The HIPAA security standards define administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. The standards require covered entities to implement basic safeguards to protect electronic protected health information from unauthorized access, alteration, deletion, and transmission.
(The Privacy Rule, by contrast, sets standards for how protected health information should be controlled by setting forth what uses and disclosures are authorized or required and what rights patients have with respect to their health information.)
Covered entities must do the following:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under HIPAA.
- Ensure compliance with HIPAA by its workforce.
The HIPAA security rule applies to electronic PHI, which is defined as individually identifiable health information that is:
- Transmitted by electronic media; or
- Maintained in electronic media.
Electronic PHI is thus a subset of PHI. See PHI for a discussion of what constitutes PHI.
Electronic media means:
- Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
- Transmission media used to exchange information already in electronic storage media.
Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dialup lines, private networks, and the physical movement of removable/transportable electronic storage media.
Certain transmissions are not considered transmissions via electronic media, for example paper sent by facsimile or voice sent by telephone, because the information being exchanged did not exist in electronic form before the transmission.
The HIPAA security rules apply to all covered entities. A covered entity includes:
- a health care provider that conducts certain transactions in electronic form (called here a “covered health care provider”),
- a health care clearinghouse, or
- a health plan.
See this chart from HHS for flowcharts to decide if an entity is a covered entity.
Covered entities may also be required to ensure that other entities performing functions for them comply with HIPAA security rules. Thus, a business associate of a covered entity or the plan sponsor of a group health plan (e.g., an employer) may also need to comply with HIPAA security rules. See business associate.
The regulations provide that covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications.
In deciding which security measures to use, a covered entity must take into account the following factors:
- The size, complexity, and capabilities of the covered entity.
- The covered entity’s technical infrastructure, hardware, and software security capabilities.
- The costs of security measures.
- The probability and criticality of potential risks to electronic protected health information.
Required and Addressable Implementation Specifications
Implementation specifications for the HIPAA Security Rule are required or addressable.
Required implementation specifications must be implemented.
Addressable implementation specifications require a covered entity to:
- Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity’s electronic protected health information; and
- As applicable to the entity—
  - Implement the implementation specification if reasonable and appropriate; or
  - If implementing the implementation specification is not reasonable and appropriate—
    - Document why it would not be reasonable and appropriate to implement the implementation specification; and
    - Implement an equivalent alternative measure if reasonable and appropriate.
Administrative Safeguards (§ 164.308)
A covered entity must implement all the standards below.
Security management process
Implement policies and procedures to prevent, detect, contain, and correct security violations.
Risk analysis (Required)
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Risk management (Required)
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Sanction policy (Required)
Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
Information system activity review (Required)
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Assigned security responsibility
Identify the security official who is responsible for the development and implementation of the policies and procedures required for HIPAA security.
Workforce security
Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under HIPAA's information access management standards (described below), and to prevent those workforce members who do not have access under those standards from obtaining access to electronic protected health information.
Authorization and/or supervision (Addressable)
Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
Workforce clearance procedure (Addressable)
Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
Termination procedures (Addressable)
Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made according to the workforce clearance procedure.
Information access management
Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of HIPAA security.
Isolating health care clearinghouse functions (Required)
If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
Access authorization (Addressable)
Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
Access establishment and modification (Addressable)
Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.
Security awareness and training
Implement a security awareness and training program for all members of its workforce (including management).
Security reminders (Addressable)
Periodic security updates.
Protection from malicious software (Addressable)
Procedures for guarding against, detecting, and reporting malicious software.
Log-in monitoring (Addressable)
Procedures for monitoring log-in attempts and reporting discrepancies.
Password management (Addressable)
Procedures for creating, changing, and safeguarding passwords.
Security incident procedures
Implement policies and procedures to address security incidents.
Response and Reporting (Required)
Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
Contingency plan
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
Data backup plan (Required)
Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
Disaster recovery plan (Required)
Establish (and implement as needed) procedures to restore any loss of data.
Emergency mode operation plan (Required)
Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
Testing and revision procedures (Addressable)
Implement procedures for periodic testing and revision of contingency plans.
Applications and data criticality analysis (Addressable)
Assess the relative criticality of specific applications and data in support of other contingency plan components.
Evaluation
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet HIPAA requirements.
Administrative Safeguards for Business Associate Contracts and Other Arrangements
A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with regulations, that the business associate will appropriately safeguard the information.
This standard does not apply to the transmission by a covered entity of electronic protected health information to a health care provider concerning the treatment of an individual, as well as in certain other circumstances.
Written contract or other arrangement is required
To comply with the requirements, a covered entity must document the satisfactory assurances through a written contract or other arrangement with the business associate that meets the applicable requirements of HIPAA.
Physical Safeguards (§ 164.310)
A covered entity must meet the following standards:
Facility access controls
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Contingency operations (Addressable)
Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
Facility security plan (Addressable)
Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Access control and validation procedures (Addressable)
Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Maintenance records (Addressable)
Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
Workstation use
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
Workstation security
Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
Device and media controls
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
Disposal (Required)
Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
Media re-use (Required)
Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
Accountability (Addressable)
Maintain a record of the movements of hardware and electronic media and any person responsible therefor.
Data backup and storage (Addressable)
Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
Technical Safeguards (§ 164.312)
A covered entity must meet the following standards.
Access control
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified by the information access management procedures (described in administrative safeguards).
Unique user identification (Required)
Assign a unique name and/or number for identifying and tracking user identity.
Emergency access procedure (Required)
Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
Automatic logoff (Addressable)
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Encryption and decryption (Addressable)
Implement a mechanism to encrypt and decrypt electronic protected health information.
Audit controls
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Integrity
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Mechanism to authenticate electronic protected health information (Addressable)
Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
Person or entity authentication
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Transmission security
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
Integrity controls (Addressable)
Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
Encryption (Addressable)
Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
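The audit-control and integrity safeguards above say what a mechanism must accomplish, not how to build one. The following is an added example written for this page (it is not from the original text, HHS, or any vendor) showing one common way to meet both: an HMAC-SHA256 tag computed over each stored record so that unauthorized alteration is detectable, plus an audit entry recorded for every read. The record layout, field names, the in-memory key, and the audit-log format are assumptions made for the example.

```python
# Added example, not part of the original page or of HHS guidance: an
# HMAC-SHA256 integrity tag over stored ePHI records (the "mechanism to
# authenticate electronic protected health information" safeguard) combined
# with an audit record for each read (the "audit controls" safeguard).
# Record layout, field names and the audit-log format are assumptions.
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Assumption: in production the integrity key is held in a key-management
# service or HSM; a random in-memory key keeps this example runnable offline.
INTEGRITY_KEY = secrets.token_bytes(32)

# Constructed sample record (fictitious values, not real PHI).
SAMPLE_RECORD: Dict[str, str] = {
    "patient_id": "P-0001",
    "encounter_date": "2024-01-05",
    "diagnosis_code": "J06.9",
}

# In-memory audit log for the example; a real deployment writes to
# append-only storage that the application itself cannot rewrite.
AUDIT_LOG: List[Dict[str, Any]] = []


def canonical_bytes(record: Dict[str, str]) -> bytes:
    """Serialise deterministically so key order or whitespace differences
    cannot change the tag (and so cannot be mistaken for tampering)."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: Dict[str, str], key: bytes = INTEGRITY_KEY) -> Dict[str, Any]:
    """Attach an HMAC-SHA256 tag computed over the canonical record."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"data": dict(record), "tag": tag}


def verify(sealed: Dict[str, Any], key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time. False means the data
    or the tag was changed after sealing, i.e. outside the application."""
    expected = hmac.new(key, canonical_bytes(sealed["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(sealed["tag"]))


def audited_read(sealed: Dict[str, Any], user_id: str,
                 key: bytes = INTEGRITY_KEY) -> Optional[Dict[str, str]]:
    """Return the record only if its tag verifies; log the attempt either way,
    so a failed integrity check is itself a reviewable event."""
    ok = verify(sealed, key)
    AUDIT_LOG.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,  # ties the event to a unique user identifier
        "patient_id": sealed["data"]["patient_id"],
        "event": "read",
        "integrity_ok": ok,
    })
    return dict(sealed["data"]) if ok else None


if __name__ == "__main__":
    stored = seal(SAMPLE_RECORD)
    print("intact record verifies:", verify(stored))
    # Simulate an edit made directly to storage, bypassing the application.
    edited = {"data": dict(stored["data"], diagnosis_code="Z00.0"), "tag": stored["tag"]}
    print("edited record verifies:", verify(edited))
    audited_read(edited, "clinician-42")
    print("last audit entry:", AUDIT_LOG[-1])
```

The tag only detects alteration; it does not hide the data, so the encryption safeguard is a separate control. Reviewing entries with `integrity_ok` false is exactly the kind of "information system activity review" the administrative safeguards call for.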
Organizational Requirements (§ 164.314)
A covered entity must implement all the applicable standards below.
Business associate contracts or other arrangements
The contract or other arrangement between the covered entity and its business associate that is required under the business associate standard above must meet the requirements of the applicable standards below.
If the covered entity knows of a pattern of an activity or practice of the business associate that constitutes a material breach or violation of the business associate’s obligation under the contract or other arrangement, it must take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps are unsuccessful:
- Terminate the contract or arrangement, if feasible; or
- If termination is not feasible, report the problem to the Secretary.
Business associate contracts
The contract between a covered entity and a business associate must provide that the business associate will—
- Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by HIPAA regulations;
- Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;
- Report to the covered entity any security incident of which it becomes aware;
- Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.
When a covered entity and its business associate are both governmental entities, the covered entity is in compliance if—
- It enters into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of the business associate contract rules; or
- Other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives.
Business associates and covered entities that are subject to statutory requirements may comply with those requirements without violating HIPAA.
Requirements for group health plans
Generally, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.
The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to—
- Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;
- Ensure that the adequate separation required by HIPAA is supported by reasonable and appropriate security measures;
- Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and
- Report to the group health plan any security incident of which it becomes aware.
Policies and Procedures and Documentation Requirements
A covered entity must meet the standards below.
Policies and procedures
Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the HIPAA security rules, taking into account the flexibility factors of the regulations.
Documentation
Maintain the policies and procedures implemented to comply with HIPAA in written (which may be electronic) form, and if an action, activity or assessment is required to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
Time limit (Required)
Retain the documentation required for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
Availability (Required)
Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
Updates (Required)
Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
HIPAA Security Rule (Feb. 20, 2003)