HIPAA: Introduction to the Security Rules Lorman Education Service August 22, 2007 Tacoma,...
HIPAA: Introduction to the Security Rules
Lorman Education Service
August 22, 2007
Tacoma, Washington
Stephen D. Rose, J.D., M.B.A.
K&L Gates
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
(206) [email protected]
Presentation By:
Stephen D. Rose, J.D., M.B.A.
K&L Gates
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
(206) [email protected]
HIPAA: Introduction to the Security Rules
The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)
Signed August 21, 1996
Title II, Subtitle F—Administrative Simplification
“HIPAA”
Perspectives
Pythagorean Theorem: 24 words
Archimedes’ Principle: 67 words
The Ten Commandments: 179 words
Lincoln’s Gettysburg Address: 286 words
U.S. Declaration of Independence: 1,300 words
HIPAA Privacy: 401,034 words
. . . the square of the hypotenuse is equal to the sum of the squares of the other two sides: a² + b² = c²
HIPAA Administrative Simplification Law
HIPAA: Health Insurance Portability and Accountability Act of 1996
Title I: Insurance Portability
Title II: Administrative Simplification (Transactions, Code Sets, Identifiers, Security, Privacy, EDI); Fraud and Abuse; Medical Liability Reform
Title III: Tax Related Health Provision
Title IV: Group Health Plan Requirements
Title V: Revenue Off-sets
Effective Dates of HIPAA Rules
Privacy Rules: April 14, 2003
Security Rules: April 21, 2005
Purpose of HIPAA Provisions
Improve efficiency and effectiveness of the health care system by standardizing the electronic exchange of administrative and financial data.
Two Key Privacy Rule Goals
Provide strong Federal protections for privacy rights for health care information
Preserve (i.e., don’t interfere with) quality health care delivery
Privacy Rules vs. Security Standards
Privacy Rules focus on the rights and expectations of patients with respect to how their private medical information is handled by providers and organizations.
Security Standards provide guidance to organizations and providers on how to protect the integrity and confidentiality of medical information.
The Importance of Privacy and Security
In 2001 a Nevada woman purchased a used computer only to find that its previous owner, a drugstore, had left the pharmacy records of thousands of patients on it.
In 2000 a Florida man purchased a laptop only to discover mental health records from a local institution on it; he contacted the news media, who interviewed patients about the matter.
The Importance of Privacy and Security
In 2000 a hacker downloaded medical records, health information, and social security numbers on more than 5,000 patients at the University of Washington Medical Center. The hacker was motivated by a desire to expose the vulnerability of electronic medical records. (R. O’Harrow, "Hacker Accesses Patient Records," The Washington Post, 9 December 2000, p. E1)
The hacker claimed all the records were taken via the Internet and that the institution lacked firewalls. The intruder was able to capture user IDs and passwords by recording keystrokes.
The Importance of Privacy and Security
In 2000 a teenage girl, while visiting her mother at work, retrieved the names and phone numbers of patients who had visited the ER from a hospital computer. As a prank, she called them and told them they were pregnant or had AIDS. One victim attempted suicide.
The Importance of Privacy and Security
CD with Medical Data of 75,000 is Found
A missing CD containing confidential medical and personal information on 75,000 Empire Blue Cross and Blue Shield members was recovered Wednesday.
A spokeswoman for a managed care company that monitors payments for mental health and substance abuse cases of insurers said the company received a telephone call Wednesday morning saying that the CD was delivered by mistake to a residence in the Philadelphia area. The CD had been missing since January.
There is no way to track whether copies of the CD were made.
The Importance of Privacy and Security
In 1994, administrators of a new computerized medical record system for an HMO in Oregon were shocked to find that 141 employees had peeked at the record of a celebrity who came in to be treated for a sprained wrist.
The Importance of Privacy and Security
Most Data Breaches Traced to Company Errors
Research from the University of Washington, Seattle says that organizations are more often to blame for data security breaches than outside intruders.
The study looked at 550 data breaches that received media coverage between 1980 and 2006.
Two-thirds of the breaches could be traced to lost or stolen equipment and a variety of management or employee errors.
Less than one-third of the breaches were the work of outside attackers.
Washington State Data Breach Notification Law (RCW 19.255.010)
Businesses and individuals that own or license computerized data that includes “personal information” must notify state residents whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person.
Notice of the data breach must be sent in “the most expedient time possible and without unreasonable delay.”
Other Federal Laws
The Computer Fraud and Abuse Act (18 U.S.C. § 1030)
Penalizes intentionally accessing a computer without authorization (or exceeding authorization) and thereby causing damage.
Also contains a private right of action under 18 U.S.C. § 1030(g) designed to supplement the criminal sanctions under 18 U.S.C. § 1030(c).
Regulation Themes: Scalability/Flexibility
Covered entities can take into account: size, complexity, capabilities, technical infrastructure, cost of procedures to comply, and potential security risks.
Compliance
162.530: a Covered Entity must develop and implement policies and procedures relating to PHI designed to comply with the [HIPAA] regulations.
Compliance is mandatory.
Duty to Safeguard PHI
HIPAA requires a Covered Entity to have in place appropriate administrative, technical, and physical safeguards to protect the privacy and security of PHI.
Assigning Responsibility
Privacy Officer (45 CFR 164.530(a)(1)(i))
Designated person to receive complaints (45 CFR 164.530(a)(1)(ii))
The Security Rules
Published: February 20, 2003
Effective Date: April 21, 2003
Compliance Date: April 21, 2005 for all covered entities except small health plans.
CIA: Confidentiality, Integrity, Availability
General Requirements (164.306(a))
Confidentiality (only the right people see it)
Integrity (the information is what it is supposed to be – it hasn’t been changed)
Availability (the right people can see it when needed)
Additional Requirements of the Security Rule
Protect against any reasonably anticipated threats or hazards to the security and integrity of ePHI.
Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required.
Additional Requirements of the Security Rule
Ensure compliance by the workforce.
Investigate, mitigate, and document the resolution of any inadvertent release.
“Required” versus “Addressable”
The HIPAA Security Rule requires standard implementation through written policies and procedures.
These standards have “required” and “addressable” implementation specifications.
“Required”
Required implementation specifications are mandatory.
“Addressable”
WARNING: “addressable” does NOT mean “optional.”
If a given addressable implementation specification is determined to be reasonable and appropriate, the entity must adopt it.
“Addressable”
If a given “addressable” implementation specification is determined to be inappropriate or unreasonable, the entity may implement an alternative measure that accomplishes the same end.
This determination and its rationale must be documented.
HIPAA Security Standards
Administrative Safeguards (55%) 12 Required, 11 Addressable
Physical Safeguards (24%) 4 Required, 6 Addressable
Technical Safeguards (21%) 4 Required, 5 Addressable
Administrative Safeguards
This section is concerned with the policies, procedures, and processes relating to the “workforce,” not with the physical and technical security that is the subject of later sections.
Administrative Safeguards
Security Management Process:
Risk Analysis (R)
Risk Management (R)
Sanction Policy (R)
Information System Activity Review (R)
Risk Assessment / Risk Analysis
Assess your own security risks.
Determine your risk tolerance or risk aversion.
Devise, implement, and maintain appropriate security to address your business requirements.
Document your decisions.
Risk Analysis
Two types:
Qualitative (easiest and most common): rating risks on a scale such as low/medium/high.
Quantitative (most difficult to determine): placing a dollar value on the risk based upon some formulas or calculations.
Risk Calculations
The higher the number, the greater your risks.
Rows are Impact (H, M, L); columns are Probability of Occurrence (L, M, H).

                  Probability of Occurrence
                    L     M     H
Impact      H       7     8     9
            M       4     5     6
            L       1     2     3
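The matrix above, together with the Risk Assessment steps on the preceding slides (assess, decide tolerance, choose safeguards, document), worked through as an added Python example; this is not code from the presentation or from K&L Gates. The scores are those on the slide, but the risk register entries, the treatment thresholds, and every field and function name are constructed for this illustration. It also goes a step beyond the slide by expressing the matrix as a formula, which carries over to scales finer than three levels.

```python
"""Qualitative HIPAA-style risk analysis using a 3x3 impact/probability matrix.

Added example, not part of the original presentation. The register entries,
the treatment thresholds and all names here are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Rating scale used on the slide: Low, Medium, High.
LEVELS = ("L", "M", "H")

# Scores copied from the slide's matrix: rows are Impact (H, M, L from top),
# columns are Probability of Occurrence (L, M, H from left).
RISK_MATRIX: Dict[str, Dict[str, int]] = {
    "H": {"L": 7, "M": 8, "H": 9},
    "M": {"L": 4, "M": 5, "H": 6},
    "L": {"L": 1, "M": 2, "H": 3},
}


def risk_score(impact: str, probability: str) -> int:
    """Look up the slide's 1-9 score; the higher the number, the greater the risk.
    Accepts 'H'/'High', 'M'/'Medium', 'L'/'Low' in any case."""
    impact, probability = impact.strip().upper()[:1], probability.strip().upper()[:1]
    if impact not in LEVELS or probability not in LEVELS:
        raise ValueError(f"impact and probability must each be one of {LEVELS}")
    return RISK_MATRIX[impact][probability]


def risk_score_formula(impact: str, probability: str) -> int:
    """The same matrix as a formula: 3 * impact_index + probability_index + 1,
    with L=0, M=1, H=2. This is the form to extend when the scale grows."""
    return 3 * LEVELS.index(impact) + LEVELS.index(probability) + 1


@dataclass
class Risk:
    """One line of a risk register (fields are illustrative, not from the rule)."""
    threat: str        # a reasonably anticipated threat or hazard to ePHI
    impact: str
    probability: str
    safeguard: str     # the control chosen, or planned, for this risk
    score: int = field(init=False)

    def __post_init__(self) -> None:
        self.score = risk_score(self.impact, self.probability)


def treatment(score: int) -> str:
    """Map a score to a treatment decision. The thresholds are an assumption
    for this example; the slide only says higher numbers mean greater risk."""
    if score >= 7:
        return "mitigate now"
    if score >= 4:
        return "mitigate under the risk management plan"
    return "accept and monitor"


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest score first, so the Security Officer works from the top of the list."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def decision_record(risks: List[Risk]) -> List[str]:
    """Lines a covered entity would file as its documented risk-analysis
    decisions (the slides' 'Document your decisions')."""
    return [
        f"[{r.score}] {r.threat}: impact={r.impact} probability={r.probability}"
        f" -> {treatment(r.score)}; safeguard: {r.safeguard}"
        for r in rank_risks(risks)
    ]


# Constructed sample register, echoing the incidents cited earlier in the deck.
SAMPLE_REGISTER = [
    Risk("Unencrypted laptop holding ePHI lost or stolen", "H", "M",
         "full-disk encryption, device inventory"),
    Risk("Backup CD with ePHI mailed to the wrong address", "H", "L",
         "encrypt backup media, tracked shipment"),
    Risk("Workforce member views a record without a need to know", "M", "H",
         "role-based access, audit log review, sanction policy"),
    Risk("Workstation left logged in unattended", "M", "M",
         "automatic logoff, screen placement"),
    Risk("Retired disk sold without wiping", "H", "L",
         "media disposal and re-use procedure"),
]

if __name__ == "__main__":
    for line in decision_record(SAMPLE_REGISTER):
        print(line)
```

Running the module prints the register ranked by score with the decision and chosen safeguard on each line, which is the kind of record the documentation requirement later in the deck expects to be retained. The matrix lookup and the formula give identical results for all nine cells.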
Administrative Safeguards
Assign a Security Officer who is responsible for HIPAA Security Rule compliance.
Can be same person as the HIPAA Privacy Officer or a different person.
Administrative Safeguards
Workforce Security:
Authorization and/or Supervision (A)
Workforce Clearance Procedures (A)
Termination Procedures (A)
Administrative Safeguards
Information Access Management:
Healthcare Clearinghouse Function (R)
Access Authorization (A)
Access Establishment and Modification (A)
Administrative Safeguards
Security Awareness and Training:
Security Reminders (A)
Protection from Malicious Software (A)
Log-In Monitoring (A)
Password Management (A)
Administrative Safeguards
Security Incident Procedures:
Response and Reporting (R)
Administrative Safeguards
Contingency Planning:
Data Backup Plan (R)
Disaster Recovery Plan (R)
Emergency Mode Operation Plan (R)
Testing and Revision Procedure (A)
Applications and Data Criticality Analysis (A)
Administrative Safeguards
Evaluation (R):
Periodic review
Non-technical review
Technical review
Administrative Safeguards
Business Associate Agreements and Other Arrangements
Physical Safeguards
The Physical Safeguards (§ 164.310) relate to the physical actions the practice must undertake to implement the Security Rule. Small practices will want to focus on limiting physical access to electronic information within the office by unauthorized personnel by simple means such as physical barriers, locks, and supervision.
Physical Safeguards
Facility Access Controls:
Contingency Operations (A)
Facility Security Plan (A)
Access Control and Validation Procedures (A)
Maintenance Records (A)
Physical Safeguards
Workstation Use
Workstation Security
Physical Safeguards
Device and Media Controls:
Disposal (R)
Media Re-use (R)
Accountability (A)
Data Backup and Storage (A)
Technical Safeguards
This section of the Security Rule (§ 164.312) addresses technical items that need to be implemented to meet the requirements of the Security Rule.
Technical Safeguards
Access Control:
Unique User Identification (R)
Emergency Access Procedure (R)
Automatic Logoff (A)
Encryption and Decryption (A)
Technical Safeguards
Audit Controls (R)
Technical Safeguards
Integrity: Mechanism to Authenticate ePHI
Technical Safeguards
Person or Entity Authentication (R)
Technical Safeguards
Transmission Security:
Integrity Controls (A)
Encryption (A)
Policies and Procedures and Documentation Requirements
Documentation—A covered entity must implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the HIPAA Security Rule.
Documentation
Make the documentation available to those persons responsible for implementing the procedures to which the documentation pertains. This is a required implementation specification.
Retain the documentation required for 6 years from the date of its creation or the date it was last in effect, whichever is later in time. This is a required implementation specification.
Disclaimer
These materials are provided for educational purposes only, and are not legal advice or intended to be substituted for legal advice. Parties affected by the issues discussed in these materials should consult with their legal counsel, as the specific facts of any given case will greatly influence the legal advice given.
It is important to note that these materials address an area of the law that is volatile and expected to have significant changes in the very near future, which may completely alter the applicability of these materials to any situation.
Questions
Contact
Stephen D. Rose, J.D., M.B.A.
K&L Gates
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
(206) 370-8126