HIPAA Security Rule Standards and Implementation Specifications

HIPAA is a set of standards introduced by the U.S. Congress in 1996. The Act consists of rules governing protected health information (PHI) including Security, Privacy, Identifiers, and Transactions and Code Sets. The purpose of the HIPAA Security Rule is to promote the protection and privacy of sensitive PHI used within the healthcare industry by organizations called “covered entities.” As a result of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, both covered entities and business associates are now accountable to the HHS and individuals for appropriately safeguarding private patient information. ClearDATA signs business associate agreements with its clients.

The HIPAA Security Rule Standards and Implementation Specifications has four major sections, created to identify relevant security safeguards that help achieve compliance: 1) Physical; 2) Administrative; 3) Technical; and 4) Policies, Procedures and Documentation Requirements.

Organizations must implement reasonable and appropriate solutions and management policies and procedures to comply with HIPAA technical standards and implementation specifications. It’s important to perform a formal security risk assessment for each of the safeguards in the HIPAA Security Rule. Management’s decisions related to risk aversion and tolerance must be documented in the security risk assessment to identify potential compliance gaps. For further information regarding the assessments, ClearDATA provides security risk assessments through its subsidiary US Healthcare Compliance. For many organizations, it is difficult to determine how the Rule applies, and navigating the types of technologies and processes that are needed to achieve compliance can be challenging. As part of the assessment, USHC provides a Remediation Roadmap to identify and manage the implementation and compliance of the standards.

Under the HIPAA Security Rule, implementation of standards is required, and implementation specifications are categorized as either “required” (R) or “addressable” (A). For required specifications, covered entities must implement the specifications as defined in the Security Rule. For addressable specifications, a covered entity must assess whether the implementation of the specification is reasonable and appropriate for its environment and the extent to which it is appropriate to protect ePHI. Following the security risk assessment, the covered entity must either implement the addressable specification, or document why it would not be reasonable and appropriate to implement and identify alternative and/or compensating safeguards as reasonable and appropriate.

Following are the HIPAA Security Rule Standards and Implementation Specifications. We will work closely with you to ensure that your ePHI is secure and private.



(R) = Required

(A) = Addressable






164.308(a)(1)(i) Security Management Process: Implement policies and procedures to prevent, detect, contain and correct security violations.

164.308(a)(1)(ii)(A) Risk Analysis (R): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity.

164.308(a)(1)(ii)(B) Risk Management (R): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

164.308(a)(1)(ii)(C) Sanction Policy (R): Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

164.308(a)(1)(ii)(D) Information System Activity Review (R): Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

164.308(a)(2) Assigned Security Responsibility (R): Implement policies and procedures for selection of and responsibilities for position.
Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.

164.308(a)(3)(i) Workforce Security (R): Implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to ePHI.

164.308(a)(3)(ii)(A) Authorization and/or Supervision (A): Implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed.

164.308(a)(3)(ii)(B) Workforce Clearance Procedure (A): Implement procedures to determine that the access of a workforce member to ePHI.

164.308(a)(3)(ii)(C) Termination Procedures (A): Implement procedures for terminating access to ePHI when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.

164.308(a)(4)(i) Information Access Management (R): Implement policies and procedures for authorizing access to ePHI that are consistent with the applicable requirements of subpart E of this part.

164.308(a)(4)(ii)(A) Isolating Health Care Clearinghouse Function (R): If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the ePHI of the clearinghouse from unauthorized access by the larger organization.

164.308(a)(4)(ii)(B) Access Authorization (A): Implement policies and procedures for granting access to ePHI, for example, through access to a workstation, transaction, program, process, or other mechanism.

164.308(a)(4)(ii)(C) Access Establishment and Modification (A): Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.

164.308(a)(5)(i) Security Awareness and Training (R): Implement a security awareness and training program for all members of its workforce (including management).

164.308(a)(5)(ii)(A) Security Reminders (A): Implement policies and procedures for periodic security updates.

164.308(a)(5)(ii)(B) Protection from Malicious Software (A): Implement procedures for guarding against, detecting, and reporting malicious software.

164.308(a)(5)(ii)(C) Log-in Monitoring (A): Implement procedures for monitoring log-in attempts and reporting discrepancies.

164.308(a)(5)(ii)(D) Password Management (A): Implement procedures for creating, changing, and safeguarding passwords.

164.308(a)(6)(i) Security Incident Procedures (R): Implement policies and procedures to address security incidents.

164.308(a)(6)(ii) Response and Reporting (R): Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.

164.308(a)(7)(i) Contingency Plan (R): Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI.

164.308(a)(7)(ii)(A) Data Backup Plan (R): Establish and implement procedures to create and maintain retrievable exact copies of ePHI.

164.308(a)(7)(ii)(B) Disaster Recovery Plan (R): Establish (and implement as needed) procedures to restore any loss of data.

164.308(a)(5)(ii)(C) Emergency Mode Operation Plan (R): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency

164.308(a)(7)(ii)(D) Testing and Revision Procedure (A): Implement procedures for periodic testing and revision of contingency plans.

164.308(a)(7)(ii)(E) Applications and Data Criticality Analysis (A): Implement policies and procedures to assess the relative criticality of specific applications and data in support of other contingency plan components.

164.308(a)(8) Evaluation (R): Implement policies and procedures to perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ePHI, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

164.308(b)(1) Business Associate Contracts and Other Arrangements (R): Implement policy to document rules for business associate (BA) identification and process to assure compliance with BA requirements.

164.308(b)(4) Written Contract or Other Arrangement (R): Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the BA that meets the applicable requirements of § 164.314(a).



164.310(a)(1) Facility Access Controls (R): Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

164.310(a)(2)(i) Contingency Operations (A): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

164.310(a)(2)(ii) Facility Security Plan (A): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

164.310(a)(2)(iii) Access Control and Validation Procedures (A): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

164.310(a)(2)(iv) Maintenance Records (A): Implement policies and procedures to document repairs and modifications to the physical components of a facility, which are related to security (for example, hardware, walls, doors, and locks).

164.310(b) Workstation Use (R): Implement policies and procedures to ensure that workstations and other computer systems that may be used to send, receive, store or access ePHI are only used in a secure and legitimate
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.

164.310(c) Workstation Security (R): Implement policies and procedures to ensure that all members of the workforce have appropriate access to ePHI and to prevent workforce members who do not have access from obtaining access to ePHI.
Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.

164.310(d)(1) Device and Media Controls (R): Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.

164.310(d)(2)(i) Disposal (R): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.

164.310(d)(2)(ii) Media Re-Use (R): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.

164.310(d)(2)(iii) Accountability (A): Implement procedures to maintain a record of the movements of hardware and electronic media and any person responsible

164.310(d)(2)(iv) Data Backup and Storage (A): Implement policies and procedures to create a retrievable, exact copy of ePHI, when needed, before movement of equipment.



164.312(a)(1) Access Control (R): Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).

164.312(a)(2)(i) Unique User Identification (R): Implement procedures to assign a unique name and/or number for identifying and tracking user identity.

164.312(a)(2)(ii) Emergency Access Procedure (R): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.

164.312(a)(2)(iii) Automatic Logoff (A): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

164.312(a)(2)(iv) Encryption and Decryption (A): Implement procedures to describe a mechanism to encrypt and decrypt ePHI.

164.312(b) Audit Controls (R): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

164.312(c)(1) Integrity (R)

164.312(c)(2) Mechanism to Authenticate Electronic PHI (A): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

164.312(d) Person or Entity Authentication (R): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.

164.312(e)(1) Transmission Security (R): Implement technical security policies and procedures measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.

164.312(e)(2)(i) Integrity Controls (A): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.

164.312(e)(2)(ii) Encryption (A): Implement a mechanism to encrypt ePHI whenever deemed appropriate.


Policies & Procedures and Documentation Requirements

164.316(a) Policies and Procedures (R): Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in Sec. 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

164.316(b)(1) Documentation

164.316(b)(1)(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form (R)

164.316(b)(1)(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment

164.316(b)(2)(i) Time Limit (R): Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

164.316(b)(2)(ii) Availability (R): Make documentation available to those persons responsible for implementing the procedures to which the documentation

164.316(b)(2)(iii) Updates (R): Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the ePHI.