HIPAA Compliance

The HIPAA Security Rule requires covered entities and their business associates to implement appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI).

The safeguards in the Security Rule are divided into 3 parts.

  1. Technical Safeguards
  2. Physical Safeguards
  3. Administrative Safeguards

Each of the 3 parts consists of standards, and most standards have implementation specifications. Some implementation specifications are “required” and others are “addressable.” Required implementation specifications must be implemented as written. For an addressable implementation specification you must assess whether it is reasonable and appropriate in your environment: if it is, implement it; if it is not, document why and implement an equivalent alternative measure where one is reasonable and appropriate. Either way, the decision and its rationale must be documented. (HHS explains this distinction in its Security Rule FAQ.)

It is important to remember that “addressable” does not mean “optional.” You must either implement the specification, implement a documented equivalent, or document why neither is reasonable and appropriate. When in doubt, implement the addressable specifications as written; most of them are security best practices anyway.

Technical Safeguards

The Technical Safeguards cover the technology, and the policies and procedures for its use, that protect ePHI and control access to it. The Security Rule does not require any specific technology; its standards were designed to be “technology neutral,” so you choose the mechanisms that fit your environment and document why they are adequate.

There are 5 standards listed under the Technical Safeguards section.

  1. Access Control
  2. Audit Controls
  3. Integrity
  4. Person or Entity Authentication
  5. Transmission Security

Physical Safeguards

The Physical Safeguards cover physical measures, policies, and procedures that protect electronic information systems, and the buildings and equipment that house them, from natural and environmental hazards and unauthorized intrusion. There are 4 standards: Facility Access Controls, Workstation Use, Workstation Security, and Device and Media Controls. When you break down those 4 standards there are 10 things you need to implement.

  1. Facility Access Controls – Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
  2. Facility Access Controls – Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  3. Facility Access Controls – Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
  4. Facility Access Controls – Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).
  5. Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
  6. Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
  7. Device and Media Controls – Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
  8. Device and Media Controls – Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
  9. Device and Media Controls – Accountability (addressable): Maintain a record of the movements of hardware and electronic media and of any person responsible for them.
  10. Device and Media Controls – Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.

Ansari Law Firm, Attorneys & Lawyers, Alpharetta, GA