Under the HIPAA Security Rule, the following items, within the
three listed categories, are expected to be present:
1. Administrative Safeguards - These are the
policies and procedures designed to show how an entity complies
with HIPAA on the administrative level.
- Covered entities must have a written list of privacy procedures
and select a privacy officer, who will be responsible for
implementing these procedures.
- In the case of management oversight, there should be a
procedure in place for a buy-in to compliance, as dictated by the
documented security controls.
- Procedures should lay out everyone who has access to Electronic
Protected Health Information (EPHI) as a necessary part of their
- The procedures should also clarify authorization,
establishment, modification, and termination, when it comes to
- There must be evidence of an ongoing training program with
regard to those handling PHI.
- Covered entities must make sure all businesses with which they
deal also comply with the necessary safeguards (through contracts),
as well as making sure those parties only deal with other
- There must be a proven contingency plan in case of
emergencies. Covered entities must back up their data and provide
evidence of a disaster recovery procedure. The plan should be
continually updated to reflect ongoing data prioritization, system
failures, security assessments, etc.
- There should be regular, internal, documented audits within
- There must be a plan in place for responding to any security
breach that might arise during an internal audit, or simply during
2. Physical Safeguards - These safeguards
protect the actual physical process of handling information and
- The introduction and disposal of hardware and software over
open networks must be carefully monitored.
- All equipment containing any sort of PHI must be carefully
monitored, with restricted access.
- Only authorized individuals may have access to hardware and
- There must be facility security plans in place, up-to-date
maintenance records, and a sign-in/escort process for every visitor
on the premises.
- Workstations should be treated appropriately, with information
not visible in high-traffic areas.
- All contractors must also be aware of and comply with these
3. Technical Safeguards - These safeguards
refer specifically to the sharing of communications electronically
in order to ensure they cannot be intercepted by outside
- Systems with PHI must be secure against intrusion. When sharing
information over networks, information must be encrypted.
- Entities must ensure data has not been tampered with.
- Further technical safeguards may be used to protect
- Covered entities must be certain of the authenticity of those
with which they communicate.
- Covered entities must provide documentation of HIPAA practices
so the government may determine compliance (see below for more
- The documentation of IT should incorporate a record of
configuration settings on the network.
- Risk analysis and risk management programs are mandatory and
must be available through documentation.
For medical practices, preparing for an audit
involves being able to provide the following upon request:
- Having all the proper and aforementioned documentation on
- Proof that the EHR system in place for meaningful use is
- Documentation that all data is correct.
- Proof that a security risk assessment took place and physical
evidence of a corrective action plan.