
HIPAA: Security Rule

Security Rule [45 CFR 164.302-318]

Rule: Covered entities and business associates must implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI).

Implementation Specifications

Type             Meaning
Required (R)     Must be implemented
Addressable (A)  Assess and implement if reasonable; if not, document why and implement an alternative

Administrative Safeguards [§164.308]

Safeguard                           Type  Requirement
Risk analysis                       R     Conduct thorough assessment of ePHI risks
Risk management                     R     Implement measures to reduce risks
Sanction policy                     R     Discipline workforce for violations
Information system activity review  R     Review audit logs, access reports
Assigned security responsibility    R     Designate security official
Workforce security                  A     Ensure appropriate access
Security awareness training         A     Train all workforce members
Security incident procedures        R     Identify and respond to incidents
Contingency plan                    R     Data backup, disaster recovery, emergency mode
Evaluation                          R     Periodic technical/nontechnical evaluation
Business associate contracts        R     Written BAAs required

Physical Safeguards [§164.310]

Safeguard                  Type  Requirement
Facility access controls   A     Limit physical access to ePHI systems
Workstation use            R     Specify proper workstation use
Workstation security       R     Physical safeguards for workstations
Device and media controls  R     Policies for hardware and media

Technical Safeguards [§164.312]

Safeguard              Type  Requirement
Access control         R     Unique user IDs, emergency access
Automatic logoff       A     Terminate sessions after inactivity
Encryption             A     Encrypt ePHI at rest
Audit controls         R     Record and examine access
Integrity              A     Protect ePHI from improper alteration
Authentication         R     Verify identity of users
Transmission security  A     Protect ePHI in transit

Risk Analysis Requirements

Must identify and assess:

  1. All ePHI created, received, maintained, or transmitted
  2. External sources of ePHI
  3. Potential threats and vulnerabilities
  4. Current security measures
  5. Likelihood of threat occurrence
  6. Potential impact of breach
  7. Risk level determination

Documentation Requirements

  • Policies and procedures must be written
  • Retain for 6 years from creation or last effective date
  • Make available to those responsible for implementation
  • Review and update periodically

Citation

45 CFR Part 164 Subpart C — Security Standards

Contains public sector information licensed under the Open Government Licence v3.0 where applicable. This is not legal advice. Always refer to official sources for authoritative text.
