Understanding HIPAA Privacy and Security – Part III
In the first and second parts of this article, we explored the privacy and security aspects of the Health Insurance Portability and Accountability Act (HIPAA). We delved into the security rule and its three types of security safeguards, namely administrative, physical and technical safeguards. Of the three, we looked at the administrative safeguards and their required and addressable implementation specifications. In this third and final part, we examine the physical and technical safeguards of the security rule.
The physical safeguards of the HIPAA/HITECH act deal with the policies and procedures that must be adopted and implemented to control physical access to systems and devices containing health information, and to the facilities housing electronic records.
Utmost care must be taken when introducing hardware and software that handles Protected Health Information (PHI) to the network, and when removing it. Equipment that is about to be retired must be disposed of properly so that the PHI it contains is not compromised.
● Ensure that access to equipment containing health information is controlled and monitored.
● Ensure that those who access hardware and software are properly authenticated individuals.
● Implement facility security plans, maintenance records, and visitor sign-in and escort procedures within system centres that contain protected health information.
● Ensure that workstations are not located in high-traffic areas and that monitor screens are not in direct view of the public.
● Covered entities that use the services of contractors and agents must ensure that those contractors and agents are fully trained and aware of their responsibilities.
In the Physical Safeguards category there are eight Implementation Specifications. Of the eight, two are required and six are addressable. For instance, it is required that all data and images be removed from CDs and DVDs prior to reuse.
The technical safeguards deal with the measures that must be implemented when transmitting health information electronically over open networks, so that the information does not fall into the wrong hands.
● When transmitting information over open networks, encryption must be applied as set out in the standards. If the information flows only over closed networks, the existing access controls may be sufficient.
● Covered entities must take all possible measures to ensure data integrity; these include digital signatures, checksums, message authentication, and double keying.
● Implement procedures to authenticate that the entity accessing the electronic records is the one it claims to be. Such procedures include token systems, password systems, telephone callback, and two- or three-way handshakes.
● Document all policies implemented and practices followed for HIPAA compliance; this documentation must be made available to compliance auditors when required.
Of the seven Implementation Specifications in this category, two are required and five are addressable. For instance, it is required that every individual who accesses the computer system has a unique user identification name.
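The integrity measures listed above (checksums and message authentication) as an added example that is not part of the original article: it attaches an HMAC-SHA256 message authentication code to a constructed, fictional ePHI record and contrasts it with a plain CRC32 checksum, which a modifying party can simply recompute. The JSON envelope, the placeholder key and the record fields are assumptions made for the example.

```python
import hmac
import hashlib
import json
import zlib

# Constructed placeholder key; in practice it comes from a key store, never from source code.
SHARED_KEY = bytes.fromhex("00" * 32)

def canonical(record: dict) -> bytes:
    """Serialise deterministically so sender and receiver authenticate the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def protect(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag (a message authentication code) to the record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def verify(envelope: dict, key: bytes) -> bool:
    """Recompute the tag and compare in constant time; False if the record or key differs."""
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])

def checksum_protect(record: dict) -> dict:
    """Plain CRC32: catches accidental corruption only, because anyone can recompute it."""
    return {"record": record, "crc": zlib.crc32(canonical(record))}

def checksum_verify(envelope: dict) -> bool:
    return zlib.crc32(canonical(envelope["record"])) == envelope["crc"]

# Constructed sample ePHI record for a fictional patient.
SAMPLE = {"mrn": "TEST-0001", "patient": "Jane Doe", "allergies": ["penicillin"]}

def demo() -> dict:
    """Outcomes a receiver sees for intact, modified and wrong-key records."""
    env = protect(SAMPLE, SHARED_KEY)
    modified = dict(SAMPLE, allergies=[])  # record altered in transit, tag left as sent
    tampered_env = {"record": modified, "tag": env["tag"]}
    # With an unkeyed checksum the modifying party recomputes the CRC and the check still passes.
    crc_recomputed = checksum_protect(modified)
    return {
        "mac_intact": verify(env, SHARED_KEY),
        "mac_modified": verify(tampered_env, SHARED_KEY),
        "mac_wrong_key": verify(env, b"\x01" * 32),
        "crc_intact": checksum_verify(checksum_protect(SAMPLE)),
        "crc_modified_recomputed": checksum_verify(crc_recomputed),
    }

if __name__ == "__main__":
    print(demo())
```

Only the keyed tag fails on the altered record; the checksum passes once recomputed, which is why a MAC or digital signature, not a checksum, is the control that addresses deliberate modification.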
The importance of ensuring healthcare compliance cannot be overstated; it is required to safeguard Protected Health Information.