should be reasonable in scope and balanced with the need for access to individually identifiable health information.
Definitions of Safeguards Pertaining to This Principle
Administrative safeguards: Administrative actions, and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic individually identifiable health information and to manage the conduct of the entity’s workforce in relation to the protection of that information. Administrative safeguards include policies and procedures, workforce training, risk management plans, and contingency plans.
Physical safeguards: Physical measures, policies and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion. Physical safeguards include workstation security and use procedures, facility security plans, data backup and storage, and portable device and media controls.
Technical safeguards: The technology and the policies and procedures for its use that protect electronic individually identifiable health information and control access to it.