HIPAA Security Overview
Security requirements are divided into the following four categories:
Administrative procedures to guard data integrity, confidentiality, and availability
- Documented, formal practices to manage the selection and execution of security measures to protect data and the conduct of personnel in relation to the protection of data
Physical safeguards to guard data integrity, confidentiality, and availability
- Protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion
- Physical safeguards also cover the use of locks, keys, and administrative measures used to control access to computer systems and facilities
Technical security services to guard data integrity, confidentiality, and availability
- Processes that are put in place to protect and to control and monitor information access
Technical security mechanisms
- Processes that are put in place to prevent unauthorized access to data
HIPAA Security by Category
Security requirements by category - EACH MUST BE ADDRESSED
- Chain of Trust
- Information Access Control
- Physical Access Controls
- Policy - Workstation Use
- Digital Signature - on hold
- Technical Security Mechanisms
- Technical Security Services
HIPAA Security - Entity Responsibilities
Each entity is responsible for the following:
- Assessing its own security needs and risks, and devising, implementing, and maintaining appropriate security to address its business requirements
- Determining how individual security requirements will be satisfied and which technology to use
- Considering the balance between the need to secure the health data and the economic cost of doing so when devising its solutions
- Integrating security strategy with privacy requirements
HIPAA Security - Summary
- Guard data integrity, confidentiality and availability through administrative procedures and physical safeguards
- Document formal practices to manage the selection and execution of security measures to protect data and the conduct of personnel in relation to protection of data
- Technical security includes processes that are in place to prevent unauthorized access to data and to monitor information access.
HIPAA Security - Questions to Think About
- What is the nature of your "security culture" in terms of:
  - level of control
  - frequency and content of communication
- Is your security administration centralized or distributed?
- Do your security policies/procedures address all areas of HIPAA regulation?
- Is your security architecture adaptable?
COMPLIANCE DATE: April 21, 2005