HIPAA Security Rule

Health Insurance Portability and Accountability Act (HIPAA) - 1996
  • Proposed Security Rule - August 1998, Final Security Rule - February 2003
  • Compliance deadline - April 21, 2005
  • Modified by HITECH Act - February 2009
    • Solidified by the Omnibus Rule (Published in Federal Register - January 25, 2013)
    • Effective date - March 26, 2013
    • Compliance date - September 23, 2013 (Important date for business associates)
HIPAA Security Rule
  • Organizational Standards
  • Documentation
    • Policies and Procedures
      • Reasonable and appropriate
      • Comply with the standards, implementation specifications, and other requirements of the security rule
    • Retention: Six years from creation date or last effective date, whichever is later
  • Safeguards
    • Administrative Safeguards (12 Required, 11 Addressable)
    • Physical Safeguards (4 Required, 6 Addressable)
    • Technical Safeguards (4 Required, 5 Addressable)
Administrative Safeguards (§164.308)
§164.308(a)(1)(i) - Security management process
  • §164.308(a)(1)(ii)(A) - Risk analysis (Required)
  • §164.308(a)(1)(ii)(B) - Risk management (Required)
  • §164.308(a)(1)(ii)(C) - Sanction policy (Required)
  • §164.308(a)(1)(ii)(D) - Information system activity review (Required)
§164.308(a)(2) - Assigned security responsibility
§164.308(a)(3)(i) - Workforce security
  • §164.308(a)(3)(ii)(A) - Authorization and/or supervision (Addressable)
  • §164.308(a)(3)(ii)(B) - Workforce clearance procedure (Addressable)
  • §164.308(a)(3)(ii)(C) - Termination procedures (Addressable)
§164.308(a)(4)(i) - Information access management
  • §164.308(a)(4)(ii)(A) - Isolating health care clearinghouse functions (Required)
  • §164.308(a)(4)(ii)(B) - Access authorization (Addressable)
  • §164.308(a)(4)(ii)(C) - Access establishment and modification (Addressable)
§164.308(a)(5)(i) - Security awareness and training
  • §164.308(a)(5)(ii)(A) - Security reminders (Addressable)
  • §164.308(a)(5)(ii)(B) - Protection from malicious software (Addressable)
  • §164.308(a)(5)(ii)(C) - Log-in monitoring (Addressable)
  • §164.308(a)(5)(ii)(D) - Password management (Addressable)
§164.308(a)(6)(i) - Security incident procedures
  • §164.308(a)(6)(ii) - Response and reporting (Required)
§164.308(a)(7)(i) - Contingency plan
  • §164.308(a)(7)(ii)(A) - Data backup plan (Required)
  • §164.308(a)(7)(ii)(B) - Disaster recovery plan (Required)
  • §164.308(a)(7)(ii)(C) - Emergency mode operation plan (Required)
  • §164.308(a)(7)(ii)(D) - Testing and revision procedures (Addressable)
  • §164.308(a)(7)(ii)(E) - Applications and data criticality analysis (Addressable)
§164.308(a)(8) - Evaluation
§164.308(b)(1) - Business associate contracts and other arrangements

Physical Safeguards (§164.310)
§164.310(a)(1) - Facility access controls
  • §164.310(a)(2)(i) - Contingency operations (Addressable)
  • §164.310(a)(2)(ii) - Facility security plan (Addressable)
  • §164.310(a)(2)(iii) - Access control and validation procedures (Addressable)
  • §164.310(a)(2)(iv) - Maintenance records (Addressable)
§164.310(b) - Workstation use
§164.310(c) - Workstation security
§164.310(d)(1) - Device and media controls
  • §164.310(d)(2)(i) - Disposal (Required)
  • §164.310(d)(2)(ii) - Media re-use (Required)
  • §164.310(d)(2)(iii) - Accountability (Addressable)
  • §164.310(d)(2)(iv) - Data backup and storage (Addressable)

Technical Safeguards (§164.312)
§164.312(a)(1) - Access control
  • §164.312(a)(2)(i) - Unique user identification (Required)
  • §164.312(a)(2)(ii) - Emergency access procedure (Required)
  • §164.312(a)(2)(iii) - Automatic logoff (Addressable)
  • §164.312(a)(2)(iv) - Encryption and decryption (Addressable)
§164.312(b) - Audit controls
§164.312(c)(1) - Integrity
  • §164.312(c)(2) - Mechanism to authenticate electronic protected health information (Addressable)
§164.312(d) - Person or entity authentication
§164.312(e)(1) - Transmission security
  • §164.312(e)(2)(i) - Integrity controls (Addressable)
  • §164.312(e)(2)(ii) - Encryption (Addressable)