HIPAA Safeguards

The U.S. Department of Health and Human Services regulates compliance with these rules, which include the HIPAA Security Rule. As technology and the methods of sharing information keep advancing, keeping electronic protected health information (ePHI) safe and secure must remain a top priority.

The Security Rule specifies three “safeguards” that covered entities must satisfy for full compliance. Below we give the HIPAA Security Rule’s definition of each safeguard, followed by further explanation.

Administrative Safeguards

Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information.

The HIPAA Security Rule’s Administrative Safeguards focus on your organization’s internal security measures, ensuring you create a durable security foundation to best protect your patients’ information. According to the rule, there are ten subsets of Administrative safeguards that covered entities need to be aware of:

  • Security Management Process (45 CFR 164.308(a)(1)(i))
  • Security Risk Analysis (45 CFR 164.308(a)(1)(ii)(A))
  • Assigned Security Responsibility (45 CFR 164.308(a)(2))
  • Workforce Security (45 CFR 164.308(a)(3)(i))
  • Information Access Management (45 CFR 164.308(a)(4)(ii)(A))
  • Security Incident Procedures (45 CFR 164.308(a)(6))
  • Security Awareness Training (45 CFR 164.308(a)(5)(i))
  • Contingency Plan (45 CFR 164.308(a)(7)(i))
  • Protection from Malicious Software (45 CFR 164.308(a)(5)(ii)(B))
  • Evaluation

For further information on the above components and the entirety of HIPAA’s Administrative Safeguards, see Part 1 of our four-part safeguards blog series.

Physical Safeguards

Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.

Physical Safeguards under the HIPAA Security Rule aim to protect the physical facilities of your covered entity. In addition, this safeguard details the policies and procedures governing the use of workstations (i.e., computers) and devices.

  • Facility Access Controls (§ 164.310(a)(1))
    • Contingency Operations (§ 164.310(a)(2)(i))
    • Facility Security Plan (§ 164.310(a)(2)(ii))
    • Access Control and Validation Procedures (§ 164.310(a)(2)(iii))
    • Maintenance Records (§ 164.310(a)(2)(iv))
  • Workstation Use (§ 164.310(c))
  • Workstation Security (§ 164.310(c))
  • Device and Media Controls (§ 164.310(d)(1))

Technical Safeguards

Technical safeguards means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.

Under the HIPAA Security Rule’s Technical Safeguards, the protection of ePHI is detailed in four main areas: access controls, audit controls, integrity controls, and transmission security.

  • Access Control (§ 164.312 (a)(1))
    • Unique User Identification (§ 164.312 (a)(1)(r))
    • Emergency Access Procedure (§ 164.312 (a)(1)(r))
    • Automatic Logoff (§ 164.312 (a)(1)(a))
    • Encryption and Decryption (§ 164.312 (a)(1)(a))
  • Audit Controls (§ 164.312(b))
  • Integrity (§ 164.312(c)(1))
    • Person or Entity Authentication (§ 164.312(d))
  • Transmission Security (§ 164.312(e)(1))
    • Integrity Controls (§ 164.312(e)(1)(a))
    • Encryption (§ 164.312(e)(1)(a))