Health Insurance Portability and Accountability Act Security Rule

US federal law that establishes national standards to protect electronic personal health information (ePHI). Covers administrative, physical, and technical safeguards.

Severity summary: 4 critical, 13 high, 4 medium
164.312(a)(1) (severity: high)

Access Control — Unique User Identification

Assign a unique name and/or number for identifying and tracking user identity.

164.312(a)(2)(iv) (severity: high)

Access Control — Encryption and Decryption

Implement a mechanism to encrypt and decrypt ePHI.

164.312(b) (severity: high)

Audit Controls

Implement hardware, software, and/or procedural mechanisms that record and examine activity in systems containing ePHI.

164.312(d) (severity: critical)

Person or Entity Authentication

Implement procedures to verify that a person seeking access to ePHI is the person claimed.

164.312(e)(1) (severity: high)

Transmission Security

Implement technical security measures to guard against unauthorized access to ePHI transmitted over electronic networks.

164.308(a)(1), control HIPAA-308-001 (severity: critical)

Security Management Process — Risk Analysis

Conduct an accurate and thorough assessment of potential risks and vulnerabilities to ePHI confidentiality, integrity, and availability.

164.308(a)(3), control HIPAA-308-003 (severity: high)

Workforce Security

Implement policies and procedures to ensure all workforce members have appropriate access to ePHI and prevent those who shouldn't from gaining access.

164.308(a)(4), control HIPAA-308-004 (severity: high)

Information Access Management

Implement policies and procedures for authorizing access to ePHI consistent with HIPAA's minimum necessary standard.

164.308(a)(5), control HIPAA-308-005 (severity: medium)

Security Awareness and Training

Implement a security awareness and training program for all workforce members.

164.308(a)(6), control HIPAA-308-006 (severity: critical)

Security Incident Procedures

Identify and respond to suspected or known security incidents; mitigate harmful effects; document incidents and outcomes.

164.308(a)(7), control HIPAA-308-007 (severity: high)

Contingency Plan

Establish and implement policies and procedures for responding to emergencies or other occurrences (e.g., fire, vandalism, system failure, natural disaster) that damage ePHI systems.

164.308(b)(1), control HIPAA-308-B-001 (severity: high)

Business Associate Contracts

Obtain satisfactory assurances from business associates that they will appropriately safeguard ePHI; document via Business Associate Agreement (BAA).

164.310(a), control HIPAA-310-001 (severity: medium)

Facility Access Controls

Implement policies and procedures to limit physical access to ePHI systems and the facility in which they are housed.

164.310(d), control HIPAA-310-D-001 (severity: high)

Device and Media Controls

Implement policies and procedures governing the receipt and removal of hardware/electronic media containing ePHI into and out of the facility.

164.312(b), control HIPAA-312-B-001 (severity: high)

Audit Controls

Implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

164.314(a), control HIPAA-314-001 (severity: high)

Business Associate Technical Requirements

Establish written contracts requiring business associates to comply with HIPAA Security Rule technical requirements equivalent to the covered entity.

164.316(a), control HIPAA-316-001 (severity: medium)

Policies and Procedures

Implement reasonable and appropriate policies and procedures to comply with HIPAA Security Rule standards and implementation specifications.

164.316(b), control HIPAA-316-002 (severity: medium)

Documentation Retention

Retain HIPAA documentation for 6 years from date of creation or last effective date, whichever is later.

164.402, control HIPAA-402-001 (severity: high)

Breach Definition + Risk Assessment

Determine whether an impermissible use or disclosure constitutes a breach requiring notification via the 4-factor risk assessment.

164.404, control HIPAA-404-001 (severity: critical)

Patient Notification of Breach

Notify affected individuals of a breach of unsecured PHI within 60 days of discovery.

164.406, control HIPAA-406-001 (severity: high)

Media Notification for Large Breaches

For breaches affecting 500+ individuals in a state/jurisdiction, notify prominent media outlets in that state/jurisdiction within 60 days.