HIPAA is a set of standards introduced by the U.S. Congress in 1996. The Act consists of rules governing protected health information (PHI), including the Security, Privacy, Identifiers, and Transactions and Code Sets rules. The purpose of the HIPAA Security Rule is to promote the protection and privacy of sensitive PHI used within the healthcare industry by organizations called “covered entities.” As a result of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, both covered entities and business associates are now accountable to the U.S. Department of Health and Human Services (HHS) and to individuals for appropriately safeguarding private patient information. ClearDATA signs business associate agreements with its clients.
The HIPAA Security Rule Standards and Implementation Specifications have four major sections, created to identify the security safeguards that help achieve compliance: 1) Physical; 2) Administrative; 3) Technical; and 4) Policies, Procedures and Documentation Requirements.
Organizations must implement reasonable and appropriate solutions, management policies, and procedures to comply with the HIPAA technical standards and implementation specifications. It is important to perform a formal security risk assessment for each of the safeguards in the HIPAA Security Rule. Management’s decisions related to risk aversion and tolerance must be documented in the security risk assessment to identify potential compliance gaps. For many organizations it is difficult to determine how the Rule applies, and navigating the technologies and processes needed to achieve compliance can be challenging. ClearDATA provides security risk assessments through its subsidiary US Healthcare Compliance (USHC). As part of the assessment, USHC provides a Remediation Roadmap to identify and manage the implementation of, and compliance with, the standards.
Under the HIPAA Security Rule, implementation of the standards is required, and implementation specifications are categorized as either “required” (R) or “addressable” (A). For required specifications, covered entities must implement the specification as defined in the Security Rule. For addressable specifications, a covered entity must assess whether implementing the specification is reasonable and appropriate for its environment and the extent to which it is appropriate to protect ePHI. Following the security risk assessment, the covered entity must either implement the addressable specification, or document why it would not be reasonable and appropriate to implement it and identify alternative and/or compensating safeguards that are reasonable and appropriate.
The HIPAA Security Rule Standards and Implementation Specifications are listed below. We will work closely with you to ensure that your ePHI is secure and private.
(R) = Required
(A) = Addressable
| Citation | Standard / Implementation Specification | Requirement |
|---|---|---|
| 164.308(a)(1)(i) | Security Management Process | Implement policies and procedures to prevent, detect, contain and correct security violations. |
| 164.308(a)(1)(ii)(A) | Risk Analysis (R) | Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity. |
| 164.308(a)(1)(ii)(B) | Risk Management (R) | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). |
| 164.308(a)(1)(ii)(C) | Sanction Policy (R) | Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. |
| 164.308(a)(1)(ii)(D) | Information System Activity Review (R) | Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. |
| 164.308(a)(2) | Assigned Security Responsibility (R) | Implement policies and procedures for selection of and responsibilities |
| 164.308(a)(2) | | Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. |
| 164.308(a)(3)(i) | Workforce Security (R) | Implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to ePHI. |
| 164.308(a)(3)(ii)(A) | Authorization and/or Supervision (A) | Implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed. |
| 164.308(a)(3)(ii)(B) | Workforce Clearance Procedure (A) | Implement procedures to determine that the access of a workforce member to ePHI. |
| 164.308(a)(3)(ii)(C) | Termination Procedures (A) | Implement procedures for terminating access to ePHI when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. |
| 164.308(a)(4)(i) | Information Access Management (R) | Implement policies and procedures for authorizing access to ePHI that are consistent with the applicable requirements of subpart E of this part. |
| 164.308(a)(4)(ii)(A) | Isolating Health Care Clearinghouse Function (R) | If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the ePHI of the clearinghouse from unauthorized access by the larger organization. |
| 164.308(a)(4)(ii)(B) | Access Authorization (A) | Implement policies and procedures for granting access to ePHI, for example, through access to a workstation, transaction, program, process, or other mechanism. |
| 164.308(a)(4)(ii)(C) | Access Establishment and Modification (A) | Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process. |
| 164.308(a)(5)(i) | Security Awareness and Training (R) | Implement a security awareness and training program for all members of its workforce (including management). |
| 164.308(a)(5)(ii)(A) | Security Reminders (A) | Implement policies and procedures for periodic security updates. |
| 164.308(a)(5)(ii)(B) | Protection from Malicious Software (A) | Implement procedures for guarding against, detecting, and reporting malicious software. |
| 164.308(a)(5)(ii)(C) | Log-in Monitoring (A) | Implement procedures for monitoring log-in attempts and reporting discrepancies. |
| 164.308(a)(5)(ii)(D) | Password Management (A) | Implement procedures for creating, changing, and safeguarding passwords. |
| 164.308(a)(6)(i) | Security Incident Procedures (R) | Implement policies and procedures to address security incidents. |
| 164.308(a)(6)(ii) | Response and Reporting (R) | Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. |
| 164.308(a)(7)(i) | Contingency Plan (R) | Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI. |
| 164.308(a)(7)(ii)(A) | Data Backup Plan (R) | Establish and implement procedures to create and maintain retrievable exact copies of ePHI. |
| 164.308(a)(7)(ii)(B) | Disaster Recovery Plan (R) | Establish (and implement as needed) procedures to restore any loss of data. |
| 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan (R) | Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency |
| 164.308(a)(7)(ii)(D) | Testing and Revision Procedure (A) | Implement procedures for periodic testing and revision of contingency plans. |
| 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis (A) | Implement policies and procedures to assess the relative criticality of specific applications and data in support of other contingency plan components. |
| 164.308(a)(8) | Evaluation (R) | Implement policies and procedures to perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ePHI, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart. |
| 164.308(b)(1) | Business Associate Contracts and Other Arrangements (R) | Implement a policy to document rules for business associate (BA) identification and a process to assure compliance with BA requirements. |
| 164.308(b)(4) | Written Contract or Other Arrangement (R) | Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the BA that meets the applicable requirements of § 164.314(a). |
| 164.310(a)(1) | Facility Access Controls (R) | Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. |
| 164.310(a)(2)(i) | Contingency Operations (A) | Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. |
| 164.310(a)(2)(ii) | Facility Security Plan (A) | Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. |
| 164.310(a)(2)(iii) | Access Control and Validation Procedures (A) | Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. |
| 164.310(a)(2)(iv) | Maintenance Records (A) | Implement policies and procedures to document repairs and modifications to the physical components of a facility, which are related to security (for example, hardware, walls, doors, and locks). |
| 164.310(b) | Workstation Use (R) | Implement policies and procedures to ensure that workstations and other computer systems that may be used to send, receive, store or access ePHI are only used in a secure and legitimate |
| 164.310(b) | | Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI. |
| 164.310(c) | Workstation Security (R) | Implement policies and procedures to ensure that all members of the workforce have appropriate access to ePHI and to prevent workforce members who do not have access from obtaining access |
| 164.310(c) | | Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users. |
| 164.310(d)(1) | Device and Media Controls (R) | Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility. |
| 164.310(d)(2)(i) | Disposal (R) | Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored. |
| 164.310(d)(2)(ii) | Media Re-Use (R) | Implement procedures for removal of ePHI from electronic media before the media are made available |
| 164.310(d)(2)(iii) | Accountability (A) | Implement procedures to maintain a record of the movements of hardware and electronic media and any person responsible |
| 164.310(d)(2)(iv) | Data Backup and Storage (A) | Implement policies and procedures to create a retrievable, exact copy of ePHI, when needed, before movement of equipment. |
| 164.312(a)(1) | Access Control (R) | Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4). |
| 164.312(a)(2)(i) | Unique User Identification (R) | Implement procedures to assign a unique name and/or number for identifying and tracking user identity. |
| 164.312(a)(2)(ii) | Emergency Access Procedure (R) | Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency. |
| 164.312(a)(2)(iii) | Automatic Logoff (A) | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. |
| 164.312(a)(2)(iv) | Encryption and Decryption (A) | Implement procedures to describe a mechanism to encrypt and decrypt ePHI. |
| 164.312(b) | Audit Controls (R) | Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. |
| 164.312(c)(2) | Mechanism to Authenticate Electronic PHI (A) | Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an |
| 164.312(d) | Person or Entity Authentication (R) | Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. |
| 164.312(e)(1) | Transmission Security (R) | Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. |
| 164.312(e)(2)(i) | Integrity Controls (A) | Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of. |
| 164.312(e)(2)(ii) | Encryption (A) | Implement a mechanism to encrypt ePHI whenever deemed appropriate. |

Policies & Procedures and Documentation Requirements

| Citation | Standard / Implementation Specification | Requirement |
|---|---|---|
| 164.316(a) | Policies and Procedures (R) | Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in Sec. 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. |
| 164.316(b)(1)(i) | | Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) |
| 164.316(b)(1)(ii) | | If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. |
| 164.316(b)(2)(i) | Time Limit (R) | Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. |
| 164.316(b)(2)(ii) | Availability (R) | Make documentation available to those persons responsible for implementing the procedures to which the documentation |
| 164.316(b)(2)(iii) | Updates (R) | Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the ePHI. |