9 gray areas of HIPAA that should not be ignored
Under the HIPAA Security Rule, all covered entities must comply with a core set of required standards to secure protected health information. However, covered entities also must conduct a security risk assessment to determine whether they need to add further safeguards, and they must document why or why not such safeguards are necessary. This leads to gray areas as entities seek to determine whether additional attention should be given to remaining vulnerabilities. Scrypt, a vendor of medical imaging, secure communications and business operations software and services, lists nine gray areas that organizations should examine to determine whether each is required or addressable.
1. Unique user identification is required
Assign a unique name and/or number for identifying and tracking user identity.
2. Emergency access procedure is required
Establish and implement (as needed) procedures for obtaining necessary electronic protected health information (ePHI) during an emergency.
3. Automatic logoff is addressable
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
4. Encryption and decryption is addressable
Implement a mechanism to encrypt and decrypt ePHI.
5. Audit controls are required
Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
6. Integrity mechanisms to authenticate ePHI are addressable
Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
7. Authentication is required
Implement procedures to ensure that the identity of a person or entity seeking access to ePHI is verified.
8. Transmission security/integrity controls are addressable
Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection, until that information is disposed of.
9. Transmission security/encryption is addressable
Implement a mechanism to encrypt ePHI whenever it is deemed to be appropriate.