Under the HIPAA Security Rule and “Meaningful Use” requirements, all electronic Protected Health Information (ePHI) created, received, maintained or transmitted by a “Covered Entity” (CE) and/or a “Business Associate” serving a covered entity is subject to the Security Rule. If we assume that information technology powers modern health care, then it stores or disseminates virtually everything an entity might know about a patient. Thus ePHI security and privacy are fundamental and paramount to meeting your compliance obligation under federal law.
The Security Rule requires entities to evaluate risks and vulnerabilities in their technology environments and to implement reasonable and appropriate security measures to protect ePHI. In short, an information technology risk analysis is the fundamental security cornerstone the Department of Health and Human Services (HHS) expects covered entities (CEs) to meet.