9 gray areas of HIPAA that should not be ignored
Under the HIPAA Security Rule, all covered entities must comply with a core set of required standards to secure protected health information. However, covered entities must also conduct a security risk assessment to determine whether they need to add further safeguards, and document why such safeguards are or are not necessary. This leads to gray areas as entities work out whether additional attention should be given to potential remaining vulnerabilities. Scrypt, a vendor of medical imaging, security communications and business operations software and services, lists nine gray areas that organizations should examine to determine whether each is required or addressable.
1. Unique user identification is required
Assign a unique name and/or number for identifying and tracking user identity.
2. Emergency access procedure is required
Establish and implement (as needed) procedures for obtaining necessary electronic protected health information (ePHI) during an emergency.
3. Automatic logoff is addressable
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
4. Encryption and decryption is addressable
Implement a mechanism to encrypt and decrypt ePHI.
5. Audit controls are required
Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
6. Integrity mechanisms to authenticate ePHI are addressable
Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
7. Authentication is required
Implement procedures to ensure that the identity of a person or entity seeking access to ePHI is verified.
8. Transmission security/integrity controls are addressable
Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection, until that information is disposed of.
9. Transmission security/encryption is addressable
Implement a mechanism to encrypt ePHI whenever it is deemed to be appropriate.