HIPAA Security Rule Security Controls

Version 2003

The HIPAA Security Rule (45 CFR Part 164) establishes national standards for protecting electronic Protected Health Information (ePHI). It requires covered entities and their business associates to implement administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of ePHI. Any healthcare provider, health plan, or healthcare clearinghouse that transmits health information electronically must comply.

Total controls

Critical priority

160h

Est. implementation

Trust service categories

The HIPAA Security Rule is United States federal law (45 CFR Parts 160 and 164) and is in the public domain. Control descriptions authored by AuditRubric.

Administrative Safeguards Physical Safeguards Technical Safeguards Organizational Requirements Policies & Procedures

Administrative Safeguards

9 controls

Policies, procedures, and processes to manage the selection, development, implementation, and maintenance of security measures protecting ePHI and workforce conduct.

Security Management Process

hipaa-as-1

Implement a security management process to prevent, detect, contain, and correct security violations

critical 16h

Assigned Security Responsibility

hipaa-as-2

Designate a security official responsible for developing and implementing security policies and procedures

critical 2h

Workforce Security

hipaa-as-3

Implement procedures to ensure workforce members have appropriate access to ePHI and prevent unauthorized access

high 6h

Information Access Management

hipaa-as-4

Implement policies and procedures for authorizing access to ePHI

high 6h

Security Awareness and Training

hipaa-as-5

Implement a security awareness and training program for all workforce members

high 8h

Security Incident Procedures

hipaa-as-6

Implement policies and procedures to address security incidents involving ePHI

critical 8h

Contingency Plan

hipaa-as-7

Establish and implement contingency plans to respond to emergencies that damage systems containing ePHI

high 16h

Evaluation

hipaa-as-8

Perform periodic technical and non-technical evaluations of security controls in response to environmental or operational changes

medium 12h

Business Associate Contracts

hipaa-as-9

Obtain satisfactory assurances from business associates that they will appropriately safeguard ePHI

critical 6h

Physical Safeguards

4 controls

Physical measures, policies, and procedures to protect electronic information systems, buildings, and equipment from natural and environmental hazards and unauthorized intrusion.

Facility Access Controls

hipaa-ps-1

Implement policies and procedures to limit physical access to electronic information systems and the facilities where they are housed

high 8h

Workstation Use

hipaa-ps-2

Specify the proper functions to be performed by workstations that access ePHI and the manner in which those functions are to be performed

medium 4h

Workstation Security

hipaa-ps-3

Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users

high 6h

Device and Media Controls

hipaa-ps-4

Implement policies and procedures governing the receipt, removal, and disposal of hardware and electronic media containing ePHI

high 6h

Technical Safeguards

5 controls

Technology and related policies and procedures that protect ePHI and control access to it.

Access Control

hipaa-ts-1

Implement technical policies and procedures to allow access to ePHI only to authorized persons or software programs

critical 8h

Audit Controls

hipaa-ts-2

Implement hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI

high 8h

Integrity

hipaa-ts-3

Implement policies and procedures to protect ePHI from improper alteration or destruction

high 6h

Person or Entity Authentication

hipaa-ts-4

Implement procedures to verify that a person or entity seeking access to ePHI is who they claim to be

critical 6h

Transmission Security

hipaa-ts-5

Implement technical security measures to guard against unauthorized access to ePHI transmitted over electronic communications networks

critical 8h

Organizational Requirements

1 controls

Requirements for contracts and arrangements with business associates and group health plans that handle ePHI.

Business Associate Contract Requirements

hipaa-or-1

Ensure contracts or other arrangements with business associates meet HIPAA requirements and provide satisfactory assurances of ePHI protection

high 4h

Policies & Procedures

2 controls

Requirements to implement reasonable and appropriate policies and procedures and maintain documentation for six years.

Policy Implementation

hipaa-pp-1

Implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule

high 12h

Documentation

hipaa-pp-2

Maintain written security policies, procedures, and records for six years from creation or last effective date

medium 4h