Maintain confidentiality and integrity of data
The HIPAA Security Rule requires you to
ensure and protect the confidentiality, integrity, and availability (CIA) of protected health
information by developing an appropriate
risk management strategy [5]. This includes protecting data that is stored (at rest) as well
as data that is transmitted (in transit). Encryption
and decryption are vital whenever ePHI
Protect against breaches
Breaches could be malicious or inadvertent.
You must institute mechanisms to check that
the integrity of data is never jeopardized,
and that data leaks do not occur. Maintaining
and regularly reviewing audit logs is one way to
do this. Do not assume that it is practical
to oversee every information system manually,
especially where business associates are
concerned. You must therefore execute business associate agreements (BAAs) with every
business associate that can access PHI or
ePHI for any reason. The BAA obliges the business
associate to implement appropriate safeguards and to
report breaches; note that business associates are
also directly liable under the Security Rule, so a
BAA allocates responsibility for the security of the data
rather than transferring it away from you in the
unfortunate event of a breach.
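Two of the mechanisms this page calls for, checking that stored ePHI has not been altered and keeping audit logs that can be reviewed for tampering, can be built from standard cryptographic primitives. The following is an added example, not code from the original page or from any toolkit it describes; it uses only the Python standard library, and the INTEGRITY_KEY, the record fields and the audit events are constructed for illustration (a real deployment would obtain the key from a KMS or HSM and rotate it). Each record carries an HMAC-SHA256 tag, and the audit log is a hash chain in which every entry commits to the hash of the previous one, so edits, insertions and deletions in the middle of the log are detected; truncation of the tail is only caught if the latest head hash has been anchored somewhere the log writer cannot reach.

```python
"""Tamper-evident ePHI records and a hash-chained audit log (stdlib only).

Added example for the integrity-checking discussion above; the key, records
and events below are constructed for illustration, not real data.
"""
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed key for this example only; in production, source it from a KMS/HSM.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def canonical(obj: dict) -> bytes:
    """Deterministic JSON encoding so the same content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag to a record so any later change is detectable."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time (avoids timing side channels)."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


class AuditLog:
    """Append-only log; each entry's hash covers the previous entry's hash."""

    GENESIS = "0" * 64  # prev-hash value for the first entry

    def __init__(self) -> None:
        self.entries = []

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "event": event, "prev": prev}
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; anchor this externally to detect truncation."""
        return self.entries[-1]["hash"] if self.entries else self.GENESIS

    def check(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (ok, index of first bad entry or None).

        A mismatch at index i means entry i was edited, an entry before it was
        removed or inserted, or the chain was rebuilt. If expected_head is given
        and differs from the final hash, entries were dropped from the end.
        """
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if (e["seq"] != i or e["prev"] != prev
                    or hashlib.sha256(canonical(body)).hexdigest() != e["hash"]):
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


def demo() -> dict:
    """Exercise both mechanisms on constructed data and report what was detected."""
    sealed = seal({"patient_id": "P-0001", "diagnosis_code": "E11.9"})  # constructed
    intact = verify(sealed)
    sealed["record"]["diagnosis_code"] = "E10.9"  # simulated unauthorised edit
    tampered_detected = not verify(sealed)

    log = AuditLog()
    for user, action in [("alice", "view"), ("bob", "export"), ("alice", "update")]:
        log.append({"user": user, "action": action, "object": "P-0001"})  # constructed
    anchored_head = log.head()
    clean = log.check(anchored_head)
    log.entries[1]["event"]["action"] = "view"  # simulated cover-up of the export
    edited = log.check(anchored_head)
    return {"intact": intact, "tampered_detected": tampered_detected,
            "clean": clean, "edited": edited}


if __name__ == "__main__":
    print(demo())
```

The HMAC protects integrity only; it does not make the record confidential, so it complements rather than replaces encryption of ePHI at rest. Reviewing the log then reduces to running `check()` against an externally anchored head hash at the defined frequency, with any failure feeding the root cause analysis the page describes.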
Physical safeguards are equally important
Given that theft of portable devices and other
removable media is at the heart of some of
the biggest breaches in healthcare, ensuring
the physical security of all removable media
is vital. From locking drawers and doors, to
installing security cameras to record movements around every workstation that can
access ePHI, do not skimp on these efforts.
Validate on a regular basis
Being aware of the problem areas and the possible solutions is good, and implementing the
solutions is great; however, what will give your
organization "satisfactory assurance", or a
clear picture of your security posture, is reviewing the health of all the controls at a defined
frequency, including root cause analysis and
corrective action taken for any non-adherence.
1. The latest NIST guidance can be viewed at: http://bit.ly/2tZth0U
2. The OCR guidance can be viewed at: http://bit.ly/2v05rpF
3. NIST Archived Special Publication 800-37, Revision 1, section 1.2,
Purpose and Applicability. Available at: http://bit.ly/2uYJkR8
4. HIPAA Security Rule - see 45 C.F.R. §§ 164.308(a)(3), 164.308(a)(4),
164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)
5. HIPAA Security Rule - see 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(b)(1),
164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv),
164.312(b), 164.312(c), 164.314(b)(2)(i), 164.312(d)
Auditing & Monitoring Tools
The 1,000+ pages of materials in this toolkit
include more than 100 sample policies,
procedures, guidelines, and forms to enhance
your compliance auditing and monitoring efforts.
The toolkit is updated twice a year with new tools:
The first two updates are free, and an
annual subscription can be purchased
to receive subsequent updates.
Find just one tool to help your program
improve, and you’ve achieved a
positive return on your investment.
For more information