HIPAA Security Rule Standards and Implementation Specifications
by Chris Bowen
Chief Privacy & Security Officer and Founder
What is the HIPAA Security Rule?
HIPAA is a set of standards introduced by the U.S. Congress in 1996. The Act consists of rules governing protected health information (PHI) including Security, Privacy, Identifiers, and Transactions and Code Sets. The purpose of the HIPAA Security Rule is to promote the protection and privacy of sensitive PHI used within the healthcare industry by organizations called "covered entities." As a result of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, both covered entities and business associates are now accountable to the HHS and individuals for appropriately safeguarding private patient information. ClearDATA signs business associates agreements with its clients.
The HIPAA Security Rule Standards and Implementation Specifications has four major sections, created to identify relevant security safeguards that help achieve compliance: 1) Physical; 2) Administrative; 3) Technical, and 4) Policies, Procedures, and Documentation Requirements.
Organizations must implement reasonable and appropriate controls and management policies and procedures to comply with all HIPAA administrative, physical, and technical safeguards. Understanding these controls is part of the required Risk Assessment that all organizations must perform on a regular basis under HIPAA, as well as MACRA. For the latter, failure to have a Risk Assessment can reduce your Medicare reimbursement funding by 9% or more.
Although conducting yearly security risk assessments may seem like a hassle, the cost of failing to conduct them, and therefore failing to remediate risks, is much worse. ClearDATA provides a comprehensive, audit-ready Security Risk Assessment (SRA) report with findings that include detailed vulnerabilities and remediation recommendations. Our HIPAA risk assessment tool provides you with a concise and unbiased analysis of your organization’s compliance and security with all 20 Security Standards and more than 60 Safeguard Criteria.
ClearDATA is the trusted advisor to healthcare and life sciences organizations. The ClearDATA Professional Services team can offer insights and discuss lessons learned working with healthcare enterprises on their digital transformation and cloud journeys.
Under the HIPAA Security Rule, implementation of standards is required, and implementation specifications are categorized as either "required" (R) or "addressable" (A). For required specifications, covered entities must implement the specifications as defined in the Security Rule. For addressable specifications, a covered entity must assess whether the implementation of the specification is reasonable and appropriate for its environment and the extent to which it is appropriate to protect ePHI. Following the security risk assessment, the covered entity must either implement the addressable specification, or document why it would not be reasonable and appropriate to implement and identify alternative and/or compensating safeguards as reasonable and appropriate.
Following are the HIPAA Security Rule Standards and Implementation Specifications. We will work closely with you to ensure that your ePHI is secure and private. Please ensure that you are using the most current version of your browser or the table may not display correctly.
(R) = Required
(A) = Addressable
|164.308(a)(1)(i)||Security Management Process
Implement policies and procedures to prevent, detect, contain and correct security violations.
|164.308(a)(1)(ii)(A)||Risk Analysis (R)||Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity.|
|164.308(a)(1)(ii)(B)||Risk Management (R)||Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).|
|164.308(a)(1)(ii)(C)||Sanction Policy (R)||Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.|
|164.308(a)(1)(ii)(D)||Information System Activity Review (R)||Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.|
|164.308(a)(2)||Assigned Security Responsibility
(R)Implement policies and procedures for selection of and responsibilities for position.
|Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.|
|164.308(a)(3)(i)||Workforce Security (R)
Implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4)of this section from obtaining access to ePHI.
|164.308(a)(3)(ii)(A)||Authorization and/or Supervision (A)||Implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed.|
|164.308(a)(3)(ii)(B)||Workforce Clearance Procedure (A)||Implement procedures to determine that the access of a workforce member to ePHI.|
|164.308(a)(3)(ii)(C)||Termination Procedures (A)||Implement procedures for terminating access to ePHI when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.|
|164.308(a)(4)(i)||Information Access Management
(R)Implement policies and procedures for authorizing access to ePHI that are consistent with the applicable requirements of subpart E of this part.
|164.308(a)(4)(ii)(A)||Isolating Health Care ClearinghouseFunction (R)||If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the ePHI of the clearinghouse from unauthorized access by the larger organization.|
|164.308(a)(4)(ii)(B)||Access Authorization (A)||Implement policies and procedures for granting access to ePHI, for example, through access to a workstation, transaction, program, process, or other mechanisms.|
|164.308(a)(4)(ii)(C)||Access Establishment and Modification (A)||Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.|
|164.308(a)(5)(i)||Security Awareness and Training
(R)Implement a security awareness and training program for all members of its workforce (including management).
|164.308(a)(5)(ii)(A)||Security Reminders (A)||Implement policies and procedures for periodic security updates.|
|164.308(a)(5)(ii)(B)||Protection from Malicious Software(A)||Implement procedures for guarding against, detecting, and reporting malicious software.|
|164.308(a)(5)(ii)(C)||Log-in Monitoring (A)||Implement procedures for monitoring log-in attempts and reporting discrepancies.|
|164.308(a)(5)(ii)(D)||Password Management (A)||Implement procedures for creating, changing, and safeguarding passwords.|
|164.308(a)(6)(i)||Security Incident Procedures (R)
Implement policies and procedures to address security incidents.
|164.308(a)(6)(ii)||Response and Reporting (R)||Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.|
|164.308(a)(7)(i)||Contingency Plan (R)
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrences (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI.
|164.308(a)(7)(ii)(A)||Data Backup Plan (R)||Establish and implement procedures to create and maintain retrievable exact copies of ePHI.|
|164.308(a)(7)(ii)(B)||Disaster Recovery Plan (R)||Establish (and implement as needed) procedures to restore any loss of data.|
|164.308(a)(5)(ii)(C)||Emergency Mode Operation Plan (R)||Establish (and implement as needed)procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.|
|164.308(a)(7)(ii)(D)||Testing and Revision Procedure (A)||Implement procedures for periodic testing and revision of contingency plans.|
|164.308(a)(7)(ii)(E)||Applications and Data Criticality Analysis (A)||Implement policies and procedures to assess the relative criticality of specific applications and data in support of other contingency plan components.|
Implement policies and procedures to perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ePHI, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
|164.308(b)(1)||Business Associate Contracts and Other Arrangements (R)
Implement policy to document rules for business associate (BA) identification and process to assure compliance with assuring compliance BA requirements.
|164.308(b)(4)||Written Contract or Other Arrangement(R)||Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the BA that meets the applicable requirements of § 164.314(a).|
|164.310(a)(1)||Facility Access Controls (R)
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
|164.310(a)(2)(i)||Contingency Operations (A)||Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.|
|164.310(a)(2)(ii)||Facility Security Plan (A)||Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.|
|164.310(a)(2)(iii)||Access Control and Validation Procedures (A)||Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.|
|164.310(a)(2)(iv)||Maintenance Records (A)||Implement policies and procedures to document repairs and modifications to the physical components of a facility, which are related to security (for example, hardware, walls, doors, and locks).|
|164.310(b)||Workstation Use (R)
Implement policies and procedures to ensure that workstations and other computer systems that may be used to send, receive, store or access ePHI are only used in a secure and legitimate manner.
|Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.|
|164.310(c)||Workstation Security (R)
Implement policies and procedures to ensure that all members of the workforce have appropriate access to ePHI and to prevent workforce members who do not have access from obtaining access to ePHI.
|Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.|
|164.310(d)(1)||Device and Media Controls (R)
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.
|164.310(d)(2)(i)||Disposal (R)||Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.|
|164.310(d)(2)(ii)||Media Re-Use (R)||Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.|
|164.310(d)(2)(iii)||Accountability (A)||Implement procedures to maintain a record of the movements of hardware and electronic media and any person responsible therefore.|
|164.310(d)(2)(iv)||Data Backup and Storage (A)||Implement policies and procedures to create a retrievable, exact copy of ePHI, when needed, before movement of equipment.|
|164.312(a)(1)||Access Control (R)
Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).
|164.312(a)(2)(i)||Unique User Identification (R)||Implement procedures to assign a unique name and/or number for identifying and tracking user identity.|
|164.312(a)(2)(ii)||Emergency Access Procedure (R)||Establish (and implement as needed)procedures for obtaining necessary ePHI during an emergency.|
|164.312(a)(2)(iii)||Automatic Logoff (A)||Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.|
|164.312(a)(2)(iv)||Encryption and Decryption (A)||Implement procedures to describe a mechanism to encrypt and decrypt ePHI.|
|164.312(b)||Audit Controls (R)
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
|164.312(c)(2)||Mechanism to Authenticate ElectronicPHI (A)||Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.|
|164.312(d)||Person or Entity Authentication
(R)Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
|164.312(e)(1)||Transmission Security (R)
Implement technical security policies and procedures measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.
|164.312(e)(2)(i)||Integrity Controls (A)||An implement security measure to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.|
|164.312(e)(2)(ii)||Encryption (A)||Implement a mechanism to encrypt ePHIwhenever deemed appropriate.|
Policies & Procedures and Documentation Requirements
|164.316(a)||Policies and Procedures (R)||Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in Sec. 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.|
|164.316(b)(1)(i)||Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form (R)|
|164.316(b)(1)(ii)||If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment (R)|
|164.316(b)(2)(i)||Time Limit (R)||Retain the documentation required by paragraph(b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.|
|164.316(b)(2)(ii)||Availability (R)||Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.|
|164.316(b)(2)(iii)||Updates (R)||Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the ePHI.|
Learn more about the ClearDATA Security Risk Assessment. Our comprehensive process provides you with a concise and unbiased analysis of your organization’s compliance and security with all 20 Security Standards and more than 60 Safeguard Criteria.