4 Security Standards: Technical Safeguards
Volume 2 / Paper 4, page 3. 5/2005: rev. 3/2007
measures such as technology solutions. In addition, the results of the required risk analysis and risk management processes at §§ 164.308(a)(1)(ii)(A) & (B) will also assist the entity in making informed decisions about which security measures to implement.

NOTE: For more information about Risk Analysis and Risk Management, see paper 6 in this series, “Basics of Risk Analysis and Risk Management.”

The Security Rule does not require specific technology solutions. In this paper, some security measures and technical solutions are provided as examples to illustrate the standards and implementation specifications. These are only examples. There are many technical security tools, products, and solutions that a covered entity may select. Determining which security measure to implement is a decision that covered entities must make based on what is reasonable and appropriate for their specific organization, given their own unique characteristics, as specified in § 164.306(b), the Security Standards: General Rules, Flexibility of Approach.

Some solutions may be costly, especially for smaller covered entities. While cost is one factor a covered entity may consider when deciding on the implementation of a particular security measure, it is not the only factor. The Security Rule is clear that reasonable and appropriate security measures must be implemented (see 45 CFR 164.306(b)) and that the General Requirements of § 164.306(a) must be met.

NOTE: A covered entity must establish a balance between the identifiable risks and vulnerabilities to EPHI, the cost of various protective measures, and the size, complexity, and capabilities of the entity, as provided in § 164.306(b)(2).

Access Control

The Security Rule defines access in § 164.304 as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. (This definition applies to “access” as used in this subpart, not as used in subpart E of this part [the HIPAA Privacy Rule]).” Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement as part of § 164.308(a)(4), the Information Access Management standard under the Administrative Safeguards section of the Rule.

NOTE: For more information on Information Access Management, see paper 2 in this series, “Security Standards – Administrative Safeguards.”

The Access Control standard requires a covered entity to: