Technology Compliance Experts

HIPAA Safeguards

Administrative Safeguards

Risk analysis: assessment of risks and vulnerabilities to electronic protected health information

HIPAA § 164.308(a)(1)(ii)(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Risk management

HIPAA § 164.308(a)(1)(ii)(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).

HIPAA § 164.306(a) General requirements. Covered entities must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. (4) Ensure compliance with this subpart by its workforce.

Information system activity review

HIPAA § 164.308(a)(1)(ii)(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Assigned security responsibility

HIPAA § 164.308(a)(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.

Information access restriction requirements and controls

HIPAA § 164.308 (a)(3)(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

HIPAA § 164.308 (a)(3)(ii) (A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

HIPAA § 164.308 (a)(3)(ii)(B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

HIPAA § 164.308 (a)(4)(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

HIPAA § 164.308 (a)(4)(ii)(B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

Security awareness and training

HIPAA § 164.308 (a)(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

HIPAA § 164.308 (a)(5)(ii)(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.

HIPAA § 164.308 (a)(5)(ii)(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
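The information system activity review standard above (164.308(a)(1)(ii)(D)) and the log-in monitoring specification (164.308(a)(5)(ii)(C)) both require procedures for reviewing access records and reporting discrepancies, but neither says what a review looks like in practice. The following is an added example, not part of this page or of any HIPAA guidance: a small reviewer run over a constructed sample of application authentication logs. The log format, the field names, the failure threshold, the business-hours window and the list of generic account names are all assumptions standing in for whatever the covered entity's own policy defines.

```python
"""Information system activity review (164.308(a)(1)(ii)(D)) and
log-in monitoring (164.308(a)(5)(ii)(C)) over a constructed sample of
application authentication logs.  Added example; the log format, field
names and thresholds are assumptions, not anything the regulation prescribes."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data, not a real product's format).
SAMPLE_LOG = """\
2024-03-04T08:01:02Z user=jdoe src=10.0.0.5 action=login result=SUCCESS
2024-03-04T08:05:10Z user=jdoe src=10.0.0.5 action=view_record patient=P-1001
2024-03-04T22:14:00Z user=mlee src=203.0.113.9 action=login result=FAILURE
2024-03-04T22:14:05Z user=mlee src=203.0.113.9 action=login result=FAILURE
2024-03-04T22:14:09Z user=mlee src=203.0.113.9 action=login result=FAILURE
2024-03-04T22:14:12Z user=mlee src=203.0.113.9 action=login result=FAILURE
2024-03-04T22:14:20Z user=mlee src=203.0.113.9 action=login result=FAILURE
2024-03-04T22:15:01Z user=mlee src=203.0.113.9 action=login result=SUCCESS
2024-03-04T23:30:00Z user=shared_nurse src=10.0.0.77 action=login result=SUCCESS
"""

FAILURE_THRESHOLD = 5            # failures within WINDOW raise a finding (assumed policy)
WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 19)    # 07:00-18:59 UTC counts as normal (assumed policy)
GENERIC_ACCOUNTS = {"shared_nurse", "admin", "frontdesk"}  # assumed non-unique IDs


def parse_line(line):
    """'<iso-timestamp> k=v k=v ...' -> dict with a parsed 'ts' field."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def review(log_text):
    """Return a list of (kind, user, src, timestamp) findings for a reviewer.

    Detects: a burst of FAILURE_THRESHOLD failed logins from one (user, src)
    inside WINDOW; a success that follows such a burst; successful logins
    outside business hours; and logins with a shared/generic account, which
    defeats unique user identification (164.312(a)(2)(i)).
    """
    findings = []
    failures = defaultdict(list)          # (user, src) -> recent failure timestamps
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("action") != "login":
            continue                       # only authentication events are reviewed here
        key = (rec["user"], rec["src"])
        recent = [t for t in failures[key] if rec["ts"] - t <= WINDOW]
        if rec.get("result") == "FAILURE":
            recent.append(rec["ts"])
            if len(recent) == FAILURE_THRESHOLD:   # report once, at the threshold
                findings.append(("failed_login_burst", rec["user"], rec["src"], rec["ts"]))
        elif rec.get("result") == "SUCCESS":
            if rec["ts"].hour not in BUSINESS_HOURS:
                findings.append(("off_hours_login", rec["user"], rec["src"], rec["ts"]))
            if len(recent) >= FAILURE_THRESHOLD:    # possible guessed password
                findings.append(("success_after_burst", rec["user"], rec["src"], rec["ts"]))
            if rec["user"] in GENERIC_ACCOUNTS:
                findings.append(("non_unique_account", rec["user"], rec["src"], rec["ts"]))
        failures[key] = recent
    return findings


if __name__ == "__main__":
    for kind, user, src, ts in review(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:22} user={user} src={src}")
```

Each finding is a discrepancy a reviewer would be expected to document and follow up under the entity's procedures; the thresholds are placeholders and the real values, and the retention of the review itself, belong in the policy the standard asks for.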

HIPAA § 164.308 (a)(5)(ii)(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

Contingency plan in emergency or other occurrence

HIPAA § 164.308 (a)(7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

HIPAA § 164.308 (a)(7)(ii)(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

HIPAA § 164.308 (a)(7)(ii)(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.

HIPAA § 164.308 (a)(7)(ii)(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

HIPAA § 164.308 (a)(7)(ii)(D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.

HIPAA § 164.308 (a)(7)(ii)(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.

Documentation of periodic technical and nontechnical evaluations

HIPAA § 164.308 (a)(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

Business associate contract

HIPAA § 164.308 (b)(1) Standard: Business associate contracts and other arrangements. A covered entity, in accordance with 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with 164.314(a) that the business associate will appropriately safeguard the information.

HIPAA § 164.308 (b)(4) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of 164.314(a).

Administrative safeguards are administrative actions, policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (ePHI) and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.


Physical Safeguards

Physical access controls

HIPAA § 164.310 (a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

HIPAA § 164.310 (a)(2)(ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

Policies and procedures for workstation security

HIPAA § 164.310 (b) Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

Proper usage, storage, and disposal of data storage devices

HIPAA § 164.310 (d)(1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

HIPAA § 164.310 (d)(2)(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

HIPAA § 164.310 (d)(2)(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

HIPAA § 164.310 (d)(2)(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.

Technical Safeguards

Implementation of technology to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI)

HIPAA § 164.312 (a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

HIPAA § 164.312 (a)(2)(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.

HIPAA § 164.312 (a)(2)(ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

HIPAA § 164.312 (a)(2)(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

HIPAA § 164.312 (d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Transmission security

HIPAA § 164.312 (e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

HIPAA § 164.312 (e)(2)(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

HIPAA § 164.312 (e)(2)(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
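The integrity controls specification above asks that transmitted ePHI cannot be improperly modified without detection. The following is an added example, not part of this page and not a prescribed HIPAA mechanism: each record is sent with an HMAC-SHA256 tag and a sequence number, and the receiver verifies the tag in constant time before accepting the record, so both in-transit modification and replay are detected. The record layout, the tag encoding and the key provisioning are assumptions for illustration. This covers integrity only; confidentiality under the encryption specification would come from TLS or an authenticated cipher such as AES-GCM, which this standard-library example does not implement.

```python
"""Transmission integrity control (164.312(e)(2)(i)): an HMAC-SHA256 tag
over each transmitted ePHI record so that any modification in transit is
detected before the record is accepted.  Added example using only the
standard library; the record layout, key handling and sequence-number
scheme are assumptions.  Integrity only: the record is NOT encrypted here."""
import hashlib
import hmac
import json
import secrets


class IntegrityError(Exception):
    """Raised when a received record fails tag or sequence verification."""


def seal(record: dict, key: bytes, seq: int) -> bytes:
    """Serialize the record with a sequence number and append an HMAC tag.

    Canonical JSON (sorted keys, no whitespace) so sender and receiver
    compute the tag over byte-identical input.  Wire format: <json>.<hextag>
    """
    body = json.dumps({"seq": seq, "record": record},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"." + tag.hex().encode()


def open_sealed(message: bytes, key: bytes, expected_seq: int) -> dict:
    """Verify the tag (constant-time compare) and the sequence number,
    then return the record.  Verification happens before the JSON is
    parsed, so a tampered body is never interpreted."""
    body, sep, tag_hex = message.rpartition(b".")   # hex tag contains no '.'
    if not sep:
        raise IntegrityError("malformed message")
    try:
        tag = bytes.fromhex(tag_hex.decode())
    except ValueError:
        raise IntegrityError("malformed tag")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("tag mismatch: record modified or wrong key")
    payload = json.loads(body)
    if payload.get("seq") != expected_seq:
        raise IntegrityError(f"unexpected sequence {payload.get('seq')}: replay or reorder")
    return payload["record"]


def demo():
    """Send one record, then show a modified copy and a replay being rejected.
    Returns (accepted_ok, tamper_detected, replay_detected)."""
    key = secrets.token_bytes(32)   # shared key, assumed provisioned out of band
    rec = {"patient_id": "P-1001", "rx": "amoxicillin 500mg"}   # constructed sample
    msg = seal(rec, key, seq=1)

    accepted_ok = open_sealed(msg, key, expected_seq=1) == rec

    tampered = msg.replace(b"500mg", b"900mg")      # same length, one field altered
    try:
        open_sealed(tampered, key, expected_seq=1)
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True

    try:
        open_sealed(msg, key, expected_seq=2)       # old message delivered again
        replay_detected = False
    except IntegrityError:
        replay_detected = True

    return accepted_ok, tamper_detected, replay_detected


if __name__ == "__main__":
    print(demo())
```

The sequence number is what turns a bare MAC into a transmission control: without it an attacker who cannot forge tags can still re-send a valid earlier record. Key management (rotation, per-connection keys, separate keys for each direction) is outside this snippet and is where most real deployments fall down.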

Encryption and decryption mechanisms for stored ePHI

HIPAA § 164.312 (a)(2)(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

Audits and monitoring

HIPAA § 164.312 (b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Technical safeguards are the technology and the policies and procedures for its use that protect electronic protected health information and control access to it.
