The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).
The Security Rule is made up of 3 parts.
- Technical Safeguards
- Physical Safeguards
- Administrative Safeguards
All 3 parts include implementation specifications. Some implementation specifications are “required” and others are “addressable.” Required implementation specifications must be implemented. Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; your choice must be documented. (see the HHS answer)
It is important to remember that an addressable implementation specification is not optional. When in doubt, you should just implement the addressable implementation specifications. Most of them are best practices anyway.
The Technical Safeguards focus on the technology that protects PHI and controls access to it. The standards of the Security Rule do not require you to use specific technologies. The Security standards were designed to be “technology neutral.”
There are 5 standards listed under the Technical Safeguards section.
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security
The Physical Safeguards section lists 4 standards (Facility Access Controls, Workstation Use, Workstation Security, and Device and Media Controls). When you break down those 4 standards there are 10 things that you need to implement.
- Facility Access Controls – Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
- Facility Access Controls – Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
- Facility Access Controls – Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
- Facility Access Controls – Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).
- Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
- Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
- Device and Media Controls – Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
- Device and Media Controls – Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
- Device and Media Controls – Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
- Device and Media Controls – Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.