HIPAA Safeguards: Administrative - Physical - Technical

The HIPAA Security Final Rule features three categories with Required (R) and Addressable (A) implementations. Here is what that means to you.

Required implementation specifications are mandatory if your organization is a covered entity

Administrative

The foundation on which the other two standards depend.

These specifications are Required (R).

• Performing Risk analysis
• Risk management
• Development and publication of policies
• Determination of procedure and guidelines
• Personnel security requirements
• Security training

Physical

Protect a covered entities electronic information systems, related buildings and equipment for natural, environment hazards and unauthorized intrusion

These specifications are Required (R).

• Workstation use
• Workstation security
• Device and media disposal
• Device and media reuse

Technical

Technology and the policy and procedures for its use that protect ePHI and control access to it.

These specifications are Required (R).

• Unique user identification
• emergency access procedure
• Audit controls - Access Rights
• Person or entity authentication