Security Practices

The Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was adopted to implement safeguards for the specific protection of electronic protected health information (EPHI). This includes EPHI that is created, received, maintained or transmitted.

The Security Rule requires that a security plan must ensure:

  • Integrity: Information has not been altered or destroyed without proper authorization.
  • Confidentiality: Information is only available or disclosed to authorized persons.
  • Availability: Information is accessible and usable upon demand by authorized persons.

The security standards are divided into the categories of administrative, physical, and technical safeguards.

  • Administrative safeguards include assignment or delegation of security responsibility to an individual and security training requirements.
  • Physical safeguards are the mechanisms required to protect electronic systems, equipment and the data they hold from threats, environmental hazards and unauthorized intrusion. They include restricting access to and retaining off-site computer backups.
  • Technical safeguards are primarily the automated processes used to protect data and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access the EPHI, or encrypting and decrypting data, as it is being stored and/or transmitted.

ACC will implement reasonable and appropriate measures to guard against unauthorized access to, and protect the integrity and confidentiality of, EPHI.

Covered Entities

A covered entity will have a security plan that ensures the confidentiality, integrity, and availability of electronic protected health information. Security measures, actions, activities, and assessments must be documented either electronically or in paper format and retained for 6 years from their effective date.

Administrative Safeguards

  • Access to electronic personal health information (PHI) is allowed only to those authorized and with a managed password system.
  • Access to PHI is immediately withdrawn upon employee/student termination/withdrawal.
  • Systems are protected from malicious software.
  • Data back-up and disaster recovery plans are implemented.

Technical Safeguards

  • PHI that is stored on-site on computers or other electronic devices should be protected from unauthorized use by implementing:
    • appropriate password systems;
    • automatic log-off procedures;
    • emergency access procedures;
    • transmission security; and
    • firewalls.

Physical Safeguards

  • Considers the physical access to electronic PHI to include:
    • facility lock and key control;
    • fire protection;
    • identification of high-risk areas;
    • use of computer privacy screens;
    • device and media controls; and
    • data back-up and storage.

Business Associates

Faculty, students, and employees will receive training and adhere to the HIPAA policies outlined in the HIPAA Training Module. They will:

  • Adhere to individual health care facility policy/procedure related to the Security Rule
  • Use appropriate safeguards to protect the confidentiality of EPHI
  • Report to the facility any use or disclosure by the business associate not authorized by the business associate provisions

Non-Business Associates

Each covered department will designate those employees who need access to EPHI to carry out their duties and shall designate the level of access needed by each employee. Faculty and employees will receive training and adhere to the HIPAA policies outlined in the HIPAA Training Module and addressed in Best Practices.

Back to Top