Transmission Security: What This HIPAA Security Rule Technical Safeguard Standard Means

July 10, 2009 · HIPAA Law

This is the fifth and last Technical Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has two implementation specifications: integrity controls, and encryption. Each is addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard, and document the decision if it chooses an alternative to the specification. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

For compliance with this Technical Safeguard Standard, a covered entity is required to implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

In simplest terms, a covered entity must safeguard its electronic networks to ensure the availability and integrity of its electronic protected health information. How the covered entity implements this safeguard is an outcome of the covered entity’s risk analysis. A covered entity with only a local network and no connectivity to any entity outside of the covered entity will arrive at a different solution than a covered entity with connectivity to outside entities. With new federal regulations and incentives focused on increasing interoperability amongst healthcare stakeholders, it will be more and more important for covered entities to protect their networks. A covered entity should explore options for safeguarding its electronic media by discussing safeguards with its business associate hardware and software vendors. With open networks, such as the Internet, it is especially important to harden existing systems with up-to-date security software applications, firewalls, and intrusion detection systems. In earlier postings on data back-up on HIPAA.com, we have discussed the importance of ensuring that the integrity of electronic protected health information is not impaired by changes or alterations to electronic media.
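The two implementation specifications above, integrity controls and encryption, are usually met together by an authenticated encryption mode. The following Go example is added here to illustrate that and is not code from the original posting or from any vendor; the record, key and header are constructed sample values, and a real deployment would obtain the key from its key-management process and would usually get this protection from TLS rather than hand-rolled framing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed sample record (not real patient data) sent between a covered entity and a business associate.
const SampleRecord = `{"mrn":"000000","dx":"J45.909","note":"example only"}`

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect applies both implementation specifications at once: AES-GCM
// encrypts the record and produces an integrity tag covering the ciphertext
// and the clear-text header (e.g. routing data) passed as associated data.
// Wire format: nonce || ciphertext || 16-byte tag.
func Protect(key, record, header []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, record, header), nil
}

// Unprotect checks the tag before releasing any plaintext: a change to the nonce,
// ciphertext, tag or header while in transit yields an error, not an altered record.
func Unprotect(key, wire, header []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(wire) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("message too short to carry nonce and tag")
	}
	nonce, ct := wire[:aead.NonceSize()], wire[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, header)
}
```

A flipped bit anywhere in the transmitted bytes, or a mismatch in the header the recipient expects, makes Unprotect fail, which is the integrity-control behaviour the standard asks for.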

We recommend that you consult the National Institute of Standards and Technology (NIST) Information Security Special Publication 800-63: Electronic Authentication Guideline (Version 1.0.2), April 2006, which is available online. This “document provides technical guidance to Federal agencies implementing electronic authentication. The recommendation covers remote authentication of users over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, authentication protocols and related assertions…. [This guideline] may also be used by nongovernmental organizations on a voluntary basis and is not subject to copyright (Attribution would be appreciated by NIST.)” [Pp. iii-iv]

© 2023 · hipaa.com
