PHYSICAL SAFEGUARDS TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

Requirement / Implementation Features

Security Responsibility
· Appoint a security officer.
· Maintain record of sanctions.

Media Controls
· Access control.
· Accountability (tracking mechanism).
· Secure data backup.
· Secure data storage.
· Data disposal.

Physical Access Controls
· Disaster recovery.
· Hardware/software installation & maintenance review and testing for security features.
· Equipment control (into and out of site).
· Inventory.
· Security testing.
· Visitor sign-in.
· Emergency mode operation.
· Need-to-know procedures for personnel access.

Policy/Guideline on Work Station Use
· Secure computer when unattended.
· Ensure authorized access only.

Secure Work Station Location
· Restrict access to need to know.
· Authorization.

Security Awareness Training
· Must be maintained and documented properly.
Overview Of Above Requirements
Assigned Security Responsibility

The responsibility for health information security must be assigned to a specific individual, and the assignment must be documented. Responsibilities include the management and supervision of (1) the use of security measures to protect personal health information and (2) the conduct of personnel in relation to the protection of personal health information. This assignment is important because it gives security a clear focus and importance and pinpoints responsibility.

Media Controls

Media controls are required in the form of formal, documented policies and procedures that govern the receipt and removal of hardware and software (for example, diskettes, tapes, CDs, files and folders) into and out of an office or facility. These controls are important to ensure total control of media containing personal health information. These controls must include the following implementation features:

· Controlled access to media.
· Accountability (a tracking mechanism).
· Secure data backup.
· Secure data storage.
· Disposal.

Physical Access Controls

Physical access controls (limiting access) are required. These must be formal, documented policies and procedures for limiting physical access to computers, files and file cabinets while ensuring that properly authorized access is allowed. These controls are extremely important to the security of personal health information and to preventing unauthorized physical access to it. They further ensure that authorized personnel have proper access. These controls must include the following implementation features:

· Disaster recovery.
· Emergency mode operation.
· Equipment control (into and out of site).
· An office/facility security plan.
· Procedures for verifying access authorizations prior to physical access.
· Maintenance records.
· Need-to-know procedures for personnel access.
· Sign-in for visitors and escort, if appropriate.
· Testing and revision.

Policy/Guideline on Workstation/Area Use

A policy/guideline on work area use must be implemented. It must consist of documented instructions/procedures that delineate the proper functions to be performed and the manner in which those functions are to be performed (for example, logging off before leaving a terminal unattended). This is important so that co-workers, employees and visitors will understand the manner in which work areas must be used to maximize the security of health information.

Secure Workstation Location

Physical safeguards must be initiated at computer workstations/areas to eliminate or minimize the possibility of unauthorized access to information in health care provider offices and facilities.

Security Awareness Training

Security awareness training is required for all health care co-workers, employees, agents, contractors, and authorized visitors. This is important because everyone needs to understand the security responsibilities that follow from their job responsibilities and make security a part of their daily activities.

HIPAA Compliance Dates

Standard | Compliance Date | Extension Date
Transactions and Code Sets | 10/16/2003 | 10/16/2003 (only if application filed before Oct 15, 2002)
National Provider Identifier | Pending | Not Applicable
National Employer Identifier | Pending | Not Applicable
Security Rule | 4/20/2005 | Not Applicable
Privacy Rule | 4/14/2003 | Not Applicable
National Health Plan Identifier | Pending | Not Applicable
Claims Attachments | Pending | Not Applicable
Enforcement | Pending | Not Applicable
National Individual Identifier | Pending | Not Applicable
Business Associates | 4/14/2003 | 4/14/2004

Extension applies ONLY to business associates with existing business associate contracts made prior to April 14, 2003.

Disclaimer: CAL HIPAA, LLC. obtains its information from sources it believes to be reliable. However, because of the possibility of human and mechanical error as well as other factors, CAL HIPAA, LLC. makes no representations or warranties, express or implied, as to the accuracy or timeliness of its information, and cannot be responsible or liable for any errors or omissions in its information or the results obtained from the use of such information. Information contained on this web site are statements of opinion and not statements of fact or recommendations and do not constitute legal advice. This web site utilizes independent information providers (IIPs) and independent product providers (IPPs). CAL HIPAA, LLC. is not a referral service and does not recommend or endorse any particular IIP or IPP. Rather, CAL HIPAA, LLC. is only an intermediary that provides limited information about IIPs and IPPs. We do not endorse or offer advice regarding the quality or suitability of any product from any IPP, or endorse or offer advice regarding the quality or suitability of any advice from any IIP, or particular provider for any reason, and no information on this Site should be construed as advice or as an endorsement. Users of this site are required to register and to agree, without exception, to our Web Site Access License Agreement. Users are solely responsible for determining whether the information provided on this Site is suitable for their purposes, and reliance on the information is at the user's sole risk. Users should obtain any additional information necessary to make informed decisions.