General HIPAA Guidelines including Administrative rights and remote access

Written on Feb 5, 2020
Do the standards of the Security Rule require use of specific technologies?


No. The Security standards were designed to be "technology neutral" in order to facilitate use of the latest and most promising technologies that meet the needs of different healthcare organizations. Any regulatory requirement for implementation of specific technologies would bind the health care community to specific systems and/or software that may be superseded by rapidly developing technologies and improvements.

As outlined above;

HIPAA does not outline any specific rule or regulation in reference to the usage of Administrative, Elevated permissions, software, backups or other standards of the Security Rule requirements, most generalized policies are those set forth by your organisation while some topics might violate internal audit or policy, it DOES NOT violate HIPAA regulations so long as the basis of HIPAA - Protecting the confidentiality, integrity and availibility from unauthorized access, transmission etc..

General Rules

  • The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.

    Specifically, covered entities must:

    1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
    2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
    3. Protect against reasonably anticipated, impermissible uses or disclosures; and
    4. Ensure compliance by their workforce.

Security 101 for Covered Entities

Health Information Technologies FAQ

Other Helpful HHS HIPAA Topics.

Administrative Safeguards

Security Standards: Physical SafeGaurds

Security Standards: Technical SafeGaurds

Organizational, Policies and Procedures and Documentation Requirements

Implementation for the Small Provider

Remote Access

Vatech America recommends if your organization or IT dept. requires Vatech Remote support or its Agents to remotly access be 'Authorized' - Vatech recommends you contact your local rep to establish a BAA between your organization and Vatech America Inc.

Basics of Security Risk Analysis and Risk Management

RISK MANAGEMENT (R) - § 164.308(a)(1)(ii)(B)

Risk Management is a required implementation specification. It requires an organization
to make decisions about how to address security risks and vulnerabilities. The Risk
Management implementation specification states that covered entities must:

“Implement security measures sufficient to reduce risks and
vulnerabilities to a reasonable and appropriate level to comply with

Risk management is the process used to identify and implement security measures to
reduce risk to a reasonable and appropriate level within the covered entity based on the
covered entity’s circumstances. The measures implemented to comply with this required
implementation specification must also allow the covered entity to comply with  164.306(a)

of the Security Standards: General Rules. Covered entities will want to
answer some basic questions when planning their risk management process.

Security Standards: Administrative Safeguards
Volume 2 / Paper 2 5 5/2005: rev. 3/2007
164.306(a) of the Security Standards:

General Rules. Covered entities will want to answer some basic questions when planning their risk management process.

Sample questions for covered entities to consider:

  •  What security measures are already in place to protect EPHI (i.e.,safeguards)?
  •  Is executive leadership and/or management involved in risk management and mitigation decisions?
  •  Are security processes being communicated throughout the organization?
  •  Does the covered entity need to engage other resources to assist in risk management?

In general, a covered entity will want to make sure itsrisk management strategy takes into account the characteristics of its environment including the
factors at § 164.306(b)(2). These factors will help the covered entity to determine what potential security measuresare reasonable and appropriate for its environment.

Regardless of the Administrative Safeguards a covered entity implements, those safeguards will
not protect the EPHI if the workforce is unaware of its role in adhering to and enforcing them.
Many security risks and vulnerabilities within covered entities are internal. This is why the next
standard, Security Awareness and Training, is so important.
Specifically, the Security Awareness and Training standard states that covered entities must:
“Implement a security awareness and training program for all members of
its workforce (including management).”

Security training for all new and existing members of the covered entity’s workforce is required
by the compliance date of the Security Rule. In addition, periodic retraining should be given
whenever environmental or operational changes affect the security of EPHI. Changes may
include: new or updated policies and procedures; new or upgraded software or hardware; new
security technology; or even changes in the Security Rule.

The Security Awareness and Training standard has four implementation specifications.

1. Security Reminders (Addressable)
2. Protection from Malicious Software (Addressable)
3. Log-in Monitoring (Addressable)
4. Password Management (Addressable)


Legacy / Unsupported Devices & Systems and HIPAA

How to keep our Legacy Device HIPAA Compliant.


Windows Compatibility Guides

Windows 7 Compatibility Guide

Windows 10 Compatibility Guide

Related Tags

Counts indicate more articles with the same tags

Related Products

Counts indicate more articles with the same products