Getting Started: The Impacts of Privacy and Security Under HIPAA - A Case Study

Late in 2002, a behavioral health agency realized that their use of a centralized electronic medical records (EMR) system and the requirements for HIPAA privacy had just accelerated their plans for security implementation. This paper is intended as a case study that can be applied in similar situations. It takes the reader through the entire problem-solving process, starting with a situation assessment of the Agency's information management and technology resources. Along the way, the demands of the final Security Rule are explored and how they factor into the approach, touching on the intersections between it and the HIPAA Privacy Rule. The paper describes how the Agency established an on-going, cost-effective security program integrated with current Agency business practices.