Security Rule

Computer crime concept

The Security Rule requires administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of electronic protected health information (PHI). Electronic PHI (e-PHI) is individually identifiable health information created, received, maintained or transmitted in electronic form.

The general requirements of the security rule include:

  • ensuring the confidentiality, integrity and availability of all e-PHI;
  • identifying and protecting against reasonably-anticipated threats to the security or integrity of the information;
  • protecting against reasonably anticipated, impermissible uses or disclosures; and
  • ensuring compliance by your workforce.


Guidance for assessing and implementing appropriate safeguards can be found at: hhs.gov/hipaa/for-professionals/security/guidance/index.html

Security Risk Analysis: To help ensure that e-PHI is secure, HIPAA requires that covered entities perform a security risk analysis and management process, including, but not limited to:

  • evaluating the likelihood and impact of potential risks to e-PHI;
  • implementing appropriate security measures to address the risks identified in the risk analysis;
  • documenting the chosen security measures; and
  • maintaining continuous, reasonable, and appropriate security protections.

The Department of Health and Human Services has provided a security risk assessment tool and resources at healthit.gov/providers-professionals/security-risk-assessment.  For additional resource, AOA Excel also provides additional HIPAA tools to help with security risk analysis and management.

Administrative Safeguards: Administrative Safeguards include, but is not limited to:

  • Security management process: A covered entity must identify and analyze potential risks to e-PHI (e.g., Security risk analysis), and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
          
  • Security personnel: A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
      
  • Information access management: Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
        
  • Workforce training and management: A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
           
  • Evaluation: A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.


Physical safeguards include:

  • Facility Access and Control: A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.

  • Workstation and Device Security: A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).

Technical safeguards include:

  • Access Control: A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).

  • Audit Controls: A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.

  • Integrity Controls: A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.

  • Transmission Security: A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

AOA Resources



HHS Resources: