TECHNICAL SAFEGUARDS TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY
Requirement: Technical Access Controls

The following implementation feature must be implemented:

· Procedure for emergency access.

In addition, at least one of the following three implementation features must be implemented:

· Context-based access,
· Role-based access,
· User-based access.

The use of encryption is optional.

Implementation features:

· Context-based access.
· User-based access.
· Procedure for emergency access.
· Role-based access.
· Encryption.

Requirement: Audit Control

Implementation features:

· Log records.
· Transaction dates and associates.

Requirement: Authorization Control

At least one of the listed implementation features must be implemented.

Implementation features:

· Role-based access.
· User-based access.

Requirement: Data Authentication Control

Implementation features:

· Digital signatures.

Requirement: Entity Authentication Control

The following implementation features must be implemented:

· Automatic logoff,
· Unique user identification.

In addition, at least one of the other listed implementation features must be implemented.

Implementation features:

· Automatic logoff.
· Biometric.
· Password.
· PIN.
· Telephone callback.
· Token.
· Unique user identification.
Overview Of Above Requirements
Technical Access Controls

Access to resources must be restricted so that only privileged individuals and entities are allowed in. Limit access to personal health information to those employees who have a business need to access it. Types of access control include, among others, mandatory access control, discretionary access control, time-of-day, classification, and subject-object separation. Data backup and offsite storage in encrypted form is strongly recommended. The following implementation feature must be used:

· Procedure for emergency access.

In addition, at least one of the following three implementation features must be used:

· Context-based access.
· Role-based access.
· User-based access.

Audit Control

Audit control mechanisms must be put into place to record and examine all computer activity. This is important to identify suspect data access activities, assess the organization's security program, and respond to potential weaknesses.

Authentication Control

A mechanism must be put into place for obtaining patient consent for the use and disclosure of personal health information. This is necessary to ensure that personal health information is used only by properly authorized individuals. Either of the following implementation features may be used:

· Role-based access.
· User-based access. (see Access control, above)
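The following is an added example, not code from the CAL HIPAA page, showing how the access-control and authorization features listed above fit together in a hypothetical PHI record store: user-based access (an explicit per-record allow list), role-based access (permissions derived from the user's role), a procedure for emergency access ("break-glass") that requires a stated reason and is logged separately, and audit-control log records carrying the transaction date and the user involved. All role names, user ids, record ids and policy values are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role-based access: the actions each role may perform (constructed policy).
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": {"read_billing"},
}

# Roles allowed to invoke the emergency-access procedure (constructed policy).
EMERGENCY_ROLES = {"physician", "nurse"}


@dataclass
class PhiRecord:
    record_id: str
    # User-based access: user ids explicitly allowed on this record
    # (for example the patient's care team).
    allowed_users: set = field(default_factory=set)


@dataclass
class AuditEntry:
    """Audit-control log record: transaction date, user, record, action, decision."""
    timestamp: str
    user_id: str
    role: str
    record_id: str
    action: str
    decision: str
    reason: str = ""


class AccessGate:
    def __init__(self):
        self.audit_log: list = []

    def _log(self, user_id, role, record_id, action, decision, reason=""):
        entry = AuditEntry(datetime.now(timezone.utc).isoformat(),
                           user_id, role, record_id, action, decision, reason)
        self.audit_log.append(entry)
        return entry

    def request(self, user_id, role, record, action, emergency_reason=None):
        """Return True if access is granted. Every decision is logged."""
        rid = record.record_id
        # Unique user identification: an empty or anonymous id is never accepted.
        if not user_id:
            self._log(user_id, role, rid, action, "DENY", "missing user id")
            return False
        role_ok = action in ROLE_PERMISSIONS.get(role, set())
        user_ok = user_id in record.allowed_users
        if role_ok and user_ok:
            self._log(user_id, role, rid, action, "ALLOW")
            return True
        # Procedure for emergency access ("break-glass"): a clinical role may
        # read a record it is not normally assigned to, but only with a stated
        # reason, and the grant is logged distinctly for later review.
        if emergency_reason and action == "read" and role in EMERGENCY_ROLES:
            self._log(user_id, role, rid, action, "ALLOW_EMERGENCY", emergency_reason)
            return True
        self._log(user_id, role, rid, action, "DENY", "not authorized")
        return False

    def emergency_grants(self):
        """Entries a security officer should examine: every break-glass use."""
        return [e for e in self.audit_log if e.decision == "ALLOW_EMERGENCY"]
```

The gate denies by default: a request passes only when both the role and the per-record user list allow it, or when the emergency path is taken with a reason. Because denials are logged as well as grants, the audit log supports the "record and examine all computer activity" requirement, and `emergency_grants()` gives the reviewer the subset that most needs follow-up.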

Data Authentication Control

A system must be in place that corroborates that personal health information has not been altered or destroyed in an unauthorized manner. This could include the use of a checksum, double keying, a message authentication code, or a digital signature.
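An added example, not from the page, contrasting two of the mechanisms named above on a constructed PHI record: a checksum (CRC-32), which needs no key and therefore detects accidental corruption only, and a message authentication code (HMAC-SHA256), which detects any change not made with the key and so also covers unauthorized alteration. The record, the key and the corruption scenarios are all constructed for the demonstration; a digital signature would give the same tamper detection with a public verification key and is not shown because it needs a third-party library.

```python
import hashlib
import hmac
import json
import zlib


def canonical(record: dict) -> bytes:
    """Deterministic encoding so the same record always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> int:
    """Checksum (CRC-32): detects accidental corruption; needs no key."""
    return zlib.crc32(canonical(record))


def checksum_ok(record: dict, expected: int) -> bool:
    return checksum(record) == expected


def mac(record: dict, key: bytes) -> str:
    """Message authentication code (HMAC-SHA256): any change made without
    the key is detected, so it covers unauthorized alteration, not just accidents."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def mac_ok(record: dict, key: bytes, expected: str) -> bool:
    # Constant-time comparison so verification time does not leak the tag.
    return hmac.compare_digest(mac(record, key), expected)


def demo() -> dict:
    # Constructed key for the demo only; a real key comes from a key store.
    key = b"constructed-demo-key-not-for-real-use"
    record = {"patient_id": "pt-001", "allergy": "penicillin"}
    stored_checksum = checksum(record)
    stored_mac = mac(record, key)

    # Accidental corruption (a character changed in storage): both checks
    # fail, which is exactly what a checksum is for.
    corrupted = dict(record, allergy="penicilin")

    # Unauthorized alteration in which the stored checksum was updated along
    # with the data: the checksum check passes because it needs no key, while
    # the MAC check still fails because the alteration was not made with the key.
    altered = dict(record, allergy="none")
    altered_checksum = checksum(altered)

    return {
        "intact_passes_mac": mac_ok(record, key, stored_mac),
        "corrupted_passes_checksum": checksum_ok(corrupted, stored_checksum),
        "corrupted_passes_mac": mac_ok(corrupted, key, stored_mac),
        "altered_passes_checksum": checksum_ok(altered, altered_checksum),
        "altered_passes_mac": mac_ok(altered, key, stored_mac),
    }
```

The practical reading for the data authentication requirement: a checksum satisfies "not destroyed" (accidental damage) but only a keyed mechanism such as a MAC, or a digital signature, satisfies "not altered in an unauthorized manner", and the key or signing key must itself be kept out of reach of the parties whose changes are being checked.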

User/Entity Authentication

User/Entity authentication control must be implemented. This is important to corroborate that a user or entity is who it claims to be. This prevents the improper identification of a user or entity who is accessing secure data. The following implementation features could be used:

· Automatic logoff.
· Unique user identification.

In addition, at least one of the following implementation features must be used:

· A biometric identification system.
· A password system.
· A personal identification number (PIN).
· Telephone callback.
· A token system which uses a physical device for user identification.
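As an added example that is not part of the page, the following combines three of the entity-authentication features above in a hypothetical web application: unique user identification (duplicate or empty ids are rejected), a password system (salted PBKDF2 hashes verified in constant time), and automatic logoff (a session that has been idle longer than a limit is removed on its next use). The `FakeClock`, the idle limit, the PBKDF2 work factor and the user data are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta, timezone

PBKDF2_ROUNDS = 200_000              # constructed work factor
IDLE_LIMIT = timedelta(minutes=15)   # constructed automatic-logoff policy


class UserStore:
    """Unique user identification plus a password implementation feature."""

    def __init__(self):
        self._users = {}  # user_id -> (salt, password hash)

    def add_user(self, user_id: str, password: str) -> None:
        if not user_id or user_id in self._users:
            raise ValueError("user id must be present and unique")
        salt = os.urandom(16)
        self._users[user_id] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def verify(self, user_id: str, password: str) -> bool:
        entry = self._users.get(user_id)
        if entry is None:
            # Hash anyway so an unknown id takes as long as a wrong password.
            self._hash(password, b"\0" * 16)
            return False
        salt, stored = entry
        return hmac.compare_digest(self._hash(password, salt), stored)


class FakeClock:
    """Controllable clock so the idle timeout can be exercised deterministically."""

    def __init__(self, start: datetime = None):
        self.now = start or datetime(2024, 1, 1, tzinfo=timezone.utc)

    def advance(self, minutes: int) -> None:
        self.now += timedelta(minutes=minutes)

    def __call__(self) -> datetime:
        return self.now


class SessionManager:
    """Entity authentication with automatic logoff after inactivity."""

    def __init__(self, store: UserStore, idle_limit=IDLE_LIMIT, clock=None):
        self.store = store
        self.idle_limit = idle_limit
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.sessions = {}  # token -> (user_id, last activity)

    def login(self, user_id: str, password: str):
        """Return a session token on success, None on failure."""
        if not self.store.verify(user_id, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user_id, self.clock())
        return token

    def touch(self, token: str):
        """Return the user id if the session is live; otherwise log it off and return None."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user_id, last = entry
        now = self.clock()
        if now - last > self.idle_limit:
            del self.sessions[token]   # automatic logoff
            return None
        self.sessions[token] = (user_id, now)
        return user_id
```

The session token, not the user id, is what the client presents on each request, and every request is checked against the idle limit before the user id is trusted again; that is what turns "automatic logoff" from a screen-saver setting into an enforced control.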

HIPAA Compliance Dates

Standard                          Compliance Date   Extension Date
Transactions and Code Sets        10/16/2003        10/16/2003 (only if application filed before Oct 15, 2002)
National Provider Identifier      Pending           Not Applicable
National Employer Identifier      Pending           Not Applicable
Security Rule                     4/20/2005         Not Applicable
Privacy Rule                      4/14/2003         Not Applicable
National Health Plan Identifier   Pending           Not Applicable
Claims Attachments                Pending           Not Applicable
Enforcement                       Pending           Not Applicable
National Individual Identifier    Pending           Not Applicable
Business Associates               4/14/2003         4/14/2004 (see note)

Note: the Business Associates extension applies ONLY to business associates with existing business associate contracts made prior to April 14, 2003.

Disclaimer: CAL HIPAA, LLC. obtains its information from sources it believes to be reliable. However, because of the possibility of human and mechanical error as well as other factors, CAL HIPAA, LLC. makes no representations or warranties, express or implied, as to the accuracy or timeliness of its information, and cannot be responsible or liable for any errors or omissions in its information or the results obtained from the use of such information. Information contained on this web site consists of statements of opinion and not statements of fact or recommendations and does not constitute legal advice. This web site utilizes independent information providers (IIPs) and independent product providers (IPPs). CAL HIPAA, LLC. is not a referral service and does not recommend or endorse any particular IIP or IPP. Rather, CAL HIPAA, LLC. is only an intermediary that provides limited information about IIPs and IPPs. We do not endorse or offer advice regarding the quality or suitability of any product from any IPP, or endorse or offer advice regarding the quality or suitability of any advice from any IIP, or particular provider for any reason, and no information on this Site should be construed as advice or as an endorsement. Users of this site are required to register and to agree, without exception, to our Web Site Access License Agreement. Users are solely responsible for determining whether the information provided on this Site is suitable for their purposes, and reliance on the information is at the user's sole risk. Users should obtain any additional information necessary to make informed decisions.