What must covered entities (CEs) demonstrate regarding electronic protected health information (ePHI)?
CEs must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.
What should CEs protect ePHI against?
CEs must protect ePHI against reasonably anticipated threats or hazards to the security or integrity of ePHI.
How is the HIPAA Security Rule described in terms of flexibility?
The HIPAA Security Rule is flexible, scalable, and technology neutral, allowing CEs to adopt appropriate and reasonable security measures.
What should be considered when determining security measures for a CE?
Consider the size, complexity, and capabilities of the CE, technical infrastructure, security measure costs, and probability of potential risks.
What does scalable mean in the context of the HIPAA Security Rule?
It means the Security Rule accommodates CEs of any size.
What are implementation specifications in the HIPAA Security Rule?
They define how standards are to be implemented, and can be required or addressable.
What action must a CE take if it decides against encrypting PHI?
The CE must document why encryption is not reasonable and appropriate and implement an equivalent alternative method.
What are administrative safeguards?
Documented formal practices to manage data security measures throughout the CE.
What is the purpose of a security management process for CEs?
To create, maintain, and oversee the development of security policies and procedures and conduct risk analysis.
Who must each CE designate regarding security responsibility?
Each CE must designate a security official to oversee security measures.
What should the information access management program include?
Policies and procedures to determine who should have access to what information.
What must CEs provide to their workforce regarding security?
Security awareness and training for all members of the workforce.
What does the contingency plan for CEs include?
Policies for responding to emergencies or failures in systems that contain ePHI, including data backup and disaster recovery plans.
What do physical safeguards protect against?
They protect hardware, software, and data from natural and environmental hazards.
What are facility access controls?
Policies and procedures to manage the physical security of a facility.
What must CEs do regarding business associate contracts?
CEs must require business associates to appropriately safeguard information and receive assurances that they will do so.