Technical Safeguard Standards of the HIPAA Administrative Simplification Security Rule

There are five technical safeguard standards:  access control, audit controls, integrity, person or entity authentication, and transmission security. Each standard has implementation specifications, which can be required or addressable. Remember, addressable does not mean “optional.”  Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

Technical safeguard standards are “the technology and the policies and procedures for its use that protect electronic protected health information and control access to it.” [68 Federal Register 8376]  The Technology Safeguard Standards protect a covered entity’s electronic information assets, including electronic protected health information that is use, disclosed, transmitted, or stored in the covered entity’s electronic environment. The electronic environment includes all computer workstations, laptops, handheld devices, database servers, applications servers, data management systems, and infrastructure devices. Administrative and physical safeguards that we have discussed in earlier postings on HIPAA.com apply to actions that workforce members perform routinely on a daily basis. Technical safeguards apply to actions that are related to software performance.

Over the next two weeks, HIPAA.com will examine the ten implementation specifications for Technical Safeguard Standards. HIPAA.com also will discuss, in the examination of the 10^th implementation specification-encryption-HHS’ “Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,” issued April 17, 2009, as required under the HITECH Act. Stay tuned.