Datica Blog

Assessment Series: HIPAA Security Assessment

Travis Good, MD

Co-founder, CEO & Chief Privacy Officer

June 16, 2015   HIPAA Company

In this second entry of our Assessment Series we explore what a HIPAA Security Risk Assessment is and why it is crucial to the safe handling of protected health information (PHI), given the healthcare industry's growing dependence on information technology and the rollout of electronic medical records (EMR).

The HIPAA Security Rule was published in 2003 under the original 1996 HIPAA statute and sets the standards for protecting electronic PHI (ePHI). In February 2009 the HITECH (Health Information Technology for Economic and Clinical Health) Act was passed as part of the American Recovery and Reinvestment Act; it strengthened HIPAA enforcement and breach-notification obligations and extended the Security Rule's requirements directly to business associates. The Security Rule's requirements are organized into three classifications of safeguards; across the three there are 18 standards and 36 implementation specifications, each categorized as "Required" or "Addressable". Required specifications must be implemented as written. Addressable specifications must still be assessed: the entity implements the specification if it is reasonable and appropriate, or documents why it is not and implements an equivalent alternative measure. "Addressable" does not mean optional, and the decision and its rationale must be documented either way.

The Three Classifications

1. Administrative Safeguards

These make up more than half of the HIPAA Security Rule's requirements. As with all three classifications, compliance requires an evaluation of the security controls already in place, a precise and in-depth analysis, and a series of documented solutions derived from the many factors unique to each covered entity.

These safeguards are broken down as follows:

Standard: Security Management Process

The intent is to create the administrative processes and operations that a covered entity will use to run its security program. The risk analysis under this standard is the foundation of the whole assessment: it identifies where ePHI is created, received, stored, and transmitted, and the threats and vulnerabilities to it, and every other safeguard decision should trace back to it.

Implementation Specifications

  1. Risk Analysis (Required)
  2. Risk Management (Required)
  3. Sanction Policy (Required)
  4. Information System Activity Review (Required)

Standard: Assigned Security Responsibility

The goal is to identify the individual who is responsible for ensuring that the covered entity complies with the HIPAA Security Rule (the security official). This standard has no implementation specifications.

Standard: Workforce Security

The objective is to ensure that each workforce member who needs access to ePHI has it, that those who should not have access are prevented from obtaining it, and to define how that access is authorized, supervised, and revoked.

Implementation Specifications

  1. Authorization and/or Supervision (Addressable)
  2. Workforce Clearance Procedure (Addressable)
  3. Termination Procedures (Addressable)

Standard: Information Access Management

Meant to restrict access to solely persons with a need for specified ePHI.

Implementation Specifications

  1. Isolating Health Care Clearinghouse Functions (Required)
  2. Access Authorization (Addressable)
  3. Access Establishment and Modification (Addressable)

Standard: Security Awareness and Training

The Security Rule mandates a security awareness and training program for all members of the workforce, including management, covering both new hires and current staff.

Implementation Specifications

  1. Security Reminders (Addressable)
  2. Protection from Malicious Software (Addressable)
  3. Log-in Monitoring (Addressable)
  4. Password Management (Addressable)

Standard: Security Incident Procedures

Requires policies and procedures to address security incidents in the covered entity's environment: identify and respond to suspected or known incidents, mitigate their harmful effects to the extent practicable, and document the incidents and their outcomes.

Implementation Specifications

  1. Response and Reporting (Required)

Standard: Contingency Plan

Requires the entity to plan and establish strategies for restoring access to ePHI if it were to experience an emergency or other occurrence (fire, vandalism, system failure, natural disaster) that disrupts critical business operations.

Implementation Specifications

  1. Data Backup Plan (Required)
  2. Disaster Recovery Plan (Required)
  3. Emergency Mode Operation Plan (Required)
  4. Testing and Revision Procedures (Addressable)
  5. Applications and Data Criticality Analysis (Addressable)

Standard: Evaluation

Requires entities to perform periodic technical and non-technical evaluations of their security measures, initially and in response to environmental or operational changes, to confirm continued compliance with the Security Rule. There are no implementation specifications for this standard.

Standard: Business Associate Contracts and Other Arrangements

A covered entity may allow a business associate to create, receive, maintain, or transmit ePHI on its behalf only if it has a written contract or other arrangement with that business associate providing satisfactory assurances that the business associate will appropriately safeguard the information.

Implementation Specifications

  1. Written Contract or Other Arrangement (Required)

2. Physical Safeguards

These safeguards are the physical measures, policies, and procedures that protect the electronic information systems holding ePHI, and the buildings and equipment that house them, from natural and environmental hazards and from unauthorized physical intrusion.

These are broken down as follows within a HIPAA Security Assessment:

Standard: Facility Access Controls

Enacted to limit the access to the electronic information systems where ePHI is housed.

Implementation Specifications

  1. Contingency Operations (Addressable)
  2. Facility Security Plan (Addressable)
  3. Access Control and Validation Procedures (Addressable)
  4. Maintenance Records (Addressable)

Standard: Workstation Use

Requires policies and procedures that specify the proper functions to be performed on workstations that access ePHI, the manner in which they are performed, and the physical attributes of the surroundings of those workstations. There are no implementation specifications for this standard.

Standard: Workstation Security

Requires physical safeguards for all workstations that access ePHI, so that access is restricted to authorized users. There are no implementation specifications for this standard.

Standard: Device and Media Controls

This covers the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of those items within the facility, including backup, storage, re-use, disposal, and accountability for them.

Implementation Specifications

  1. Disposal (Required)
  2. Media Re-Use (Required)
  3. Accountability (Addressable)
  4. Data Backup and Storage (Addressable)

3. Technical Safeguards

A covered entity must determine the security measures and specific technologies that are reasonable and appropriate for its organization to meet these safeguards. The Security Rule is deliberately technology-neutral, so the assessment must document why the chosen controls satisfy each standard. The safeguards break down as follows:

Standard: Access Control

Requires technical policies and procedures that allow access to information systems, applications, programs, or files containing ePHI only to those persons or software programs that have been granted access rights.

Implementation Specifications

  1. Unique User Identification (Required)
  2. Emergency Access Procedure (Required)
  3. Automatic Logoff (Addressable)
  4. Encryption and Decryption (Addressable)

Standard: Audit Controls

This standard requires hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI, so that activity can be reviewed and reconstructed, particularly after a suspected security violation. This standard has no implementation specifications.

Standard: Integrity

This standard requires policies and procedures to protect ePHI from improper alteration or destruction, whether by unauthorized users or by accident.

Implementation Specifications

  1. Mechanism to Authenticate Electronic Protected Health Information (Addressable)

Standard: Person or Entity Authentication

This standard requires procedures to verify that a person or entity seeking access to ePHI is who they claim to be before access is granted. This standard has no implementation specifications.

Standard: Transmission Security

This standard requires technical security measures to guard against unauthorized access to ePHI while it is being transmitted over an electronic communications network.

Implementation Specifications

  1. Integrity Controls (Addressable)
  2. Encryption (Addressable)

In summary, when doing your own HIPAA Security Assessment, keep in mind that the Security Rule applies specifically to PHI in electronic form (the Privacy Rule is the rule that covers PHI in all forms, including oral and paper), and that every safeguard must be weighed against all three of confidentiality, integrity, and availability of that ePHI. Document the risk analysis, the decision made for each Required and Addressable specification, and the rationale behind it; the documentation is what an auditor will ask for. There are many HIPAA Security Assessment tools and services on the market, but none is more highly regarded in this space than Datica as a HIPAA compliance authority.

Did you miss our first post in the HIPAA Assessment Series? Check it out here!
