Understanding HIPAA Security Rule: Key Requirements and Safeguards Explained
Explore the final version of Special Publication 800-66, detailing the HIPAA Security Rule, risk management strategies, and essential cybersecurity measures.
IMPLEMENTING THE HIPAA SECURITY RULE AN EXECUTIVE OVERVIEW
Added on 09/27/2024
Speaker 1: Hello, and welcome to my channel. On February 16, 2024, the HHS Office for Civil Rights and the National Institute of Standards and Technology published the final version of Special Publication 800-66, implementing the HIPAA Security Rule. The publication provides an overview of the HIPAA Security Rule, strategies for assessing and managing risk to electronic protected health information, suggestions for cybersecurity measures, and resources for implementing the Security Rule. I am Bill Ossolinsky, a Certified Information Systems Security Professional with 30 years of experience.

The HIPAA Security Rule applies to the following organizations. Number one, covered health care providers: any provider of medical or other health services or supplies who transmits any health information in electronic form in connection with a transaction for which the U.S. Department of Health and Human Services has adopted a standard. Number two, health plans: any individual or group plan that provides or pays the cost of medical care. Number three, health care clearinghouses: a public or private entity that processes another entity's health care transactions from a standard format to a non-standard format, or vice versa. And number four, business associates: a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A business associate is liable for their own HIPAA violations.

The goals and objectives of the HIPAA Security Rule are as follows. Number one, ensure the confidentiality, integrity, and availability of all electronic protected health information that it creates, receives, maintains, or transmits. Number two, protect against any reasonably anticipated threats and hazards to the security or integrity of electronic protected health information. Number three, protect against reasonably anticipated uses or disclosures of such information that are not permitted by the Privacy Rule. And number four, ensure compliance with the Security Rule by its workforce.

The HIPAA Security Rule is organized into six sections. Number one, Security Standards General Rules: includes the general requirements that all regulated entities must meet, establishes flexibility of approach, identifies standards and implementation specifications, both required and addressable, outlines decisions that a regulated entity must make regarding addressable implementation specifications, and requires the maintenance of security measures to continue reasonable and appropriate protection of electronic protected health information. Number two, Administrative Safeguards: defined in the Security Rule as the administrative actions and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information. Number three, Physical Safeguards: defined as the physical measures, policies, and procedures to protect the covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Number four, Technical Safeguards: defined as the technology and the policy and procedures for its use to protect electronic protected health information and control access to it. Number five, Organizational Requirements: includes standards for business associate contracts and other agreements between a covered entity and a business associate, and between a business associate and a subcontractor, as well as requirements for group health plans. Number six, Policies and Procedures and Documentation Requirements: requires the implementation of reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the Security Rule; the maintenance of written documentation and records that include the policies, procedures, actions, activities, or assessments required by the Security Rule; and retention, availability, and update requirements related to that documentation.

Compliance. A regulated entity is required to comply with all the standards of the Security Rule with respect to its electronic protected health information. Many of the standards contain implementation specifications. An implementation specification is a more detailed description of the method or approach that regulated entities can use to meet a particular standard. Implementation specifications are either required or addressable. However, regardless of whether a standard includes implementation specifications, regulated entities must comply with each standard.

The following are the required administrative safeguards: Risk Analysis, Risk Management, Sanction Policy, Information System Activity Review, Assigned Security Responsibility, Isolating Healthcare and Clearinghouse Functions, Security Incident Response and Reporting, Data Backup Plan, Data Recovery Plan, Emergency Mode Operating Plan, and Written Business Associate Contracts. The following are the required physical safeguards: Workstation Use, Workstation Security, Media Reuse, and Media Disposal. The following are the required technical safeguards: Unique User Identification, Emergency Access Procedure, Audit Controls, and Person or Entity Authentication.

That's all for this presentation. If you found this video helpful, please like and subscribe to my channel. And thank you for watching.
