
Security Reference Guide


The HIPAA Security Standard

Last updated May 23, 2003.

In Part I above we introduced HIPAA and what deadlines must be met. In this section we will discuss the security standard that all entities must meet by the above deadlines in order to be in compliance.

Fortunately, the security standard at this time has been left intentionally vague. This means that as a network administrator you have a certain amount of leeway in how you want to implement your security policies and procedures. In fact, if you already follow good security practice, you are probably very close to being in full compliance. The following section will give a general overview of the security goals that HIPAA targets.

The HIPAA guidelines attempt to design a new, comprehensive standard that defines the requisite security requirements. The HIPAA authors recognize that there are already numerous security guidelines and standards in existence today. Thus, to draft the HIPAA standard guidelines, they researched the existing guidelines and standards and consulted with the organizations that developed them. As a result of these consultations and research, they identified several high-level concepts on which the standard should be based. Highlights of these can be summarized as follows:

  • The standard must be comprehensive.

  • Comprehensive adoption of security standards in health care, not piecemeal implementation, is advocated to provide security to data that is exchanged between health care entities.

  • If a system, or the communications between two systems, is implemented with technologies that meet standards in a general system security framework (Identification and Authentication; Authorization and Access Control; Accountability; Integrity and Availability; Security of Communication; and Security Administration), that system would be essentially secure.

  • No single standards development organization (SDO) is addressing all aspects of health care information security and confidentiality, and specifically, no single SDO is developing standards that cover every category of the security framework.

  • The standard must be technology-neutral: the proposed HIPAA standard does not reference or advocate specific technology because security technology changes quickly. This gives entities flexibility to choose their own technical solutions. A standard that depended on a specific technology or technologies would not be flexible enough to take advantage of future advances.

  • The standard must be scalable: it must be able to be implemented by all the affected entities, from the smallest provider to the largest clearinghouse. A single approach would be neither economically feasible nor effective in safeguarding health data. For example, in a small physician practice, a contingency plan for system emergencies might be only a few pages long, and cover issues such as where backup diskettes must be stored, and the location of a backup personal computer (PC). At a large health plan, the contingency plan might consist of multiple volumes and cover issues such as remote hot site operations and secure off-site storage of electronic media. The physician office solution would not protect the large plan’s data, and the plan’s solution would not be economically feasible (or necessary) for the physician office. Moreover, the statute specifically takes into account the needs and capabilities of small and rural health care providers.

Flexibility in the HIPAA standard draws on the recommendations contained in the National Research Council's 1997 report "For The Record: Protecting Electronic Health Information":

"It is therefore not possible to prescribe in detail specific practices for all organizations; rather, each organization must analyze its systems, vulnerabilities, risks, and resources to determine optimal security measures. Nevertheless, the committee believes that a set of practices can be articulated in a sufficiently general way that they can be adopted by all health care organizations in one form or another." (Page 168)

What specific requirements, then, must you satisfy for HIPAA? The proposed standard requires that each health care entity engaged in electronic maintenance or transmission of health information assess potential risks and vulnerabilities to the individual health data in its possession in electronic form, and develop, implement, and maintain appropriate security measures. These measures must safeguard the integrity, confidentiality, and availability of your electronic data.

The proposed requirements and implementation features also drew upon Recommendations 1 and 3 in the National Research Council's 1997 report, "For The Record", which were recommended for immediate implementation.

"Recommendation 1: All organizations that handle patient-identifiable health care information--regardless of size--should adopt the set of technical and organizational policies, practices, and procedures described below to protect such information."

The proposed HIPAA security standard thus outlines the following practices and procedures:

  • Organizational Practices

    1. Security and confidentiality policies
    2. Information security officers
    3. Education and training programs, and
    4. Sanctions

  • Technical Practices and Procedures

    1. Individual authentication of users
    2. Access controls
    3. Audit trails
    4. Physical security and disaster recovery
    5. Protection of remote access points
    6. Protection of external electronic communications
    7. Software discipline, and
    8. System assessment.

HIPAA also contains a recommendation as follows:

"The federal government should work with industry to promote and encourage an informed public debate to determine an appropriate balance between the primary concerns of patients and the information needs of various users of health care information."

This proposed security standard was developed in the spirit of this recommendation. As a result of the collaborative security regulation development process, the HIPAA implementation team roughly divided the material into the following four categories:

  • Administrative procedures to guard data integrity, confidentiality, and availability: documented, formal practices that govern the selection and execution of security measures to protect data, and the conduct of personnel in relation to the protection of data.

  • Physical safeguards to guard data integrity, confidentiality, and availability: the protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion. Physical safeguards also cover the use of locks, keys, and administrative measures used to control access to computer systems and facilities.

  • Technical security services to guard data integrity, confidentiality, and availability: the processes put in place to protect information and to control and monitor access to it, and

  • Technical security mechanisms: the processes put in place to prevent unauthorized access to data that is transmitted over a communications network.

In Part III, we will examine practical steps to implement these recommendations.

Official Documentation

http://www.cms.hhs.gov/