• ITReliance will audit your current technology infrastructure, compare it to your current technology plan, make recommendations, and provide services to keep you HIPAA compliant.

  • If you do not have a technology plan, ITReliance will audit your technology infrastructure and create a plan for your business, and provide the necessary steps and services to achieve HIPAA compliance.

  • The Security Rule was adopted to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This briefly covers the topics below to give HIPAA covered entities insight into the Security Rule, and assistance with implementation of the security standards. This series explains specific requirements, the thought process behind those requirements, and possible ways to address the provisions.

 

  • Background: Technical safeguards are becoming increasingly important due to technology advancements in the health care industry. As technology improves, new security challenges emerge. Healthcare organizations are faced with the challenge of protecting electronic protected health information (EPHI), such as electronic health records, from various internal and external risks. To reduce risks to EPHI, covered entities must implement technical safeguards. Implementation of the Technical Safeguards standards represents good business practice for technology and associated technical policies and procedures within a covered entity. It is important, and therefore required by the Security Rule, for a covered entity to comply with the Technical Safeguard standards and certain implementation specifications; a covered entity may use any security measures that allow it to reasonably and appropriately do so.

 

The Safeguards Are:

 

Access Control

 

The Security Rule defines access as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. (This definition applies to “access” as used in this subpart, not as used in subpart E of this part [the HIPAA Privacy Rule]).”

  1. UNIQUE USER IDENTIFICATION

  2. EMERGENCY ACCESS PROCEDURE

  3. AUTOMATIC LOGOFF

  4. ENCRYPTION AND DECRYPTION

Audit Controls

  1. The next standard in the Technical Safeguards section is Audit Controls. This standard has no implementation specifications. The Audit Controls standard requires a covered entity to: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

Integrity

The next standard in the Technical Safeguards section is Integrity. Integrity is defined in the Security Rule as “the property that data or information have not been altered or destroyed in an unauthorized manner.” Protecting the integrity of EPHI is a primary goal of the Security Rule. The Integrity standard requires a covered entity to: “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”

  1. MECHANISM TO AUTHENTICATE ELECTRONIC PROTECTED HEALTH INFORMATION

Person or Entity Authentication

  1. The Person or Entity Authentication standard has no implementation specifications. This standard requires a covered entity to: “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”

Transmission Security

  1. INTEGRITY CONTROLS

  2. ENCRYPTION
