HIPAA Security Rule
Protecting Electronic PHI
The HIPAA Security Rule establishes standards for protecting electronic Protected Health Information (ePHI). Learn about the three categories of safeguards: Administrative, Physical, and Technical.
Administrative
Policies, procedures, and workforce training
Physical
Facility access and workstation controls
Technical
Access controls, audit logs, encryption
Required vs Addressable
Security Rule specifications are either Required (must be implemented as written) or Addressable (the covered entity assesses whether the specification is reasonable and appropriate in its environment; if so it implements it, and if not it documents the reasoning and implements an equivalent alternative measure where that is reasonable and appropriate).
Administrative Safeguards
Administrative actions, policies, and procedures to manage security measures:
Security Management Process
Risk analysis, risk management, sanction policy, information system activity review
Assigned Security Responsibility
Designate a security official responsible for HIPAA compliance
Workforce Security
Authorization, supervision, clearance procedures, termination procedures
Information Access Management
Access authorization, access establishment, access modification
Security Awareness Training
Security reminders, malware protection, login monitoring, password management
Contingency Plan
Data backup, disaster recovery, emergency operations, testing, criticality analysis
Physical Safeguards
Physical measures, policies, and procedures to protect electronic information systems and the buildings and equipment that house them:
Facility Access Controls
Contingency operations, facility security plan, access control, maintenance records
Workstation Use
Policies for proper workstation use and environment
Workstation Security
Physical safeguards restricting access to workstations
Device & Media Controls
Disposal, media re-use, accountability, data backup/storage
Technical Safeguards
Technology, policies, and procedures for protecting and controlling access to ePHI:
Access Control
Unique user ID, emergency access, auto logoff, encryption/decryption
Audit Controls
Hardware, software, and procedural mechanisms to record system activity
Integrity Controls
Mechanisms to authenticate ePHI and protect it from improper alteration or destruction
Person/Entity Authentication
Verify identity of persons or entities seeking access
Transmission Security
Integrity controls and encryption for ePHI transmission
Need Help Implementing Security Controls?
Our team can help you implement HIPAA Security Rule safeguards and conduct Security Risk Assessments.