Understanding HIPAA Privacy and Security – Part III

In the first and second parts of this article, we explored the privacy and security aspects of the Health Insurance Portability and Accountability Act, or HIPAA. We delved into the Security Rule and the three types of security safeguards, namely administrative, physical and technical safeguards. Of the three, we looked at the administrative safeguards and their required as well as addressable implementation specifications. In the third and final part of this article, we will examine the physical and technical safeguards of the Security Rule.


Physical Safeguards

The physical safeguards of the HIPAA/HITECH Act deal with the policies and procedures that need to be adopted and implemented to control physical access to systems or devices containing health information and to the facilities housing electronic records.


Utmost care must be taken when introducing to, or removing from, the network any hardware and software that deals with Protected Health Information (PHI). Equipment that is about to be retired must be disposed of properly so that the PHI contained within such systems is not compromised.

  • Ensure that access to equipment that contains health information is controlled and monitored vigilantly.

  • Ensure that those who access hardware and software are properly authenticated individuals.

  • Implement facility security plans, maintenance records and visitor sign-in within system centres that contain protected health information.

  • Ensure that the workstations are not in high traffic areas and the monitor screens are not in direct view of the public.

  • Covered entities that engage the services of contractors and agents must ensure that those contractors and agents are fully trained and aware of their responsibilities.


Implementation Specifications

In the Physical Safeguards category, there are eight Implementation Specifications. Of the eight, two are required and six are addressable. For instance, it is required to remove all data and images from CDs and DVDs prior to reuse.


Technical Safeguards

Technical safeguards deal with the measures that need to be implemented when transmitting health information electronically over open networks, so that the health information does not fall into the wrong hands.

  • When transmitting information over open networks, encryption must be carried out as set out in the standards. However, if the information flows only over closed networks, the existing access controls may be sufficient.

  • Covered entities must take all possible measures to ensure data integrity; this includes digital signatures, checksums, message authentication codes, and double keying.

  • Implement procedures to authenticate that the entity accessing the electronic records is the one it claims to be. This includes token systems, password systems, telephone call-back, and two- or three-way handshakes.

  • Document all policies implemented and practices followed for HIPAA compliance; this documentation needs to be made available to compliance auditors when required.


Implementation Specifications

In the Technical Safeguards category, there are seven Implementation Specifications, of which two are required and five are addressable. For instance, it is required that every individual who accesses the computer system has a unique user identification name or number.


The importance of ensuring healthcare compliance cannot be overstated; it is required in order to safeguard Protected Health Information.
