  • General Rules
  • Administrative Safeguards
  • Technical Safeguards
  • Physical Safeguards

Take the lead in data protection best practices with our unified SIEM solution!

The HIPAA Security Rule compels Covered Entities (CEs) to protect patients' electronic protected health information (ePHI). This is achieved through the implementation and investment in appropriate administrative, physical, and technical safeguards. These measures work together to guarantee the confidentiality, integrity, and overall security of patients' sensitive data.

This guide discusses the general rules of the HIPAA Security Rule (found in 164.306). It also covers all aspects of the administrative safeguards (found in 164.308), physical safeguards (found in 164.310), and technical safeguards (found in 164.312).

Here's an overview of the HIPAA Security Rule:

  • Section 164.306 details specific rules that establish security requirements that CEs and their business associates are expected to follow.
  • The safeguards set standards for various aspects of security that CEs should concern themselves with. Some of these standards contain implementation specifications (both required and addressable) that help CEs adhere to that designated standard.
  • This document also outlines a "methodology" for some of the implementation specifications: defined steps that CEs can follow to implement HIPAA's security specifications.

Disclaimer: This guide cites guidance and documents about HIPAA published on the HHS website and by the U.S. Government Publishing Office.

Let's get into understanding the HIPAA Security Rule.

164.306 General rules: Summary

Section 164.306 of the HIPAA Security Rule pertains to the "Security standards: General rules." This section addresses all general requirements that CEs and business associates are expected to comply with according to the HIPAA Security Rule.

164.306(a) General Requirements:

CEs and business associates are required to:

  • Safeguard the confidentiality, integrity, and accessibility of all ePHI they generate, receive, manage, or transmit.
  • Guard against foreseeable threats or risks to the security or integrity of this information.
  • Prevent unauthorized uses or disclosures of such information, in accordance with subpart E of this regulation.
  • Ensure that their workforce complies with the requirements outlined in this section.

With a SIEM solution like ManageEngine's Log360, you can monitor the integrity of your ePHI with its File Integrity Monitoring capability. You can also track accesses to sensitive patient information through its reports and set up alerts for such events.

164.306(b) Flexibility of Approach:

  • CEs and business associates have the flexibility to practice security measures that enable them to reasonably and effectively implement the standards and specifications outlined in this subpart.
  • When choosing the security measures to implement, CEs and business associates should consider:
    • (i) The size, complexity, and capabilities of their organization.
    • (ii) Their network infrastructure, hardware, and software security capabilities.
    • (iii) The associated costs of implementing security measures.
    • (iv) The probability and impact of potential risks to ePHI.

With Log360, you can track events on your network, get notified of suspicious events, and implement automatic workflows to respond to events immediately.

164.306(c) Standards:

A CE or business associate is required to adhere to the relevant standards outlined in this section, as well as in 164.308, 164.310, 164.312, 164.314, and 164.316, concerning ePHI.

164.306(d) Implementation Specification:

(1) Implementation specifications:

  • Are classified as either required or addressable.
  • Required specifications are denoted by "(Required)" after the title.
  • Addressable specifications are denoted by "(Addressable)" after the title.

Note: (To simplify the readability of this page, we have chosen to mark Required implementation specifications in red text and Addressable Implementation specifications in purple text.)

(2) Required Implementation Specifications

CEs and business associates must implement all required specifications.

(3) Addressable Implementation Specifications

For addressable specifications, CEs and business associates must:

(i) Conduct a Risk Assessment

Evaluate each specification's suitability for their environment, considering its impact on ePHI protection.

(ii) Implementation Decision

(A) Implement if deemed reasonable and appropriate.

(B) Document Rationale

If not implemented, document why and implement a suitable alternative (if applicable).

164.306(e) Maintenance:

CEs and business associates must continually review and update security measures to ensure ongoing, reasonable, and appropriate protection of ePHI. Update documentation of such security measures in accordance with 164.316(b)(2)(iii).

Administrative safeguards:

Administrative safeguards constitute a critical framework for managing the security of ePHI. They encompass the oversight of selection, development, implementation, and maintenance of security measures while concurrently promoting the appropriate conduct of the CE's workforce in safeguarding this sensitive data.

The following clauses fall within the administrative safeguards as prescribed by HIPAA.

164.308(a)(1)(i) Security management process:

"Implement policies and procedures to prevent, detect, contain, and correct security violations."

Implication:

This standard aims to establish the administrative processes and procedures that CEs have to use to create a secure environment that complies with HIPAA's requirements.

This standard mandates four components for the security management process, defined as the following implementation specifications.

Implementation specifications

164.308(a)(1)(ii)(A) Risk analysis

“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”

Methodology:

  • Periodic assessments should be conducted to identify potential risks to the confidentiality, integrity, and availability of ePHI. This assessment should evaluate factors like:
    • The nature and volume of ePHI held by the CE.
    • The technical infrastructure involved in the storage and transmission of ePHI.
    • The existing security policies and procedures.

164.308(a)(1)(ii)(B) Risk management

"Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a)."

Methodology:

  • Design and implement a risk mitigation plan based on the risk evaluation. This plan should contain:
    • Security measures to be put into practice that will mitigate the identified risks.
    • Procedures that introduce accountability for security responsibilities by assigning these responsibilities to proper personnel.

164.308(a)(1)(ii)(C) Sanction policy

"Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity."

To reduce the occurrences of non-compliance from employees of the CEs, HIPAA requires defining reasonable sanctions on personnel who fail to comply with HIPAA laws.

Methodology

CEs and their associates are expected to create a well-defined sanction policy against workforce members that violate HIPAA's rules. The policy should detail:

  • Types of security violations that will call for disciplinary action (e.g., unauthorized access, failure to report breaches).
  • Types of potential disciplinary actions (e.g., warnings, termination).
  • Rules that ensure that employees who are flagged for violations are treated fairly, with an opportunity to explain their behavior before disciplinary action is sanctioned.

164.308(a)(1)(ii)(D) Information system activity review

“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

Methodology

Establish a process for regularly reviewing information system activity logs. This helps identify:

  • Suspicious accesses and access attempts.
  • Unauthorized activity on ePHI files and the servers holding those files.
  • Any potential security breaches.

Log360 can keep you updated on suspicious accesses, file tampering, and any potential attack patterns spotted on the network.

164.308(a)(2) Assigned security responsibility

“Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity.”

Implication:

The rule aims to create more accountability for security by assigning an employee/employees who will be operationally responsible for ensuring that the CE is consistently compliant with HIPAA.

While a single head can be deemed as having overall responsibility, other personnel can be assigned to specific security functions (e.g., network security, physical security).

164.308(a)(3) Workforce security

“Implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to ePHI.”

Implication:

This standard mandates that CEs should create policies and procedures to ensure that ePHI is accessed only by authorized individuals. To comply, organizations are asked to follow a least privilege policy for ePHI access. The workforce security measures should be designed to prevent unauthorized access, detect security violations, and enforce security policies.

Implementation Specifications:

164.308(a)(3)(ii)(A) Authorization and/or Supervision

“Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.”

CEs should establish a process to determine what access and how much access an employee should have based on their job roles. This includes granting additional access permissions when needed and ensuring that access is revoked when no longer needed.

164.308(a)(3)(ii)(B) Workforce clearance procedure

"Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate."

CEs should have a background verification process in place to check qualifications of workforce members who will be allowed to access the ePHI. This can ensure that only trusted personnel with reliable skills and proper clearances can access patient information.

164.308(a)(3)(ii)(C) Termination procedures

"Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends, or as required by determinations made as specified in paragraph (a)(3)(ii)(B) [the Workforce Clearance Procedure] of this section.”

CEs should define a proper termination process that revokes the access of workforce members to ePHI when their tenure with the organization ends. This includes denying access to ePHI and disabling their accounts.

The above standard helps organizations define a clear process for handling the privileges workforce members are given for accessing ePHI. This helps CEs limit data exposures that could be caused by their workforce.

164.308(a)(4) Information access management

“Implement policies and procedures for authorizing access to electronic protected health information."

Methodology:

CEs must implement procedures that monitor access to ePHI by their workforce members (employees, contractors, etc.) and other entities.

164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions

"If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization."

Implication:

Health care clearinghouses process large volumes of ePHI from healthcare providers. When these clearinghouses are part of a multi-functional organization, the data and processes applicable to them should be isolated from the other functions and personnel of the organization.

164.308(a)(4)(ii)(B) Access authorization

“Implement policies and procedures for granting access to ePHI information, for example, through access to a workstation, transaction, program, process, or other mechanism.”

Implication:

This clause does not mandate, but does recommend, that CEs establish a process to determine who can access ePHI and how much access they have.

Methodology (not HIPAA prescribed):

Some ways to do this:

  • Create an inventory of all electronic systems or databases that store or process ePHI.
  • Establish access control methods for accessing the ePHI. These could include:
    • Using unique user IDs and passwords for each authorized user.
    • Providing just enough access based on an employee's role and job requirements (need-to-know principle).
    • Enforcing additional verification factors beyond just a username and password for high-risk access attempts.
    • Establishing a process and personnel (or technology) for requesting, reviewing, and approving access to ePHI.

164.308(a)(4)(ii)(C) Access establishment and modification

“Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process."

Implication:

This is an important safeguard that focuses on defining a process for providing, reviewing, and revoking access rights to ePHI held by the organization.

Methodology:

Some ways to do this (not HIPAA prescribed):

  • Set up a process to review and modify user privileges for accessing workstations, programs, transactions, or any other mechanism that deals with ePHI.
  • Outline the process for requesting access and what factors should be looked at when approving access requests.
  • Consider utilizing automated tools for efficient user provisioning and de-provisioning.

164.308(a)(5) Security Awareness and Training

"Implement a security awareness and training program for all members of its workforce."

Implication:

This standard enforces the need for workforce members at CEs to understand the HIPAA Security Rule, along with the importance of protecting sensitive patient information. This can include training sessions, phishing simulations, email reminders, or security posters on existing, new, and updated security practices.

Implementation specification

164.308(a)(5)(ii)(A) Security reminders

"Periodic security updates."

Implication:

CEs should look at how to effectively remind the workforce of security policies and practices they must follow and then decide whether these practices are reasonable and appropriate, or if other forms of security reminders are needed.

164.308(a)(5)(ii)(B) Protection from malicious software

"Procedures for guarding against, detecting, and reporting malicious software."

Implication:

Malicious software is frequently brought into an organization through careless downloading practices through email and other sites on the internet. The Security Awareness and Training standard addresses the need for employees to be trained to identify suspicious emails that could contain malicious software. The security awareness training must be a continuous process for all organizations governed by HIPAA.

Log360 uses a rule-based correlation mechanism and behavioral analytics to detect malware and prevent it from spreading through the network.

164.308(a)(5)(ii)(C) Log-in monitoring

"Procedures for monitoring log-in attempts and reporting discrepancies."

Implication:

CEs can show great commitment to HIPAA rules if they monitor suspicious logins, such as a user trying multiple combinations of usernames and/or passwords to gain access to critical systems. It is a recommended practice for organizations to audit these events for further investigation.

A good way to track suspicious login activity is to invest in a SIEM solution. A SIEM solution like Log360 can help you keep a record of all login activity and also create alerts for logins that are considered suspicious.

Log360 provides extensive reports on logins and logoffs of users and devices on the network. Additionally, its UEBA mechanism can alert you to suspicious logins that could signal insider threats.
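The activity review under 164.308(a)(1)(ii)(D) and the log-in monitoring above both come down to reading login records and flagging discrepancies. The following is an added example, not code from the original page or from Log360: it parses constructed login records (the field layout is an assumption) and reports failure bursts, a success right after a burst, one source failing against many accounts, and after-hours successes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login records (not real data). The field layout is an
# assumption made for this example; map your own audit-log format onto it.
SAMPLE_LOG = """\
2024-05-01T08:00:01 user=jdoe ws=EHR-WS07 src=10.20.1.15 result=SUCCESS
2024-05-01T08:02:10 user=rlee ws=EHR-WS12 src=10.20.1.40 result=FAIL
2024-05-01T08:02:14 user=rlee ws=EHR-WS12 src=10.20.1.40 result=FAIL
2024-05-01T08:02:19 user=rlee ws=EHR-WS12 src=10.20.1.40 result=FAIL
2024-05-01T08:02:25 user=rlee ws=EHR-WS12 src=10.20.1.40 result=FAIL
2024-05-01T08:02:31 user=rlee ws=EHR-WS12 src=10.20.1.40 result=FAIL
2024-05-01T08:02:40 user=rlee ws=EHR-WS12 src=10.20.1.40 result=SUCCESS
2024-05-01T08:15:00 user=admin ws=EHR-WS12 src=10.20.1.40 result=FAIL
2024-05-01T08:15:05 user=svc_backup ws=EHR-WS12 src=10.20.1.40 result=FAIL
2024-05-01T08:15:09 user=kpatel ws=EHR-WS12 src=10.20.1.40 result=FAIL
2024-05-01T08:15:12 user=mwong ws=EHR-WS12 src=10.20.1.40 result=FAIL
2024-05-01T22:30:00 user=jdoe ws=EHR-WS07 src=10.20.1.15 result=SUCCESS
garbage line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ws=(?P<ws>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_discrepancies(events, max_failures=5, window=timedelta(minutes=5),
                       spray_users=4, business_hours=(7, 19)):
    """Return review findings, each a dict with kind, subject and timestamp."""
    findings = []
    fails_by_user = defaultdict(deque)   # user -> timestamps of recent failures
    fails_by_src = defaultdict(deque)    # src  -> (timestamp, user) of recent failures
    burst_users = set()                  # users currently inside a failure burst
    sprayed_sources = set()              # sources already reported for spraying

    def trim(q, now, key=lambda item: item):
        # Drop entries older than the sliding window.
        while q and now - key(q[0]) > window:
            q.popleft()

    for e in events:
        ts, user, src = e["ts"], e["user"], e["src"]
        if e["result"] == "FAIL":
            uq = fails_by_user[user]
            uq.append(ts)
            trim(uq, ts)
            if len(uq) == max_failures:      # report once when the threshold is hit
                burst_users.add(user)
                findings.append({"kind": "failed_login_burst", "subject": user, "ts": ts})
            sq = fails_by_src[src]
            sq.append((ts, user))
            trim(sq, ts, key=lambda item: item[0])
            if len({u for _, u in sq}) >= spray_users and src not in sprayed_sources:
                sprayed_sources.add(src)
                findings.append({"kind": "spray_from_source", "subject": src, "ts": ts})
        else:
            uq = fails_by_user[user]
            # A success shortly after a burst is the case most worth a human look.
            if user in burst_users and uq and ts - uq[-1] <= window:
                burst_users.discard(user)
                findings.append({"kind": "success_after_burst", "subject": user, "ts": ts})
            start, end = business_hours
            if not (start <= ts.hour < end):
                findings.append({"kind": "after_hours_success", "subject": user, "ts": ts})
    return findings


def review(text=SAMPLE_LOG):
    return find_discrepancies(parse_log(text))


if __name__ == "__main__":
    for f in review():
        print(f"{f['ts'].isoformat()}  {f['kind']:22}  {f['subject']}")
```

Thresholds and business hours are parameters so they can be set from the CE's own risk analysis rather than hard-coded.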

164.308(a)(5)(ii)(D) Password management

"Procedures for creating, changing, and safeguarding passwords."

Implication:

Organizations designated as CEs must train their workforce members on setting strong passwords that guard their accounts. The organization must also define a strong password policy that allows users to only create strong passwords. Furthermore, the password policy should automatically push users to change their passwords periodically.

164.308(a)(6) Security incident procedures

"Implement policies and procedures to address security incidents."

Implication:

HIPAA's Security Rule defines a security incident as, “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

Organizations should have security incident procedures in place that discover security incidents and investigate and resolve them thoroughly. The incident should be followed by a proper response action that resolves the incident and also ensures that similar occurrences don't happen in the future. The organization should follow proper documentation practices to record the incident, and should also maintain proper documentation of what constitutes a security incident based on factors like its risk analysis and business operations.

Implementation specification:

164.308(a)(6)(ii) Response and reporting

"Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, the harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes."

Implication:

Organizations are responsible for creating clear security incident procedures that instruct security analysts and other relevant workforce members on how to respond to security incidents. These could cover how to preserve evidence, immediate responses and mitigations, root cause analysis, and improving risk management processes based on what is learned from security incidents.

Log360 uses correlation mechanisms and behavior analytics to detect threats. The alerting mechanisms notify you of these threats for further investigation. The response mechanism enables you to create predefined workflows that act as first responses to a security incident. The solution also provides several predefined reports that help you track all activity happening on your network.

164.308(a)(7) Contingency plan

"Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information."

Implication:

This standard refers to the requirement for CEs to have a contingency plan. The contingency plan must lay out procedures to respond to emergencies that could be destructive to systems holding ePHI, such as major power outages, natural calamities, system crashes, hardware failures, and data breaches.

Implementation specification:

164.308(a)(7)(ii)(A) Data Backup Plan:

"Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information."

Methodology:

  • Create and maintain backup copies of ePHI and define who can retrieve these. This can be done through scheduled backups of data periodically to secure cloud storage solutions.
  • It's important to specify how frequently data backups should happen along with data retention periods. Conduct tests to ensure backups can be restored properly in case of an emergency.

164.308(a)(7)(ii)(B) Disaster Recovery Plan

"Establish (and implement as needed) procedures to restore any loss of data."

Implication:

This specification mandates that CEs (healthcare providers, health plans, etc.) have procedures to restore ePHI in case of disasters. This ensures continued access to critical patient data during emergencies.

164.308(a)(7)(ii)(C) Emergency mode operation plan

“Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode."

Methodology

The goal is to ensure critical business processes continue functioning in emergency situations, while still protecting the security of ePHI. This means having procedures in place to:

  • Maintain access to ePHI: Implement methods to access ePHI even when primary systems are down due to the emergency. This could involve having alternative access methods to the data, like read-only replicas.
  • Restrict unauthorized access: Emergency situations can create vulnerabilities. The procedures should outline steps to maintain robust security measures even under duress. This might include implementing stricter access controls during emergencies, like three-step verification for authentication.

164.308(a)(7)(ii)(D) Testing and revision procedures

"Implement procedures for periodic testing and revision of contingency plans."

The rule addresses the importance of conducting regular tests and revisions to contingency plans. This ensures your plan stays relevant and effective in safeguarding ePHI during emergencies.

Methodology:

Conduct periodic tests simulating emergency scenarios. Evaluate the plan's effectiveness in:

  • Maintaining critical business processes for ePHI security.
  • Enabling continued data access through backups or alternative methods.

164.308(a)(7)(ii)(E) Application and data criticality analysis

"Assess the relative criticality of specific applications and data in support of other contingency plan components."

Implication and methodology:

This implementation specification helps CEs to prioritize their data to be backed up, and plan their disaster recovery measures by identifying their critical software applications involved with the storage and handling of ePHI.

Creating a prioritized list of specific applications and data will aid in determining the restoration sequence for applications or information systems, identifying those that must be restored first and/or maintained with continuous availability.

164.308(a)(8) Evaluation

"Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule]."

Implication:

The goal of the evaluation is to help CEs ensure they have appropriate security measures in place as required by the Security Rule. Initially, this involves assessing the security standards they've implemented. Regular follow-up evaluations are needed to address any changes that might affect the security of ePHI. These ongoing evaluations, which should occur annually or every two years, cover both technical and non-technical aspects of the security program.

164.308(b)(1) Business associate contracts and other arrangements:

“A covered entity, in accordance with 164.306 [the Security Standards: General Rules], may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with 164.314(a) [the Organizational Requirements] that the business associate will appropriately safeguard the information."

Implication:

CEs must create contracts with individuals and entities who are considered business associates under 160.103. This is like the Privacy Rule's Business Associate Contract standard but focuses on those handling electronic protected health information. The CEs need assurances from these business associates that they will properly safeguard ePHI.

Implementation Specification

164.308(b)(4) Written contract or other arrangement

"Document the satisfactory assurances required by paragraph (b)(1) [the Business Associate Contracts and Other Arrangements] of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of 164.314(a) [the Organizational Requirements].”

Implication

Ensure compliance with paragraph (b)(1) concerning Business Associate Contracts and Other Arrangements by establishing satisfactory assurances through a written contract or alternative agreement with the business associate. This contract or arrangement must fulfill the relevant requirements outlined in 164.314(a) pertaining to Organizational Requirements.

HIPAA Technical safeguards:

The Security Rule doesn't mandate specific technology solutions. It provides examples of security measures and technological capabilities to illustrate standards and implementation specifications that can greatly improve how ePHI is protected. However, CEs can choose what security tools and capabilities they invest in. They must decide on reasonable and appropriate security measures based on their organization's size, network complexity, and risk management processes.

164.312(a)(1) Access control

“Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4)[Information Access Management].”

Implication:

Various access control methods and technical controls exist in information systems, but the Security Rule doesn't specify which ones to use. The rule does specify that access controls should be rationed out to match the role and responsibilities of each workforce member.

The access control standard defines four implementation specifications.

Implementation specifications:

164.312(a)(2)(i) Unique user identification

"Assign a unique name and/or number for identifying and tracking user identity."

Implication:

Each user accessing the system must have a unique identifier, like a username or employee ID. This allows for tracking user activity and accountability.

164.312(a)(2)(ii) Emergency access procedure

"Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”

Implication:

A process needs to be established for granting access in emergency situations where standard procedures might be bypassed. This access should be strictly monitored and documented.

164.312(a)(2)(iii) Automatic logoff:

"Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity."

Implication:

If the risk of unauthorized access due to inactive user sessions is significant, then implementing automatic logoff is an important safeguard. However, if the risk is low (e.g., a standalone computer in a secure location), alternative security measures might be sufficient.
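One way to implement automatic logoff as an addressable specification, added here as an example and not code from the original page or from Log360: idle timeouts are chosen per workstation risk class (the class names and timeout values are assumptions), a class whose risk analysis found automatic logoff unnecessary is exempted explicitly, and every automatic logoff produces an audit record.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Idle timeout per workstation risk class (assumed values for this example).
# None means the risk analysis concluded automatic logoff is not reasonable and
# appropriate there and a documented alternative safeguard applies instead.
IDLE_TIMEOUTS = {
    "shared_clinical": timedelta(minutes=2),
    "office": timedelta(minutes=15),
    "secured_standalone": None,
}


@dataclass
class Session:
    session_id: int
    user: str
    workstation: str
    risk_class: str
    last_activity: datetime


class SessionManager:
    def __init__(self, timeouts=IDLE_TIMEOUTS):
        self.timeouts = timeouts
        self.sessions = {}
        self.audit = []          # logoff records for the audit-controls review
        self._next_id = 1

    def login(self, user, workstation, risk_class, now):
        if risk_class not in self.timeouts:
            raise ValueError(f"unknown risk class {risk_class!r}")
        sid = self._next_id
        self._next_id += 1
        self.sessions[sid] = Session(sid, user, workstation, risk_class, now)
        return sid

    def touch(self, session_id, now):
        """Record user activity. Returns False if the session is gone or was already
        idle past its timeout, so a late request cannot silently revive it."""
        s = self.sessions.get(session_id)
        if s is None:
            return False
        if self._expired(s, now):
            self._terminate(s, now)
            return False
        s.last_activity = now
        return True

    def reap(self, now):
        """Terminate every session idle past its timeout; returns the terminated ids."""
        ended = []
        for s in list(self.sessions.values()):
            if self._expired(s, now):
                self._terminate(s, now)
                ended.append(s.session_id)
        return ended

    def active_users(self):
        return sorted(s.user for s in self.sessions.values())

    def _expired(self, s, now):
        timeout = self.timeouts[s.risk_class]
        return timeout is not None and now - s.last_activity >= timeout

    def _terminate(self, s, now):
        self.audit.append({"event": "auto_logoff", "user": s.user,
                           "workstation": s.workstation,
                           "idle_for": now - s.last_activity, "ts": now})
        del self.sessions[s.session_id]


def demo():
    t0 = datetime(2024, 5, 1, 9, 0, 0)   # constructed timeline
    mgr = SessionManager()
    nurse = mgr.login("rlee", "EHR-WS12", "shared_clinical", t0)
    coder = mgr.login("jdoe", "BILL-WS03", "office", t0)
    mgr.login("kpatel", "LAB-STANDALONE", "secured_standalone", t0)
    mgr.touch(coder, t0 + timedelta(minutes=1))
    return {
        "ended_at_3min": mgr.reap(t0 + timedelta(minutes=3)),        # only the shared workstation
        "late_touch_accepted": mgr.touch(coder, t0 + timedelta(minutes=17)),
        "ended_at_60min": mgr.reap(t0 + timedelta(minutes=60)),      # exempt class never expires
        "still_active": mgr.active_users(),
        "auto_logoffs": len(mgr.audit),
    }


if __name__ == "__main__":
    print(demo())
```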

164.312(a)(2)(iv) Encryption and decryption:

"Implement a mechanism to encrypt and decrypt ePHI information."

Implication:

Encryption is a way of converting regular text into coded text using an algorithm. If information is encrypted, it's unlikely that anyone without the decryption key or access to a confidential process could decode and understand the text.

164.312(b) Audit controls

"Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."

Implication:

This regulation mandates implementing mechanisms (hardware, software, or procedural) to record and review activity logs in systems that store or use ePHI. These logs track various user actions, including:

  • Login and logout attempts
  • Accessing, modifying, or deleting ePHI
  • System configuration changes

CEs must establish procedures to regularly review the captured audit logs. This helps identify suspicious activity or potential security breaches. There are no specific timeframes mandated by HIPAA, but reviews should be conducted at intervals appropriate to your risk assessment.

164.312(c)(1) Integrity

"Implement policies and procedures to protect electronic protected health information from improper alteration or destruction."

Implication:

Changing or damaging ePHI can cause problems for CEs, affecting patient safety. This can happen due to human errors, technical issues, or electronic failures. The standard aims to protect ePHI from any compromise, no matter how it occurs.

Implementation specification:

164.312(c)(2) Mechanism to authenticate electronic protected health information

"Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner."

Methodology

To protect ePHI from unauthorized alteration or destruction, a CE must assess the risks to its integrity as part of a risk analysis. After identifying these risks, the entity then determines security measures to lower them.

164.312(d) Person or entity authentication

"Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed."

Implication:

Authentication confirms a person's identity before granting access to ePHI. Most CEs use passwords or PINs for authentication. While passwords are the most common identity verifier because they are easy to set up, entities may consider other authentication methods like OTPs, fingerprints, etc.

164.312(e)(1) Transmission security

"Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network."

Implication:

To comply with this standard, CEs need to assess how they currently transmit ePHI. They should check if ePHI is sent via email, over the Internet, or through private networks. Once they understand their transmission methods, they can choose suitable ways to safeguard ePHI during transmission.

Implementation specifications:

164.312(e)(2)(i) Integrity controls:

"Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of."

Methodology:

Network protocols are a key way to maintain the integrity of ePHI during transmission. These protocols mainly ensure that the sent data matches the received data. Additionally, there are other security measures like data authentication codes that CEs may also consider for safeguarding ePHI during electronic transmission.
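The "data authentication codes" mentioned above, and the mechanism to authenticate ePHI under 164.312(c)(2), can both be met with a keyed message authentication code. The following is an added example, not code from the original page or from Log360: each record is canonicalized and tagged with HMAC-SHA256 when stored or sent, and a batch review later reports any record whose content no longer matches its tag (the records and key are constructed for the example).

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key lives in a KMS or HSM and is
# never stored beside the records, otherwise whoever alters a record can re-tag it.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def canonical_bytes(record):
    """Serialize a record so that identical content always yields identical bytes.
    Sorted keys and fixed separators make the tag independent of field order and
    whitespace, which matters when records cross systems or are re-serialized."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def seal_record(record, key):
    """Attach an HMAC-SHA256 tag (a keyed data authentication code) to a record.
    Unlike a plain hash, the tag cannot be recomputed by someone without the key."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": dict(record), "tag": tag}


def verify_record(sealed, key):
    """True if the record still matches its tag; compare_digest avoids timing leaks."""
    expected = hmac.new(key, canonical_bytes(sealed["record"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def review_batch(sealed_records, key):
    """Integrity review over a batch: ids of records that fail verification."""
    return [s["record"]["patient_id"] for s in sealed_records
            if not verify_record(s, key)]


def demo():
    # Constructed sample ePHI records (not real patients).
    records = [
        {"patient_id": "P-0001", "test": "HbA1c", "value": "7.2", "unit": "%"},
        {"patient_id": "P-0002", "test": "INR", "value": "2.5", "unit": "ratio"},
        {"patient_id": "P-0003", "test": "Potassium", "value": "4.1", "unit": "mmol/L"},
    ]
    sealed = [seal_record(r, DEMO_KEY) for r in records]

    # Simulate an unauthorized alteration of one result after it was sealed.
    sealed[1]["record"]["value"] = "1.0"

    # The same record received with its fields in a different order still verifies,
    # because the tag is computed over the canonical form.
    reordered = {"unit": "%", "value": "7.2", "test": "HbA1c", "patient_id": "P-0001"}
    reordered_ok = verify_record({"record": reordered, "tag": sealed[0]["tag"]}, DEMO_KEY)

    return {"failed": review_batch(sealed, DEMO_KEY), "reordered_ok": reordered_ok}


if __name__ == "__main__":
    print(demo())
```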

164.312(e)(2)(ii) Encryption:

"Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate."

Methodology:

Encryption needs careful consideration to succeed. Both sender and receiver must use compatible encryption technology during data transmission. As there is no one-size-fits-all encryption for open networks like the internet, the Security Rule gives CEs flexibility on when and how to encrypt data, avoiding undue financial and technical burdens.

HIPAA Physical Safeguards:

When assessing and applying HIPAA-recommended security standards, a CE needs to account for all physical entry points to ePHI. This includes enforcing physical security standards at locations beyond the office, such as the homes of workforce members or other physical sites where ePHI is accessed.

164.310(a)(1) Facility access controls:

"Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed."

Implication:

Policies and procedures created and put into action should address authorized and unauthorized physical access to electronic information system facilities. These policies identify individuals with authorized access, such as workforce members, business associates, and contractors, by their titles or job functions.

Implementation specifications:

164.310(a)(2)(i) Contingency operations:

"Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency."

Implication:

Contingency operations are activated during disasters or emergencies. Access controls during these operations vary greatly among entities. It is important to continue to maintain strict access controls to locations where ePHI is stored. Organizations can scale the physical security applied to critical locations to the size of their staff.

164.310(a)(2)(ii) Facility security plan

"Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft."

Implication:

Facility security plans should detail the implementation of physical access controls. These controls are crucial to restrict access to facilities and equipment holding ePHI to authorized individuals only. Additionally, procedures should be in place to prevent tampering and theft of ePHI and related equipment. There should also be a periodic review of facility security plans to ensure that new findings from risk analyses can also be dealt with.

164.310(a)(2)(iii) Access control and validation procedures:

"Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision."

Implication:

This specification requires CEs to match a person's access to information with their role or function within the organization. These role-based access control and validation procedures should closely match the facility security plan. The procedures should determine which workforce members or other individuals may access specific areas within the facility based on their roles.

164.310(a)(2)(iv) Maintenance records

"Implement policies and procedures to document repairs and modifications to the physical components of a facility, which are related to security (for example, hardware, walls, doors, and locks)."

Implication:

This implementation specification requires CEs to document repairs and changes to their physical spaces, especially those spaces involved in holding ePHI. For example, common physical security changes include re-keying door locks or changing door combinations, especially when a workforce member is terminated.

164.310(b) Workstation Use:

"Implement policies and procedures that specify proper functions to be performed, the manner in which those functions should be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI."

Implication:

The goal of the standard is to minimize the risk of unauthorized access to ePHI by regulating how workstations are used. This includes defining authorized functions and positioning workstations to limit unauthorized viewing of screens by passersby. The Workstation Use standard also addresses CEs with workforce members who use workstations outside the main site to access ePHI. This includes employees working from home, in satellite offices, or at another facility.

164.310(c) Workstation security

"Implement physical safeguards for all workstations that access electronic protected health information to restrict access to authorized users."

Implication:

HIPAA recommends that workstations be secured to desks using cables or mounts to prevent theft or tampering. Additionally, access to rooms containing workstations with ePHI access may be restricted using key cards, access codes, or security guards.

164.310(d)(1) Device and media controls

"Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility."

Implication:

CEs are expected to:

  • Develop and implement policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI, both entering and leaving the facility, as well as their movement within the facility.
  • Ensure that policies and procedures specify the types of hardware and electronic media that require tracking.
  • Identify all types of hardware and electronic media that need tracking, such as hard drives, magnetic tapes or disks, optical disks, or digital memory cards.

There are four implementation specifications for this standard.

Implementation specifications:

164.310(d)(2)(i) Disposal:

"Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored."

Methodology:

CEs must have policies and procedures in place for properly disposing of electronic devices and media storing ePHI. This ensures that any remaining ePHI data is completely removed before the device or media is discarded or reused. Common disposal methods include:

  1. Physical destruction: Use techniques like degaussing (for hard drives) or shredding (for paper or media) to make the data unrecoverable.
  2. Overwriting: Utilize software tools to overwrite the storage media multiple times with random data, making it very difficult to retrieve the original ePHI.
  3. Encryption: Apply strong encryption to safeguard any residual data if devices are reused.
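The overwriting method from the list above, as an added example that is not from the original guide: a small sanitization routine that overwrites a file's bytes with random data for several passes, forces the writes to disk, and then checks that a constructed ePHI marker is no longer readable. The file contents and pass count are constructed for the demonstration.

```python
"""Added example (not part of the original guide): in-place overwrite of a
file that held ePHI, followed by a verification read. Sample contents are
constructed. Caveat: in-place overwriting is only meaningful for magnetic
media; flash/SSD wear levelling can leave old blocks behind, so those need
firmware secure-erase, crypto-erase or physical destruction instead."""
import os
import secrets
import tempfile

PASSES = 3          # constructed pass count for the demo
CHUNK = 1 << 16     # 64 KiB write chunks


def overwrite_file(path: str, passes: int = PASSES) -> int:
    """Overwrite every byte of the file `passes` times with random data.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = secrets.token_bytes(min(remaining, CHUNK))
                fh.write(chunk)
                remaining -= len(chunk)
            fh.flush()
            os.fsync(fh.fileno())   # push the pass to the device, not just the cache
    return size


def contains(path: str, needle: bytes) -> bool:
    """Verification step: is the marker still readable from the file?"""
    with open(path, "rb") as fh:
        return needle in fh.read()


def demo() -> tuple:
    """Returns (marker_present_before, marker_present_after)."""
    marker = b"PATIENT:P-0001"     # constructed ePHI-like marker, no real data
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dat") as tmp:
        tmp.write(marker + b";DIAG:constructed-sample-record\n" * 200)
        path = tmp.name
    before = contains(path, marker)
    overwrite_file(path)
    after = contains(path, marker)
    os.remove(path)                 # final disposition of the sanitized file
    return before, after


if __name__ == "__main__":
    print(demo())  # (True, False)
```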

164.310(d)(2)(ii) Media reuse:

"Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use."

Implication:

Organizations must have procedures for reusing electronic media that once held ePHI. It's essential to remove any remaining data before reuse to prevent unauthorized access to old ePHI. While media reuse can save costs, proper data erasure is crucial.

164.310(d)(2)(iii) Accountability:

"Maintain a record of the movements of hardware and electronic media and any person responsible therefore."

Methodology:

While not mandatory, it is highly recommended to implement accountability measures. Accountability involves tracking and monitoring the movement and usage of devices and media containing ePHI. This includes:

  • Keeping an inventory of devices and media with ePHI access.
  • Logging the movement of devices and media within the facility.
  • Assigning clear ownership or responsibility for specific devices and media.

164.310(d)(2)(iv) Data backup and storage:

"Create a retrievable, exact copy of electronic protected health information, when needed, before the movement of equipment."

Methodology:

This specification is addressable and recommends creating procedures for backing up and storing ePHI data. While not required, having a strong backup plan is crucial for disaster recovery and business continuity during emergencies. This involves:

  • Regularly backing up ePHI data to secure locations.
  • Using encryption for backed-up data to enhance security.
  • Periodically testing data backups to ensure they can be successfully restored in case of a disaster.

ManageEngine's Log360 provides reports tailored to HIPAA requirements, specifically the Security Rule, the Privacy Rule, and the Breach Notification Rule.