
HIPAA Security Rule and Compliance

The HIPAA Security Rule addresses the protection of electronic protected health information (ePHI): its confidentiality, integrity and availability. Like the Privacy Rule, it concerns individually identifiable health information, which can be recognized by the 18 HIPAA identifiers. The Security Rule defines standards, procedures and methods for protecting ePHI, with attention to how ePHI is stored, accessed, transmitted and audited.

The HIPAA Security Rule addresses three categories of safeguards:

Administrative Safeguards - Policies, risk analysis, workforce training and the assignment of a HIPAA security compliance team or security official.

Physical Safeguards - Physical protection of facilities, electronic systems, equipment and the media holding ePHI.

Technical Safeguards - Authentication, access control, audit controls, integrity checks and encryption used to control and record access to ePHI.

Covered entities need to perform a Risk Analysis and apply Risk Management methodologies so that vulnerabilities and the risks they pose are reduced. Organizations should designate a security analyst or officer who is responsible for maintaining and enforcing the HIPAA standards within the organization.

Hardware, Software and Transmission Security
Organizations should have a hardware firewall in place. Transmission of ePHI over open networks should be encrypted (for example with TLS) in line with HIPAA requirements. Operating systems should be hardened and kept up to date, and policies should cover the updating of hardware, firmware, operating systems and applications.


Disaster Backup and Recovery Plan
Policies and procedures should include a Disaster Backup and Recovery plan to ensure the business can continue operations in the event of a disaster. This includes keeping the business running, recovering lost data, testing backup and restore procedures, and replacing equipment.

Incident Response
Policies and procedures should cover incident response: how security incidents are identified, reported and responded to. The organization's security officer, together with management, should evaluate the effects of any incident. Each incident and its outcome should be documented so that policies can be revised to prevent a recurrence.

Training of Workforce
Organizations should provide a training program to raise awareness of HIPAA requirements and each person's responsibilities under them. Every individual in the organization must be trained on a regular basis. Training should cover employee awareness, password safeguarding and changing, workstation access, software use, virus and malware information and other mission-critical operations.

Records and Information Access
Policies should define roles that determine who may access which programs and information. They should also define which IT personnel are permitted to grant, modify or revoke that access.

Audit Methods
Audit mechanisms should be in place to record and review activity on all hardware, software and data: who accessed which ePHI, when, and what they did with it. Audit records should be protected from alteration and reviewed regularly.
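As an added illustration of how the Technical Safeguards, the Records and Information Access policy and the Audit Methods above fit together in code (this is example code written for this page, not HIPAA text or any vendor's software), the following Python module enforces role-based access to ePHI records, logs every allowed and denied attempt, and chains the log entries with an HMAC so that an edited or deleted entry is detected on verification. The roles, users, key and records are constructed for the example.

```python
"""Added illustration of the Security Rule's technical safeguards: role-based access
control over ePHI records, a tamper-evident audit log, and a check that rejects
altered log entries. Roles, users, key and records below are constructed for the
example and are not from any real system."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed role-to-permission map (assumption: who may read or write clinical data).
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "it_admin": set(),  # administers accounts; gets no clinical data access by default
}

GENESIS = b"\x00" * 32  # previous-MAC value used for the first audit entry


class AccessDenied(PermissionError):
    """Raised when a role lacks the requested permission."""


class AuditLog:
    """Append-only log of ePHI access attempts.

    Each entry carries an HMAC over the previous entry's MAC plus its own fields,
    so editing, deleting or reordering an entry breaks the chain on verify().
    """

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []
        self._prev = GENESIS

    @staticmethod
    def _body(entry: dict) -> bytes:
        fields = {k: v for k, v in entry.items() if k != "mac"}
        return json.dumps(fields, sort_keys=True).encode()

    def record(self, user: str, role: str, action: str, record_id: str, outcome: str) -> dict:
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "record": record_id, "outcome": outcome,
        }
        mac = hmac.new(self._key, self._prev + self._body(entry), hashlib.sha256).digest()
        entry["mac"] = mac.hex()
        self.entries.append(entry)
        self._prev = mac
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = GENESIS
        for entry in self.entries:
            expected = hmac.new(self._key, prev + self._body(entry), hashlib.sha256).digest()
            if not hmac.compare_digest(expected.hex(), entry.get("mac", "")):
                return False
            prev = expected
        return True


class EphiStore:
    """In-memory ePHI records; every access attempt is checked and logged."""

    def __init__(self, audit: AuditLog):
        self._records = {}
        self.audit = audit

    def access(self, user: str, role: str, action: str, record_id: str, data=None):
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        # Log before acting so denied attempts are recorded too.
        self.audit.record(user, role, action, record_id, "allowed" if allowed else "denied")
        if not allowed:
            raise AccessDenied(f"{role} may not {action} {record_id}")
        if action == "write":
            self._records[record_id] = data
            return None
        return self._records.get(record_id)


def demo() -> dict:
    """Runs the constructed scenario and returns the observable results."""
    log = AuditLog(key=b"constructed-audit-key-not-for-production")
    store = EphiStore(log)
    store.access("dr_lee", "physician", "write", "MRN-0001", {"dx": "constructed"})
    read_back = store.access("dr_lee", "physician", "read", "MRN-0001")
    try:
        store.access("bill_clerk", "billing", "write", "MRN-0001", {"dx": "changed"})
        denied = False
    except AccessDenied:
        denied = True
    intact = log.verify()
    log.entries[2]["outcome"] = "allowed"  # simulate someone editing the log after the fact
    return {"read_back": read_back, "write_denied": denied,
            "log_intact_before": intact, "log_intact_after_tamper": log.verify(),
            "entries": len(log.entries)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The permission check happens before the data is touched, and the log entry is written whether the attempt succeeds or not, so a denied write by the billing role still appears in the audit trail. In a real deployment the HMAC key would live outside the application that writes the log (for example with the audit system or an HSM), otherwise whoever can edit the log can also recompute the chain.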