
Security Standards


HIPAA Security Overview

Security requirements are divided into the following four categories (each is defined below, followed by the measures it covers):


Administrative procedures to guard data integrity, confidentiality, and availability

  • Documented, formal practices to manage the selection and execution of security measures that protect data, and to govern the conduct of personnel in relation to the protection of data.

Physical safeguards to guard data integrity, confidentiality, and availability

  • Protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion.
  • Physical safeguards also cover the use of locks, keys, and administrative measures used to control access to computer systems and facilities.

Technical security services to guard data integrity, confidentiality, and availability

  • Processes that are put in place to protect information, and to control and monitor access to it.

Technical security mechanisms

  • Processes that are put in place to prevent unauthorized access to data, particularly data transmitted over a communications network.

HIPAA Security by Category

Security requirements by category - EACH MUST BE ADDRESSED

Administrative

  • Certification
  • Chain of Trust Agreements
  • Contingency Plan
  • Formal Mechanisms for Processing Records
  • Information Access Control
  • Internal Audit
  • Personnel Security
  • Security Configuration Management
  • Security Incident Procedures
  • Security Management Process
  • Termination Procedures
  • Training

Physical Safeguards

  • Assigned Security Responsibility
  • Media Controls
  • Physical Access Controls
  • Policy - Workstation Use
  • Secure Workstation Location
  • Security Awareness Training

Electronic Signature

  • Digital Signature - on hold

Technical Security Mechanisms

  • Communications Network Controls
  • Integrity Controls
  • Message Authentication

Technical Security Services

  • Access Controls
  • Audit Controls
  • Authorization Controls
  • Data Authentication (detection of corruption)
  • Entity Authentication


HIPAA Security - Entity Responsibilities

Each entity is responsible for the following:

  • Assessing its own security needs and risks, and devising, implementing, and maintaining appropriate security measures to address its business requirements
  • Determining how each individual security requirement will be satisfied and which technology to use
  • Balancing the need to secure health data against the economic cost of doing so when devising its solutions
  • Integrating its security strategy with its privacy requirements

HIPAA Security - Summary

  • Guard data integrity, confidentiality, and availability through administrative procedures and physical safeguards.
  • Document formal practices to manage the selection and execution of security measures that protect data, and to govern the conduct of personnel in relation to the protection of data.
  • Technical security includes processes that are in place to prevent unauthorized access to data and to monitor information access.

HIPAA Security - Questions to Think About

  • What is the nature of your “security culture” in terms of:
      ◦ level of control
      ◦ frequency and content of communication
      ◦ formal documentation
      ◦ enforcement consistency?

  • Is your security administration centralized or distributed?
  • Do your security policies/procedures address all areas of HIPAA regulation?
  • Is your security architecture adaptable?


COMPLIANCE DATE: April 21, 2005