What are appropriate safeguards to prevent impermissible use or disclosure of electronic protected health information?
Under the HIPAA Security Rule, standards and implementation specifications are categorized as administrative, physical, and technical safeguards.
Administrative safeguards are "administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information."
The basic elements are:
- Security management process - Development of a process to prevent, detect, contain, and correct security violations, and implementation of the policies and procedures to perform: 1) a risk analysis; 2) risk management; 3) a sanction policy; and 4) information system activity review. (See NIST SP 800-30, Risk Management Guide for Information Technology Systems, Chapters 3 and 4, January 2002.)
- Assigned security responsibility - Designation of a security official to develop and implement security policies and procedures.
- Workforce security - Ensuring all workforce members have appropriate access to ePHI and preventing those who do not have access from obtaining access according to security policies and procedures.
- Information access management - Implementation of policies and procedures for accessing, granting, and modifying access to ePHI.
- Security awareness and training - Development and implementation of a security awareness and training program for workforce members, including implementation of periodic security reminders, procedures to protect against malicious software, log-in monitoring, and password management.
- Security incident procedures - Implementation of accurate and current security incident procedures, including formal, documented report and response procedures.
- Contingency plan - Establishment of policies and procedures for responding to an occurrence that damages systems containing ePHI, including a data backup plan, a disaster recovery plan, an emergency mode operation plan, testing and revision procedures, and an applications and data criticality analysis.
- Evaluation - Conducting ongoing monitoring and evaluation of security plans and procedures.
- Business associate contracts and agreements - Entering into contracts or other agreements with business associates that include satisfactory assurances that the business associates will appropriately safeguard ePHI when they create, receive, maintain, or transmit ePHI on behalf of the covered entity.
Physical safeguards are "physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion."
The basic elements are:
- Facility access controls - Implementation of policies and procedures that limit physical access to the facilities where electronic information systems are housed while ensuring that authorized personnel retain access. This includes establishing contingency operations that allow facility access to support restoration of lost data in accordance with the disaster recovery plan and emergency mode operation plan; developing policies and procedures to secure the facility and equipment from unauthorized physical access, tampering, or theft; implementing procedures to control and validate a person's access to facilities based on their role or function; and documenting repairs and modifications to the physical components of the facility that are related to security.
- Workstation use - Specifying the appropriate use of workstations and the characteristics of the physical environment of workstations that can access ePHI.
- Workstation security - Implementation of strategies to restrict access to workstations with ePHI.
- Device and media controls - Development and implementation of policies and procedures governing the receipt and removal of hardware and electronic media that contain ePHI into and out of the facility, and the movement of these items within a covered entity, including disposal, reuse of media, accountability, and data backup and storage.
Technical safeguards are "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it."
The basic elements are:
- Access control - Development and implementation of policies, procedures, and processes to allow access only to persons or software programs that have appropriate access rights to electronic information systems containing ePHI, including unique user identification, emergency access procedures, automatic logoff, and encryption and decryption mechanisms.
- Audit controls - Recording and examining activity in information systems that contain or use ePHI.
- Integrity - Protecting ePHI from improper alteration or destruction, including implementation of mechanisms to authenticate ePHI.
- Person or entity authentication - Implementation of procedures to verify that a person or entity seeking access to ePHI is who they claim to be (proof of identity).
- Transmission security - Guarding against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
HIPAA Security Series - Administrative Safeguards - Developed by the Centers for Medicare & Medicaid Services (2007). This tool includes a review of each Administrative Safeguards standard and implementation specification listed in the Security Rule, discusses the purpose of each standard, and provides sample questions that covered entities and business associates may want to consider when implementing the Administrative Safeguards.
HIPAA Security Series - Physical Safeguards - Developed by the Centers for Medicare & Medicaid Services (2007). This tool includes a review of each Physical Safeguards standard and implementation specification listed in the Security Rule, discusses the purpose of each standard, and provides sample questions that covered entities and business associates may want to consider when implementing the Physical Safeguards.
HIPAA Security Series - Technical Safeguards - Developed by the Centers for Medicare & Medicaid Services (2007). This tool includes a review of each Technical Safeguards standard and implementation specification listed in the Security Rule, discusses the purpose of each standard, and provides sample questions that covered entities and business associates may want to consider when implementing the Technical Safeguards.
HIPAA Security Series - Basics of Risk Analysis and Risk Management - Developed by the Centers for Medicare & Medicaid Services (2007). This tool includes a review of the Security Rule's required implementation specifications for Risk Analysis and Risk Management and the basic concepts and steps involved.
Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices - From the Office of the National Coordinator (ONC). This guide is intended to help small health care practices reassess their existing health information security policies as they adopt and implement EHRs. It poses questions that a practice can use to identify appropriate safeguards and conduct risk assessments to secure electronic health information.
Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.