Common safeguards policies can be formalized through a business associate agreement, data sharing agreement, or any other contract mechanism, and may include enforcement mechanisms and penalties for breaches and violations. An HIO also may establish and centrally control the exchange network, network equipment, and exchange conduits so that the exchange process itself is protected by a single set of safeguards and security mechanisms.
The HIPAA Security Rule requires the implementation of three types of safeguards:
- Administrative
- Physical
- Technical
In addition, it imposes other organizational requirements and a need to document processes analogous to the HIPAA Privacy Rule. That said, creating the necessary HIPAA Security Rule documentation will likely prove significantly more “vexing” than its Privacy Rule counterpart, especially for small providers xv.