Do the standards of the Security Rule require use of specific technologies?
No. The Security standards were designed to be "technology neutral" in order to facilitate use of the latest and most promising technologies that meet the needs of different healthcare organizations. Any regulatory requirement for implementation of specific technologies would bind the health care community to specific systems and/or software that may be superseded by rapidly developing technologies and improvements.
As outlined above:
HIPAA does not outline any specific rule or regulation regarding the use of administrative or elevated permissions, software, backups or other standards under the Security Rule requirements. Most such policies are the generalized policies set forth by your organization. While some practices might violate internal audit or policy, they DO NOT violate HIPAA regulations so long as the basis of HIPAA, protecting the confidentiality, integrity and availability of health information from unauthorized access, transmission, etc., is upheld.
Security 101 for Covered Entities
Health Information Technologies FAQ
Other Helpful HHS HIPAA Topics.
Security Standards: Physical Safeguards
Security Standards: Technical Safeguards
Organizational, Policies and Procedures and Documentation Requirements
Implementation for the Small Provider
Vatech America recommends that, if your organization or IT department requires Vatech Remote Support or its agents to be 'Authorized' before accessing systems remotely, you contact your local rep to establish a BAA (Business Associate Agreement) between your organization and Vatech America Inc.
Basics of Security Risk Analysis and Risk Management
RISK MANAGEMENT (R) - § 164.308(a)(1)(ii)(B)
Risk Management is a required implementation specification. It requires an organization to make decisions about how to address security risks and vulnerabilities. The Risk Management implementation specification states that covered entities must:
“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).”
Risk management is the process used to identify and implement security measures to reduce risk to a reasonable and appropriate level within the covered entity based on the covered entity’s circumstances. The measures implemented to comply with this required implementation specification must also allow the covered entity to comply with § 164.306(a) of the Security Standards: General Rules. Covered entities will want to answer some basic questions when planning their risk management process.
Security Standards: Administrative Safeguards
Volume 2 / Paper 2 5 5/2005: rev. 3/2007
Sample questions for covered entities to consider:
- What security measures are already in place to protect EPHI (i.e., safeguards)?
- Is executive leadership and/or management involved in risk management and mitigation decisions?
- Are security processes being communicated throughout the organization?
- Does the covered entity need to engage other resources to assist in risk management?
In general, a covered entity will want to make sure its risk management strategy takes into account the characteristics of its environment, including the factors at § 164.306(b)(2). These factors will help the covered entity to determine what potential security measures are reasonable and appropriate for its environment.
Regardless of the Administrative Safeguards a covered entity implements, those safeguards will not protect the EPHI if the workforce is unaware of its role in adhering to and enforcing them. Many security risks and vulnerabilities within covered entities are internal. This is why the next standard, Security Awareness and Training, is so important.
Specifically, the Security Awareness and Training standard states that covered entities must:
“Implement a security awareness and training program for all members of its workforce (including management).”
Security training for all new and existing members of the covered entity’s workforce is required by the compliance date of the Security Rule. In addition, periodic retraining should be given whenever environmental or operational changes affect the security of EPHI. Changes may include: new or updated policies and procedures; new or upgraded software or hardware; new security technology; or even changes in the Security Rule.
The Security Awareness and Training standard has four implementation specifications.
1. Security Reminders (Addressable)
2. Protection from Malicious Software (Addressable)
3. Log-in Monitoring (Addressable)
4. Password Management (Addressable)
Legacy / Unsupported Devices & Systems and HIPAA
How to keep our Legacy Device HIPAA Compliant.
Windows Compatibility Guides
Windows 7 Compatibility Guide
Windows 10 Compatibility Guide