HIPAA Principles


Main principles of the HIPAA rules:
1. The rules protect the interests of so-called “protected health information” (PHI), in particular data that helps to identify a specific person.
2. The main goal of the HIPAA rules is the detection and prevention of circumstances that lead to the theft or disclosure of a person’s PHI. As a rule, health care organizations are not allowed to use or disclose PHI, with few exceptions.
3. Health care organizations must give a patient or the patient’s representative access to their PHI and, on request, to information about all releases of that PHI to other organizations or persons.
The HIPAA rules also describe in detail the terms and circumstances under which a health care organization is allowed to use or disclose PHI without the patient’s permission.

This model is based on assigning security labels, called security clearances, to all objects and users according to a specified classification. A user is then able to read the objects whose label is the same as or lower than their own. For example, given the following classification of security levels: Unclassified – Confidential – Secret – Top Secret (each level dominates the previous), a user holding the label “Secret” cannot access information labeled “Top Secret” [1]. The flow of information from a dominating level to a lower level is regulated by the “Read down” and “Write up” principles. The integrity of information is regulated by the two mirror-image principles, “Read up” and “Write down”.

The problem is that this is quite a subjective issue, because the same medical information might belong to different security levels for different patients.
Role based access control
The role based access control model assigns each user of a system a particular role, which contains a set of permissions and rights. This does not mean that every user has an individual role and individual access rights, because one role might be assigned to many users. Roles are assigned according to the user’s position, responsibilities and capabilities. RBAC focuses not only on which data is accessible, but also on to whom access is granted [3].
Role based access control enables a security administrator to easily manage dynamically changing privacy rules. Because permissions are not assigned to the user directly but are inherited through the role, operations such as adding a new user or relocating a user within the organization become simpler.
The ability to perform composite operations is a considerable advantage of the RBAC model compared to the DAC and MAC models, where only atomic operations are possible. For instance, RBAC makes it possible to create a record “blood sugar level test”, enter a diagnosis, treatment, prescription etc. as one operation.
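The label-based model above (read down / write up for confidentiality, read up / write down for integrity) and the RBAC model in this section, as a small added reference-monitor example that is not part of the essay. The four security levels come from the text; the clinic roles, users and permission names are constructed assumptions.

```python
from enum import IntEnum

class Level(IntEnum):
    """Security levels from the text, lowest to highest; a higher value dominates."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

# Confidentiality (Bell-LaPadula style): a subject may read an object it
# dominates ("read down") and write to one that dominates it ("write up"),
# so information never flows from a higher level to a lower one.
def mac_can_read(subject: Level, obj: Level) -> bool:
    return subject >= obj
def mac_can_write(subject: Level, obj: Level) -> bool:
    return subject <= obj

# Integrity (Biba style) is the mirror image, "read up" and "write down",
# so low-integrity data cannot contaminate high-integrity objects.
def integrity_can_read(subject: Level, obj: Level) -> bool:
    return subject <= obj
def integrity_can_write(subject: Level, obj: Level) -> bool:
    return subject >= obj

# RBAC: permissions attach to roles, users only receive a role. The clinic
# roles and users below are constructed sample data, not from the essay.
ROLE_PERMISSIONS = {
    "nurse": {"read_record", "record_test_result"},
    "physician": {"read_record", "record_test_result", "enter_diagnosis", "write_prescription"},
    "billing": {"read_record"},
}
USER_ROLES = {"alice": "physician", "bob": "nurse"}

def rbac_permitted(user: str, action: str) -> bool:
    """A user holds exactly the permissions of the role assigned to them."""
    role = USER_ROLES.get(user)
    return role is not None and action in ROLE_PERMISSIONS.get(role, set())

# The composite operation from the text (record a test, enter a diagnosis,
# write a prescription) is checked all-or-nothing before any step runs.
ENCOUNTER_STEPS = ("record_test_result", "enter_diagnosis", "write_prescription")
def rbac_composite_permitted(user: str, steps=ENCOUNTER_STEPS) -> bool:
    return all(rbac_permitted(user, step) for step in steps)

def reassign_role(user: str, new_role: str) -> None:
    """User relocation: one assignment swaps their whole permission set."""
    if new_role not in ROLE_PERMISSIONS:
        raise KeyError(new_role)
    USER_ROLES[user] = new_role
```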