The technical safeguards portion of the HIPAA focuses on regulations for the technology with access to ePHI. These security standards were designed to be 'technology neutral.' This section can easily be split into five main categories;
- Access Control
- Audit Controls
- Transmission Security
After breaking down these five categories, you will find that there are nine specific things which need to be implemented from this section.
- Unique User Identification (required): A name or number unique to each user should be assigned and never shared between users.
- Emergency Access Procedure (required): Create (and perform as needed) a set of procedures for obtaining necessary ePHI during an emergency situation.
- Automatic Logoff (addressable): Electronic procedures or a program to terminate a software session once a predetermined amount of idle time has passed should be implemented.
- Encryption and Decryption (addressable): Implement a system for the encryption and decryption of ePHI.
Audit Controls (required)
- Implement software/hardware mechanisms to record and monitor activity within systems containing ePHI.
- Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms which will verify that ePHI has not been changed or tampered with without the proper authorization to do so.
- Procedures and programs should exist which will verify that the current user is who they claim to be.
- Integrity Controls (addressable): Security measures should be in place which will ensure that any ePHI which has been electronically transmitted is not tampered with or altered.
- Encryption (addressable): Implement the encryption of ePHI which is to be transmitted whenever applicable.
By breaking down the original four categories in this section, it becomes easier to manage making the technical aspects of your business HIPAA compliant. No two situations are exactly the same, and if you are unsure about your business being non-compliant and would like professional feedback on the matter, feel free to contact us at our website.