HIPAA
HIPAA Security Rule (45 CFR Part 164, Subpart C)
The US rule setting administrative, physical and technical safeguards to protect electronic protected health information (ePHI). Combined with the Breach Notification Rule, it governs healthcare data security.
Who it applies to
US healthcare 'covered entities' (health plans, healthcare clearinghouses and most healthcare providers) and their 'business associates' that create, receive, maintain or transmit electronic protected health information (ePHI).
Administrative safeguards
- §164.308(a)(1) Security management process
Implement policies to prevent, detect, contain and correct security violations, including a risk analysis and risk management.
- §164.308(a)(6) Security incident procedures
Implement policies and procedures to identify, respond to, mitigate and document security incidents.
Technical safeguards
- §164.312(a)(1) Access control
Allow access to ePHI only to authorized persons or software programs, through unique user identification, emergency access procedures, automatic logoff, and encryption and decryption of ePHI.
- §164.312(b) Audit controls
Implement mechanisms to record and examine activity in systems that contain or use ePHI.
- §164.312(e)(1) Transmission security
Guard against unauthorized access to ePHI transmitted over networks, including integrity controls and encryption.