OFFICE OF TECHNOLOGY SERVICES

Guidelines and Standards

HIPAA Security Standards

In general, you must

  1. ensure the confidentiality, integrity, and availability of all electronic protected health information you create, receive, maintain or transmit.
  2. protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  3. protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the HIPAA Privacy Regulations.

The specifications are grouped into two sections below:

  • Required Specifications
  • "Addressable" Specifications

Electronic protected health information means individually identifiable health information that is transmitted by electronic media or maintained in electronic media; except, however, that it excludes individually identifiable health information in education records covered by FERPA; records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and employment records held by a covered entity in its role as employer.

Confidentiality means that data or information is not made available or disclosed to unauthorized persons or processes.

Integrity means that data or information have not been altered or destroyed in an unauthorized manner. 

Availability means that data or information is accessible and usable upon demand by an authorized person.

You may use any security measures that allow you to reasonably and appropriately implement the requirements of the security regulations. 

In deciding which security measures to use, you must take the following factors into account:

  1. your size, complexity, and capabilities.
  2. your technical infrastructure, hardware and software security capabilities
  3. the costs of security measures.
  4. the probability and criticality of potential risks to electronic protected health information.

The security measures must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information.

Security or security measures encompass all of the administrative, physical, and technical safeguards in an information system.

Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.

Physical safeguards are physical measures, policies and procedures to protect your electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Technical safeguards mean the technology, and the policy and procedures for its use, that protect electronic protected health information and control access to it.

Access means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

Information system means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications and people.

Required specifications

You may change the policies and procedures you adopt to comply with these standards at any time, provided that you document and implement the changes as required by the regulations. You must maintain the policies and procedures implemented to comply with these regulations in written (which may be electronic) form for six years from the date of creation or the date when it was last in effect, whichever is later. If an action, activity or assessment is required by the regulations to be documented, you must maintain a written (which may be electronic) record of the action, activity or assessment for six years from the date of creation or the date when it was last in effect, whichever is later.

You must make documentation available to the persons responsible for implementing the procedures documented. You must review documentation periodically, and update it as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

  1. Security management process. Implement policies and procedures to prevent, detect, contain and correct security violations.
    • Risk analysis. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of your electronic protected health information.
    • Risk management. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the general requirements (first paragraph).
    • Sanction policy. Apply appropriate sanctions against workforce members who fail to comply with your security policies and procedures.
    • Information system activity review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

    Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

  2. Assigned security responsibility.  Identify the security official who is responsible for developing and implementing policies and procedures required by these security regulations.
     
  3. Workforce security. Implement policies and procedures to ensure that all members of your workforce have appropriate access to electronic protected health information, as provided under the “Information Access Management” standard, and to prevent those workforce members who do not have access under that standard from obtaining access to electronic protected health information.
     
  4. Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of the privacy regulations.
     
  5. Security awareness and training.  Implement a security awareness and training program for all members of your workforce (including management).
     
  6. Security incident procedures. Implement policies and procedures to address security incidents.
    • Response and reporting.  Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcome.

     
  7. Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
    • Data backup plan.  Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
    • Disaster recovery plan.  Establish (and implement as needed) procedures to restore any loss of data.
    • Emergency mode operation plan.  Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

     
  8. Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of the security regulations.
    • Written contract or other arrangement. Document satisfactory assurances through a written contract or other arrangement with a business associate. 

     
  9. Facility access controls. Implement policies and procedures to limit physical access to your electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
    Facility means the physical premises and the interior and exterior of a building(s).
     
  10. Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
    Workstation means an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.
     
  11. Workstation security.  Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized use.
     
  12. Device and Media Controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
    • Disposal. Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
    • Media re-use.  Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

     
  13. Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in the “Information access management” standard.
    • Unique user identification.  Assign a unique name and/or number for identifying and tracking user identity.
      User means a person or entity with authorized access.
    • Emergency access procedure.   Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

     
  14. Audit controls.  Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
     
  15. Integrity.  Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
     
  16. Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. Authentication means the corroboration that a person is the one claimed.
     
  17. Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
     
  18. Business associate contracts or other arrangements. You may permit a business associate to create, receive, maintain, or transmit electronic protected health information on your behalf only if you obtain satisfactory assurances that the business associate will appropriately safeguard the information.  This doesn’t apply with respect to: (i) your transmission of electronic protected health information to a health care provider concerning the treatment of an individual; or (ii) the transmission of electronic protected health information by a group health plan or an HMO or health insurance issuer on behalf of a group health plan to a plan sponsor.  If you violate the satisfactory assurances you provide as a business associate of another covered entity, you will be in violation of the security regulations.

    The contract or other arrangement between you and each of your business associates must meet the requirements of paragraph 1 or 2 below, as applicable. You are not in compliance with the security regulations if you knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless you took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful: (i) terminated the contract or arrangement, if feasible; or (ii) if termination is not feasible, reported the problem to the Secretary.

    1. The contract between you and a business associate must provide that the business associate will:
      1. implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by the HIPAA regulations;
      2. ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;
      3. report to the covered entity any security incident of which it becomes aware;
      4. authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.
    2. Other arrangements. When a covered entity and its business associate are both governmental entities, the covered entity is in compliance with paragraph 1 above if: (i) it enters into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph 1 above; or (ii) other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph 1 above. If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate, the covered entity may permit the business associate to create, receive, maintain, or transmit electronic protected health information on its behalf to the extent necessary to comply with the legal mandate without meeting the requirement of paragraph 1 above, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required in the first sentence of this paragraph, and documents the attempt and the reasons that these assurances cannot be obtained. The covered entity may omit from its other arrangements authorization of the termination of the contract by the covered entity if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.

“Addressable” specifications

For this group of specifications, you must assess whether each one is a reasonable and appropriate safeguard in your environment, when analyzed with reference to your electronic protected health information.  If it is reasonable and appropriate, you must implement it.  If it is not reasonable and appropriate, you must document the reason why and implement an equivalent alternative measure if reasonable and appropriate.

(Heading numbers correspond to those under the “Required Specifications” heading.)

  1. Workforce security
     
    1. Authorization and/or supervision.  Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
    2. Workforce clearance procedure.  Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
    3. Termination procedures. Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made under the workforce clearance procedure (item 2 above).

     
  2. Information access management
     
    1. Access authorization.  Implement policies and procedures for granting access to electronic protected health information, for example,  through access to a workstation, transaction, program, process or other mechanism.
    2. Access establishment and modification.  Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program or process.

     
  3. Security awareness and training
     
    1. Security reminders.  Periodic security updates.
    2. Protection from malicious software.  Procedures for guarding against, and reporting malicious software.
      Malicious software means software, for example, a virus, designed to damage or disrupt a system.
    3. Log-in monitoring.  Procedures for monitoring log-in attempts and reporting discrepancies.
    4. Password management.  Procedure for creating, changing, and safeguarding passwords.
      Password means confidential authentication information composed of a string of characters.

     
  4. Contingency plan
     
    1. Testing and revision procedures.  Implement procedures for periodic testing and revision of contingency plans.
    2. Applications and data criticality analysis.  Assess the relative criticality of specific applications and data in support of other contingency plan components.

     
  5. Facility access controls
     
    1. Contingency operations.  Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
    2. Facility security plan.  Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
    3. Access control and validation procedures. Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
    4. Maintenance records.   Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors and locks).

     
  6. Device and media controls
     
    1. Accountability.  Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
    2. Data backup and storage.  Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

     
  7. Access control
     
    1. Automatic logoff. Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
    2. Encryption and decryption.  Implement a mechanism to encrypt and decrypt electronic protected health information.
      Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

     
  8. Integrity
     
    1. Mechanism to authenticate electronic protected health information.  Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

     
  9. Transmission security
     
    1. Integrity controls.   Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
    2. Encryption.  Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Information Security Office
Office of Technology Services
Cook Library, 4
Hours: Monday - Friday, 8:30 a.m. to 4:00 p.m.
E-mail: infosec@towson.edu

- More than 600,000 laptop thefts occurred in 2003, totaling an estimated $720 million in losses. (Safeware Insurance, 2003)

© 2012 Towson University. Last Updated: Tuesday, July 03, 2007