Getting down with EPHI: The Security Rule 101
It's common for college students to reach outside of their core curriculum and explore foundational courses that usually have the “101” designation, such as “Anthropology 101,” or “Psychology 101.” The Centers for Medicare & Medicaid Services (CMS) also offers a foundational guide, “Security 101 for Covered Entities,” the first in a series of seven papers, each focused on a specific topic related to the “Security Rule.”

The Security Rule sets the standards for ensuring that only those who should have access to electronic protected health information (EPHI) will actually have access. The Security Rule is based on the fundamental concepts of flexibility, scalability and technology neutrality. The Rule does not mandate any specific requirements for types of technology to implement, but allows a covered entity to use any security measures that are reasonable and appropriate to implement the standards and implementation specifications.

So, how does a covered entity determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization? Like any good student, you refer to your notes first. As it so happens, the aforementioned guide has many good notes scribbled in the margin. One such note states some of the factors involved in deciding what security measures to use:
  • The size, complexity and capabilities of the covered entity.
  • The covered entity's technical infrastructure, hardware, and software security capabilities.
  • The costs of security measures.
  • The probability and criticality of potential risks to EPHI.
As the current administration in the U.S. accelerates the goals of the National Health Information Infrastructure (NHII), protecting the confidentiality, integrity and availability of EPHI becomes even more critical. Fortunately, there is another side note in the same guide that gives some insight into how entities should prepare for the challenge:

“Security is not a one-time project, but rather an on-going, dynamic process that will create new challenges as covered entities' organizations and technologies change.”

For many entities, this means that a large, complex, time-consuming solution is not the answer. The challenge of providing access to EPHI for authorized personnel should not be encumbered by the complexities of implementation. Once again, this reinforces the fundamentals of the Security Rule: flexibility, scalability, and technology neutrality (which is a natural fit for today's heterogeneous enterprises).

In the “spirit” of the Security Rule, here is an example of a solution that provides the technical safeguards to implement access control and auditing for authorized use of EPHI:

Flexibility: A granular, policy-driven, privileged access control system that provides account access delegation and accountability to the original user, without disclosing passwords.

Scalability: Centralized control and management of policies and audit logs, with rapid deployment, ease of use and non-intrusive integration in entities ranging from regional health care providers to national health care clearinghouses.

Neutrality: Cross-platform, system-independent access control provides authorized users with rights and/or privileges to perform functions using information systems, applications, programs, or files while delegating the minimum necessary rights needed to perform job functions. Rights and/or privileges can be granted to authorized users dynamically, based on a set of access rules that the covered entity is required to implement.

When the time comes and you have graduated to new challenges and responsibilities in your health care organization, you can be confident that the foundations you implemented will continue to meet your on-going, dynamic needs.