Know More About HIPAA Security Policy

The main goal of the HIPAA Security Rule is to ensure the protection of Electronic Protection Health Information (EPHI). This also means that it is the mandate of every HIPAA-covered entity including federal agencies to be compliant with the HIPAA Security Rule. The main objective of the HIPAA Security Rule is to ensure the protection of EPHI privacy policies, availability, and integrity in regards to the Security Rule specifications. Therefore, it is the mandate of covered entities to ensure that EPHI created, received, maintained, or transmitted is protected from anticipated use, hazards, threats, and wrongful disclosure at all costs. Some of the covered entities that fall within the Security Rule specifications in terms of standards, implementation processes/procedures, and requirements are:

  1. Covered Health Care Providers— This refers to medical entities and other health-related organizations that handle the use, transmission, or dissemination of EPHI and are under the HHS standards.
  2. Health Plans— This refers to groups or individuals who provide services or oversee cost-related transactions to medical care such as health insurance issues, Medicare, and Medicaid programs.
  3. Health Care Clearinghouses— This refers to third-party entities whether public or private that are responsible for the conversion of the healthcare transaction from non-standard format to standard format or vice-versa.
  4. Medicare Prescription Drug Card Sponsors –This refers to Non-governmental entities that offer endorsed discount programs as specified in the Medicate Modernization Act. This falls under the fourth category of covered entities which will remain effective till the end of the drug program in 2006.

This section does explains, goals, structure and organizations, and identifies the role of the Security Rule Sections.

HIPAA Security Laws: Goals and Objectives

There are different expectations of covered entities in reference to the Security Standards: General Rule’s section in the HIPAA Security Rule which includes:

  1. Maintenance of the integrity, privacy, and availability of ePHI created, received, transmitted, and maintained.
  2. Protection of the ePHI from anticipated hazards and risks that may compromise its security and integrity.
  3. Ensure that protection ePHI from wrongful disclosure or use as specified under the Privacy Rule.

Compliance with this section of the Security Rule will require covered entities to understand the following definitions in regards to integrity, availability, and confidentiality as specified in § 164.304:

  1. Confidentiality: This is any information or data that is withheld from unauthorized people or processes according to HIPAA Security Standards.
  2. Integrity: This refers to the maintenance of any protected information from alterations or distortion using unauthorized processes.
  3. Availability: This ensuring the accessibility of protected information to only authorized persons and processes when demanded.

Security Rule Organization

It would recommendable to under the specification requirements of the HIPAA Security Rule where you will understand the basic terminologies used to define security standards. There are six sections under the HIPAA Security rule section that covers some of the implementation specifications and standards that a covered entity must consider. These sections are:

  1. Security Standards: General Rules -This section refers to all general requirements required by covered entities, which are:
  2. Ensures flexible approaches
  3. Establishing both required and addressable implementation specifications and standards.
  4. Defining some of the decision-making processes needed by covered entities with respect to addressable implementation specifications.
  5. Implementation of different security measures to ensure the protection of ePHI to the required standards.
  1. Administrative Standards – This section refers to all efforts, procedures, and policies that will ensure the implementation, development, maintenance, and selection of relevant security measures to ensure the protection of ePHI demanded by covered entities’ workforce.
  2. Physical Standards – These are the policies, physical measures and procedures used or necessary for the protection of covered entities’ ePHI from possible hazards and unauthorized use or access to it.
  3. Technical Security Measures- These measures specify the use of technology and policies that will enhance protection and access to ePHI.
  4. Organizational Requirements –This section refers to standards and procedures to be used in business associate contracts or related arrangements such as the Memorandum of Understanding (MoU) between covered parties and business associates ensuring adherence to privacy and protection of ePHI.
  5. Policies and Procedures and Documentation Requirements -This section refers to the implementation of Security rule specifications to reasonable and acceptable standards among other requirements, such as: Using policies, procedures, rules, regulations, and action as stipulated under the Security Rule for the maintenance and use of ePHI; and control on the access of ePHI as well.

There are various rules and implementation specifications under the Security Rule which are a key requirement to all covered entities as far as in use and maintenance of ePHI.

There are various implementation specifications under most standards, whereby these implementation specifications are methods and policies that can either be addressable or a requirement for all covered entities. Otherwise, regardless of the nature of the implementation i.e. required or addressable is a standard required from all covered entities:

  1. Required specifications are standards that all covered entities have to adhere to.
  2. On the other hand, an addressable implementation refers to an implementation that a covered entity has to review and assess whether it is necessary to its present environmental hazards. It is after this assessment that a covered entity will determine whether:
    1. To implement the specification
    2. Implement an alternative measure that will ensure the entity is compliant with the specification standards
    3. Not to implement both addressable and alternative measures since they are not appropriate or reasonable within its environment.

Otherwise, which a decision is made it is required that all covered entities document their assessments. On the other hand, when it comes to federal agencies addressable implementation specifications remain relevant and required safeguards due to their resources, size, and mission.

There are at times when there are no particular implementation specifications such as in Evaluation and Assigned Security Responsibility Standards and in such instances, compliance standard related to it is a requirement. For further clarifications on these standard rules, you can send inquiries to the CMS e-mail addressing or reach us through the CMS HIPAA Hotline, 1-866-282-0659 or visit

Safeguards Sections of the Security Rule

Table 1 contains a list of implementation specifications and standards that address the Administrative, Technical, and Physical sections of the security rule.

  1. Column 1 of the table lists the Security Rule standards.
  2. Column 2 indicates the regulatory citation to the appropriate section of the Security Rule where the standard can be found.
  3. Column 3 lists the implementation specifications associated with the standard, if any exist, and designates the specification as required or addressable.

Table 1. HIPAA Security Rule Standards and Implementation Specifications

Standards Sections Implementation Specifications
(R)=Required (A)=Addressable
Administrative Safeguards
Security Management Process 164.308(a)(1) Risk Analysis (R)
Risk Management (R)
Sanction Policy (R)
Information System Activity Review (R)
Assigned Security Responsibility 164.308(a)(2) [None]
Workforce Security 164.308(a)(3) Authorization and/or Supervision (A)
Workforce Clearance Procedure (A)
Termination Procedures (A)
Information Access Management 164.308(a)(4) Isolating Health Care Clearinghouse Functions (R)
Access Authorization (A)
Access Establishment and Modification (A)
Security Awareness and Training 164.308(a)(5) Security Reminders (A)
Protection from Malicious Software (A)
Log-in Monitoring (A)
Password Management (A)
Security Incident Procedures 164.308(a)(6) Response and Reporting (R)
Contingency Plan 164.308(a)(7) Data Backup Plan (R)
Disaster Recovery Plan (R)
Emergency Mode Operation Plan (R)
Testing and Revision Procedures (A)
Applications and Data Criticality Analysis A)
Evaluation 164.308(a)(8) [None]
Business Associate Contracts and Other Arrangements 164.308(b)(1) Written Contract or Other Arrangement (R)

Physical Safeguards

Facility Access Controls 164.310(a)(1) Contingency Operations (A)
Facility Security Plan (A)
Access Control and Validation Procedures (A)
Maintenance Records (A)
Workstation Use 164.310(b) [None]
Workstation Security 164.310(c) [None]
Device and Media Controls 164.310(d)(1) Disposal (R)
Media Re-use (R)
Accountability (A)
Data Backup and Storage (A)

Technical Safeguards

Access Control 164.312(a)(1) Unique User Identification (R)
Emergency Access Procedure (R)
Automatic Logoff (A)
Encryption and Decryption (A)
Audit Controls 164.312(b) [None]
Integrity 164.312(c)(1) Mechanism to Authenticate Electronic Protected Health Information (A)
Person or Entity Authentication 164.312(d) [None]
Transmission Security 164.312(e)(1) Integrity Controls (A) Encryption (A)

Business Associates

  1. Covered entities must enter into a contract or other arrangement with business associates similar to the Privacy Rule requirement.
  2. The contract must require the business associate to:
    1. Should implement safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits;
    2. Should be assured that any agent (including a subcontractor) to whom it provides this information agrees to implement reasonable and appropriate safeguards;
    3. Should report to the covered entity about any security incident of which it becomes aware;
    4. Should make its policies, procedures, and documentation required by the Security Rule relating to such safeguards, available to the Secretary for the purpose of determining the covered entity’s compliance with the regulations; and,
    5. Should authorize termination of the contract by the covered entity if the covered entity determines that the business associate has violated a material term of the contract.
  3. When both the covered entity and the business associate are governmental entities, the regulations contain certain exemptions to the above rules which are: deferring to existing law and regulations and allowing the two organizations to enter into a memorandum of understanding rather than a contract, that contains terms that accomplish the objectives of the business associate contract.

HIPAA Resource:

HIPAA Rule Overview
HIPAA Timelines
HIPAA Penalties

View HIPAA Security Policies and Procedures

Our mission is to provide the highest quality service to achieve your educational goals. We provide our training classes offered in different cities with a flexible training schedule. In case due to a busy schedule, you cannot attend classes, you can buy a self-study kit or attend virtual classroom training.

For more information, please contact us at or call (515) 865-4591.

Adopted from the special publication of NIST 800-26.