6 Safeguards Required By The HIPAA Security Rule

By Greg Garner

In 1996, the United States Congress enacted the Health Insurance Portability and Accountability Act (HIPAA), a federal law that seeks to ensure the security and privacy of a patient’s health care information. HIPAA applies to nearly the entire health care industry of the United States. Among the entities that HIPAA covers are health care providers such as doctors and pharmacists, health plans such as health insurance companies and some government programs that pay for health care, and health care clearinghouses that convert nonstandard health information received from another entity into a standard format.

Included in the federal law is the Security Rule, which establishes national standards for protecting any electronic personal health information (e-PHI) that entities covered by HIPAA create, receive, use, or maintain.

The Security Rule requires covered entities such as health care providers and health plans to put in place appropriate administrative, physical, and technical safeguards that ensure the confidentiality, security, and integrity of any e-PHI they handle. The following outlines the technical and physical safeguards that the HIPAA Security Rule requires.


1. Access Control.

Organizations, companies, and professionals covered by HIPAA are required by the Security Rule to implement technical policies and procedures that control access to e-PHI. Access to these protected records must be limited to authorized persons only.

2. Audit Controls.

Covered entities must also have procedural mechanisms, as well as hardware and software protections, that let them record and examine activity in systems that contain or use e-PHI. These mechanisms are used to record and review activity such as who accessed e-PHI and when.

3. Integrity Controls.

Covered entities are also required by the HIPAA Security Rule to implement electronic measures that protect e-PHI against unauthorized tampering. These measures, together with the accompanying policies and procedures, are used to ensure and confirm that patient information is not improperly altered or destroyed.

4. Transmission Security.

Since information can be accessed without authorization while it is being transferred or transmitted electronically, the HIPAA Security Rule requires covered entities to put in place technical security measures to prevent such incidents.

5. Facility Access and Control.

Beyond the electronic safeguards that keep electronically stored information secure, the Security Rule also requires covered entities to limit physical access to their facilities to authorized personnel only.

6. Workstation and Device Security.

In addition to electronic safeguards, covered entities must implement policies and procedures that specify how to properly use and access the workstations and electronic media on which they store e-PHI. Covered entities must also establish policies and procedures governing the transfer, removal, disposal, and reuse of electronic media, to ensure that the information on them stays secure and protected.

The technical and physical safeguards outlined above not only keep private patient information secure and confidential; they are equally important in making sure that HIPAA-covered entities stay out of trouble with the government.

About the Author: For more information please visit our HIPAA Training.
