Ensuring Patient Privacy

How IBM® can help you develop a successful plan designed to meet security and privacy requirements.

Introduction

As just about anyone dealing with the Health Insurance Portability and Accountability Act—or HIPAA—likely knows, understanding and complying with the complexities of the regulation can be challenging. And that is especially true when it comes to implementing the HIPAA Security Rule, which requires covered entities to implement reasonable and appropriate standards in order to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) that they create, receive, maintain or transmit.

IBM has been playing a significant role in helping healthcare providers, payers and life sciences organizations understand and comply with the broad set of HIPAA requirements, including the HIPAA Security Rule. We’ve had firsthand experience supporting organizations—of all sizes—in helping to assess their needs and meet their specific regulatory requirements.

"That experience has allowed us to develop a broad portfolio of products and services designed to help address our clients’ specific needs and support them in organizing their compliance teams’ efforts to implement the directives of HIPAA."

Aligning With Other Security Frameworks

Healthcare organizations may choose to employ additional security framework options in addition to those of HIPAA. For example, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity in 2014, providing a risk-based approach to helping organizations in all industries understand, communicate and manage cybersecurity risks.

In the healthcare industry, where covered entities must comply with the HIPAA Security Rule, the NIST Cybersecurity Framework can offer additional support for managing compliance.

Organizations that have already aligned their security programs to either the NIST Cybersecurity Framework or the HIPAA Security Rule may find they’ve developed a strong basis for assessing risk, measuring compliance and identifying potential gaps in their programs. And addressing these gaps can bolster their compliance with the HIPAA Security Rule and improve their ability to secure ePHI and other critical information and business processes.

But it’s important to note that healthcare organizations shouldn’t assume that they’re in compliance with the HIPAA Security Rule even if they’ve aligned their security program to the NIST Cybersecurity Framework. Similarly, while it may be relevant to certain controls, the HIPAA Security Rule does not require covered entities to integrate the NIST Cybersecurity Framework into their security management programs. Covered entities and business associates should perform their own security risk assessments to identify potential gaps and mitigate ePHI threats to their systems.

Three types of prescribed safeguards

HIPAA clearly identifies requirements for three types of safeguards for entities covered by ePHI regulations.

  • Administrative safeguards: HIPAA administrative safeguards require documented policies and procedures for day-to-day operations when handling PHI, managing employee conduct as it relates to PHI and managing the selection, development, and use of security and privacy controls. For instance, administrative safeguards require written procedures that cover access to PHI and associated controls, audit controls and data integrity controls.
  • Physical safeguards: HIPAA physical safeguards comprise a series of security measures designed to protect the environment in which systems containing ePHI reside—including buildings and equipment—from natural and environmental hazards, as well as unauthorized intrusion. Physical safeguards include access controls, workstation controls, and data and media controls.
  • Technical safeguards: The technical safeguards mandated by HIPAA include security measures that specify how to use technology to protect and control access to ePHI. For example, technical safeguards lay out requirements for workforce security and information access.

How IBM Can Help Build and Support Your Security Framework

IBM Security solutions offer a broad portfolio that can help you address the HIPAA Security Rule requirements and help you incorporate the NIST framework and other frameworks. In doing so, we can help you meet your more comprehensive HIPAA compliance goals and objectives of enhancing cost efficiency and simplifying management to help you avoid perceived gaps in coverage as threats evolve and change. For organizations with more mature security strategies and more complex and demanding protection needs, IBM Security solutions provide a broad set of controls and integrated actions designed to support various risk profiles.

This is a summary showing where IBM offers solutions related to specific HIPAA standards. For a more detailed listing, please see the appendix.

Why IBM

HIPAA can present healthcare organizations with several challenges where information security is concerned. And while the HIPAA Security Rule requirements offer covered entities considerable flexibility regarding the ways in which to meet requirements, it can be challenging to determine which path to compliance is the optimal one for your organization.

IBM offers a broad set of solutions and services designed to help your organization develop and implement the more comprehensive HIPAA security compliance strategies your organization needs to reach its goals. Within that context, we deliver leading technology and an experienced practice intended to consider your unique account situation.

When you collaborate with IBM, you gain access to a security team of 8,000 people supporting more than 12,000 customers in 133 countries. As a proven leader in enterprise security, we hold more than 3,500 security patents. And with an approach that includes advanced cognitive computing, we enable organizations like yours to continue to innovate while mitigating risk. So you can continue to grow your business while using processes designed to secure your most critical data and processes.


Our team is committed to your healthcare institution's cybersecurity.