This is the fifth and last Technical Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has two implementation specifications: integrity controls; and encryption. Each is addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.
For compliance with this Technical Safeguard Standard, a covered entity is required to implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
In simplest terms, a covered entity must safeguard its electronic networks to ensure the availability and integrity of its electronic protected health information. How the covered entity implements this safeguard is an outcome of the covered entity’s risk analysis. A covered entity with only a local network and no connectivity to any entity outside the covered entity will have a different solution than a covered entity with connectivity to outside entities. With new federal regulations and incentives focused on increasing interoperability among healthcare stakeholders, it will be more and more important for covered entities to protect their networks. A covered entity should explore options for safeguarding its electronic media by discussing safeguards with the hardware and software vendors that are its business associates. With open networks, such as the Internet, it is especially important to harden existing systems with up-to-date security software, firewalls, and intrusion detection systems. In earlier postings on data back-up on HIPAA.com, we have discussed the importance of ensuring that the integrity of electronic protected health information is not impaired by changes or alterations to electronic media.
We recommend that you consult the National Institute of Standards and Technology (NIST) Information Security Special Publication 800-63: Electronic Authentication Guideline (Version 1.0.2), April 2006, which is available online from NIST. This “document provides technical guidance to Federal agencies implementing electronic authentication. The recommendation covers remote authentication of users over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, authentication protocols and related assertions…. [This guideline] may also be used by nongovernmental organizations on a voluntary basis and is not subject to copyright (Attribution would be appreciated by NIST.)” [Pp. iii-iv]