9 data security practices that HIPAA affects

Published October 26, 2017, 4:00am EDT

9 gray areas of HIPAA that should not be ignored

Under the HIPAA Security Rule, all covered entities must comply with a core set of required standards to secure protected health information. However, covered entities also must conduct a security risk assessment to determine whether they need to add further safeguards, and must document why such safeguards are or are not necessary. This leads to gray areas as entities seek to determine whether additional attention should be given to remaining vulnerabilities. Scrypt, a vendor of medical imaging, security communications and business operations software and services, lists nine such gray areas that organizations should examine to determine whether each safeguard is required or addressable.

1. Unique user identification is required

Assign a unique name and/or number for identifying and tracking user identity.

2. Emergency access procedure is required

Establish and implement (as needed) procedures for obtaining necessary electronic protected health information (ePHI) during an emergency.

3. Automatic logoff is addressable

Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

4. Encryption and decryption is addressable

Implement a mechanism to encrypt and decrypt ePHI.

5. Audit controls are required

Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

6. Integrity mechanisms to authenticate ePHI are addressable

Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

7. Authentication is required

Implement procedures to ensure that the identity of a person or entity seeking access to ePHI is verified.

8. Transmission security/integrity controls are addressable

Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection, until that information is disposed of.

9. Transmission security/encryption is addressable

Implement a mechanism to encrypt ePHI whenever it is deemed to be appropriate.