The security standards outlined in HIPAA are designed to establish a level of protection for certain types of health information that is collected, maintained, used, or transmitted in an electronic format. The thrust of the standard is to minimize or eliminate risks that may lead to improper access to stored information, loss of data, or the interception of protected data during electronic transmission. Thus, security is defined as the ability to control access and to protect information from accidental or intentional disclosure to unauthorized persons, and from alteration, destruction, or loss.
There are five sections of the Security Rule:
Administrative Procedures
Over 75% of HIPAA Security compliance is operational in nature. Policies and procedures must be established for audit trails, certification, the change control process, contract approval with "chain of trust" language, human resources orientation, information access privileges, workstation location, password authentication policies, and security incident procedures. Also included are contingency planning/disaster recovery, business process control, formal record processing, security configuration documentation, and the appointment of a security officer.
Physical Safeguards
Development of written policies and procedures regarding the physical safeguards in place to protect the organization's data.
Technical Security Services
This component is designed to support or enforce the policies and procedures. The methodologies should ensure the authentication of the user, and restrict the user to only the systems, applications, and data for which the user is authorized.
Technical Security Mechanisms
These are the mechanisms used both within the organization and in its connectivity to client data. They typically deal with Wide Area Network (WAN), remote access, Intranet, Extranet, and Internet access.
Electronic Signature Standard
Electronic signatures are not required in the final Security Rule.