Safeguards Required by the HIPAA Security Rule
The HIPAA Security Rule requires covered entities to identify and analyze risks to e-PHI. As part of this process, the covered entity must reduce vulnerabilities by implementing administrative, physical, and technical security measures.
Administrative safeguards include the following types of controls:
- Designated, responsible security management
- Periodic security awareness and HIPAA training for all personnel who handle e-PHI
- Periodic acknowledgment of security policies and procedures
- Security policies and procedures with sanctions for workforce violations
- Periodic risk assessment related to e-PHI vulnerabilities and coverage specific to the Security Rule
- Periodic assessments of internal controls and security policies and procedures, specific to coverage of the Security Rule
- Least-privilege policies and controls for physical and logical access
Physical safeguards include the following types of controls:
- Physical access to facilities and spaces where e-PHI is stored, limited based on least privilege
- Policies and procedures covering proper use and access to devices and electronic media
- Policies and procedures related to proper physical or electronic movement of e-PHI and media containing e-PHI
- Policies and procedures related to proper wiping and/or disposal of e-PHI and media containing e-PHI
Technical safeguards include the following types of controls:
- Policies and procedures covering least-privilege logical access to e-PHI
- Logging and monitoring over access and other activities in systems that contain e-PHI
- Edit checks to validate the accuracy and completeness of e-PHI
- IDS, IPS, and firewalls in place and monitored
- Periodic monitoring of firewall configurations
- Data encryption at rest and in transit
McKonly & Asbury is experienced in assisting clients in identifying and implementing the controls needed to pass a HIPAA compliance audit. Please contact us if you have questions about the process or are ready to move forward with a HIPAA assessment.
About the Author
Lynnanne joined McKonly & Asbury in 2018 and is currently a Director with the firm. She is a key member of our firm’s System and Organization Controls (SOC) Practice, preparing SOC 1, SOC 2, and SOC 3 reports for our clients. She holds the…