⚕ HIPAA 101

• Privacy Rule
• Security Rule
• Transactions Rule
• Identifiers Rule
• Enforcement Rule
• Breach Notification Rule
• Final Omnibus Rule

• Training Software
• Risk Management Software
• Data Security Software
• EHR Software

• HIPAA FAQ
• HIPAA PHI Lifecycle
• HIPAA Hosting
• HIPAA State Laws
• HIPAA Glossary
• HIPAA Misspellings

HIPAA Security Rule - CFR 45 Part 164

The HIPAA Security Rule addresses the protection of protected health information (PHI). Similar to the Privacy Rule, the Security Rule also deals with identifiable health information, and defines the defines standards, procedures and methods for protecting data with attention to how PHI is stored, accessed, and transmitted to maximize protection.

The HIPPA Security Rule adresses 3 types of security - Administrative, Physical, Technical. In the following, R are required elements and A are addressable (best practice; strongly recommended) elements:

1. Administrative Safeguards

Administrative safeguards (Subpart 164.308) focus on the assignment of a HIPPA security compliance team.

Security Management Process 164.308(a)(1)
☑ Risk Analysis (R)
☑ Risk Management (R)
☑ Sanction Policy (R)
☑ Information System Activity Review (R)

Assigned Security Responsibility 164.308(a)(2)
☑ Assigned Security Responsibility (R)

Workforce Security 164.308(a)(3)
☐ Authorization and/or Supervision (A)
☐ Workforce Clearance Procedure
☐ Termination Procedures (A)

Information Access Management 164.308(a)(4)
☑ Isolating Health care Clearinghouse Function (R)
☐ Access Authorization (A)
☐ Access Establishment and Modification (A)

Security Awareness and Training 164.308(a)(5)
☐ Security Reminders (A)
☐ Protection from Malicious Software (A)
☐ Log-in Monitoring (A)
☐ Password Management (A)

Security Incident Procedures 164.308(a)(6)
☑ Response and Reporting (R)

Contingency Plan 164.308(a)(7)
☑ Data Backup Plan (R)
☑ Disaster Recovery Plan (R)
☑ Emergency Mode Operation Plan (R)
☐ Testing and Revision Procedure (A)
☐ Applications and Data Criticality Analysis (A)

Evaluation 164.308(a)(8)
☑ Evaluation (R)

Business Associate Contracts and Other Arrangement 164.308(b)(1)
☑ Written Contract or Other Arrangement (R)

---

2. Physical Safeguards

HIPAA physical safeguards (Subpart 164.310) deal with the physical protection of electronic systems and equipment.

Facility Access Controls - 164.310(a)(1)
☐ Contingency Operations (A)
☐ Facility Security Plan (A)
☐ Access Control and Validation Procedures (A)
☐ Maintenance Records (A)

Workstation Use 164.310(b)
☑ Workstation Use (R)

Workstation Security 164.310(c
☑ Workstation Security (R)

Device and Media Controls - 164.310(d)(1)
☑ Disposal (R)
☑ Media Re-use (R)
☐ Accountability (A)
☐ Data Backup and Storage (A)

---

3. Technical Safeguards

HIPAA technical safeguards (Subpart 164.312) focus on authentication, encryption, and other methods to control access to ePHI data.

Access Control - 164.312(a)(1)
☑ Unique User Identification (R)
☑ Emergency Access Procedure (R)
☐ Automatic Logoff (A)
☐ Encryption and Decryption (A)

Audit Controls - 164.312(b)
☑ Audit Controls (R)

Integrity 164.312(c)(1)
☐ Mechanism to Authenticate Electronic Protected Health Information (A)

Person or Entity Authentication 164.312(d)
☑ Person or Entity Authentication (R)

Transmission Security 164.312(e)(1)
☐ Integrity Controls (A)
☐ Encryption (A)

More Information

Hardware, Software and Transmission Security
Organizations should have a hardware firewall in place. Transmission of personal information should be encrypted and comply with HIPAA rulings. Operating Systems should be hardened and up to date. Policies should cover the updating of hardware, firmware, operating systems and applications.

Disaster Backup and Recovery Plan Policies and Procedures should include a Disaster Backup and Recovery plan to ensure the business can continue operations in the event of a disaster. This includes keeping the business running, recovering lost data, testing of backup procedures and replacement of equipment.

Incident Response
Policies and procedures should be implemented to include incident response. This information should be used to identify security incidents and how to respond. The security officer for the organization along with management should evaluate the effects of any incidents. Documentation of any incidents should be made along with the outcomes for the possible modification of the policies to prevent any further incidents.

Training of Workforce
Organizations should provide a training program to raise awareness of HIPAA rights. Every individual in the organization must be trained on a regular basis. Training should be provided to include employee awareness, password safeguarding and changing, workstation access, software use, virus and malware information and other mission critical operations.

Records and Information Access
Policies should define roles on who can have what access to programs and information. These policies should further define the roles in information technology of the IT personnel who have the rights to modify the access.

Audit Methods
Audit mechanisms should be in place for all hardware, software and data control.