HIPAA Security Standards - PowerPoint PPT Presentation
PowerPoint Slideshow about 'HIPAA Security Standards' - devaki
HIPAA Security Standards

What’s happening in your office?

  • Industry Statistics
  • Review Rules
  • Assessment - What needs to be done?
  • Physical and Technical Safeguards
  • Technical terminology
  • Next Steps
  • Questions – Open Discussion

Security Standards

Required or Addressable

HIPAA Security Standards
  • Administrative Safeguards (55%)
    • 12 required, 11 Addressable
  • Physical Safeguards (24%)
    • 4 required, 6 Addressable
  • Technical Safeguards (21%)
    • 4 required, 5 Addressable

The final rule has been modified to increase flexibility as to how protection is accomplished.

Addressable Implementation Specifications
  • Covered entities must assess if an implementation specification is reasonable and appropriate based upon factors such as:
    • Risk analysis and mitigation strategy
    • Costs of implementation
    • Current security controls in place
  • Key concept: “reasonable and appropriate”
  • Cost is not meant to free covered entities from their security responsibilities
Addressable Implementation Specifications

“In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following:

a. Implement one or more of the addressable implementation specifications;

b. Implement one or more alternative security measures;

c. Implement a combination of both; or

d. Not implement either an addressable implementation specification or an alternative security measure.”

Must document!

Security

  • Refers to techniques for ensuring that data stored in a computer cannot be read or compromised. Most security measures involve data encryption and passwords. Data encryption is the translation of data into a form that is unintelligible without a deciphering mechanism. A password is a secret word or phrase that gives a user access to a particular program or system.

Firewall

  • A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

There are several types of firewall techniques:

  • Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
  • Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
  • Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
  • Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
  • In practice, many firewalls use two or more of these techniques in concert.
  • A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.
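As an added illustration (not part of the slides), the packet-filter behaviour and its IP-spoofing caveat simulated in Python: a stateless first-match filter, a naive rule set that trusts only the packet's source address field, and a hardened set with an ingress anti-spoofing rule. The intranet (10.0.0.0/8), the server address and all packets are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    """One IP packet header as the filter sees it (constructed sample data)."""
    iface: str   # interface it arrived on: "ext" (Internet side) or "int" (intranet side)
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    """A user-defined rule; '*', 0.0.0.0/0 and None mean 'any'."""
    action: str               # "accept" or "reject"
    iface: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and (self.dport is None or self.dport == p.dport))

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Stateless first-match evaluation; anything unmatched is rejected (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "reject"

# Hypothetical intranet 10.0.0.0/8 with a web server at 10.0.0.5.
NAIVE_RULES = [
    Rule("accept", src="10.0.0.0/8"),                       # trusts the source field alone
    Rule("accept", dst="10.0.0.5/32", proto="tcp", dport=443),
]
HARDENED_RULES = [
    Rule("reject", iface="ext", src="10.0.0.0/8"),          # internal addresses never arrive from outside
    Rule("accept", iface="int", src="10.0.0.0/8"),
    Rule("accept", iface="ext", dst="10.0.0.5/32", proto="tcp", dport=443),
]
# Constructed packet: arrives from the Internet but claims an internal source address.
SPOOFED = Packet("ext", "10.0.0.9", "10.0.0.5", "tcp", 23)
```

The naive rules accept SPOOFED because they cannot tell a forged source address from a real one; the hardened rules tie the trusted address range to the interface it can legitimately arrive on, which is the usual mitigation for the spoofing weakness the slide mentions.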

VPN

  • Short for virtual private network, a network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

Antivirus program

  • A utility that searches a hard disk for viruses and removes any that are found. Most antivirus programs include an auto-update feature that enables the program to download profiles of new viruses so that it can check for the new viruses as soon as they are discovered.

Secure server

  • A Web server that supports any of the major security protocols, like SSL, that encrypt and decrypt messages to protect them against third party tampering. Making purchases from a secure Web server ensures that a user's payment or personal information can be translated into a secret code that's difficult to crack. Major security protocols include SSL, SHTTP, PCT, and IPSec.
Next Steps
  • Assign responsibility to one person
  • Conduct a risk analysis
  • Deliver security awareness in conjunction with privacy
  • Develop policies, procedures, and documentation as needed
  • Review and modify access and audit controls
  • Establish security incident reporting and response procedures
Helpful sites:
  • www.hipaadvisory.com – Phoenix Health System
  • www.himss.org – Health Information Management Systems Society
  • www.sans.org/resources/policies/ – SysAdmin, Audit, Networks, Security Institute
  • www.hipaacomply.com – Beacon Partners
  • www.cms.gov/hipaa/ – Center for Medicare and Medicaid Services
  • www.aha.org – American Hospital Association
  • www.aamc.org/members/gir/gasp/ – Guidelines for Academic Medical Centers on Security and Privacy
  • http://dirm.state.nc.us.hipaa.hippa2002/security/security.html – North Carolina DHHS HIPAA