3 Components of HIPAA Security Standards Regarding Electronic Health Information

Administrative

• Electronic health records require administrative safeguards that ensure secure access by only designated and approved individuals. HIPAA dictates that covered entities delegate security responsibility to specific individuals and minimize access to private health information. Access is protected through security management processes, information access management, password management, contingency planning and associate contractual arrangements.

Physical

• Electronic health records and related systems must be protected from threats, environmental hazards and unauthorized access to data. Physical safeguards restrict access to electronic private health information to certain authorized individuals and ensure electronic record back-up on a secure, off-site computer system. Covered entities must enforce facility access controls, workstation use and security and data back-up and storage procedures.

Technical

• Automated processes must be implemented to protect private health information and control access to data using authentication controls. These automated processes ensure that only approved and qualified individuals have access to the data. HIPAA requires entities to establish access controls, execute audit controls, implement data integrity checks, create authentication procedures and enforce transmission security measures to ensure security and data integrity.