technical safeguards, security (HIPAA)

HIPAA's Security Rule divides its protections into three "safeguard" categories: technical (discussed here), administrative and physical. Each safeguard category includes various standards and implementation specifications.

The Rule defines technical safeguards as "the technology and the policy and procedures for its use that protect electronic protected health information [PHI] and control access to it." Earlier versions of the Rule further divided the category into "technical security mechanisms" and "technical security services."

The technical safeguards standards and specifications are presented in the matrix below. (For more information on a particular standard, follow the link in the left column.) Note that the listing is very generic, reflecting the regulation's aims of "technology neutrality" and "scalability."

Standard                          CFR section     Implementation specification ((r) = required; (a) = addressable)

access control                    164.312(a)(1)   unique user identification (r)
                                                  emergency access procedure (r)
                                                  automatic logoff (a)
                                                  encryption and decryption (a)
audit controls                    164.312(b)      (r)
integrity                         164.312(c)(1)   mechanism to authenticate electronic PHI (a)
person or entity authentication   164.312(d)      (r)
transmission security             164.312(e)(1)   integrity controls (a)
                                                  encryption (a)

Source: Appendix A to Subpart C of Part 164

   © 2002-2006 Contributing authors and University of Miami School of Medicine