Security Standards

The proposed HIPAA security regulations establish a minimum framework of standard procedures for ensuring the protection of all individually identifiable health information that is maintained, transmitted or received in electronic form. These standards guard the integrity, confidentiality, and availability of electronic data. The safeguards are intended to protect data from accidental or intentional release to unauthorized persons, and from alteration, destruction or loss. For more information on the proposed HIPAA security standards, visit the DHHS website.

The standards fall into four categories:

Administrative Procedures

Policies and procedures must be implemented and documented in each of these twelve areas:

  • Training programs in security management and process issues
  • Formal data processing protocols
  • Formal protocols for controlling access to data
  • Internal audit procedures
  • Certification of data systems for compliance with DHHS security standards
  • Chain of Trust agreements with covered entities with whom we exchange electronic information
  • Contingency plan to ensure continuity and preservation of data in the event of an emergency
  • Security features for initial clearance of all personnel who have access to health information, along with ongoing supervision, training and monitoring of these personnel
  • Security configuration management procedures such as virus checking, hardware and software systems review, and documentation
  • Specific procedures when personnel terminate employment
  • Security management structure that maintains continual risk assessment and sanction policies and procedures


Physical Safeguards

Data and data systems must be physically protected from intrusion and environmental hazards via seven basic elements:

  • Designation of a specific person for responsibility of security
  • Controlling access to, and alteration of, computer hardware
  • Enforcement of “need to know” clearances
  • Implementation of work station security activities
  • Development of disaster/intrusion response and recovery plans
  • Maintenance of security records
  • Implementation of identity verification procedures for personnel in order to physically access sites


Technical Security Services

Software control and procedures regarding stored data include these requirements:

  • Providing internal audits and controls within data systems
  • Controlling user access through authentication
  • Ensuring that stored data is neither altered nor inappropriately accessed or processed
  • Allowing data access to particular privilege classes of personnel, including during crises


Technical Security Mechanisms

These requirements relate to accessed data and the transmission of stored data, to ensure that data cannot easily be accessed, intercepted or interpreted by unauthorized third parties. These proposed procedures include:

  • Validation that stored data is accurate before it is transmitted
  • Validation that received data is identical to sent data
  • Data transmissions either encrypted or controlled by a dedicated, secure line. If transmissions are not encrypted, DHHS would also require three elements:
    • Alarms to signal abnormal communication conditions
    • Automatic recording of audit trail information
    • A method for authentication of the entity receiving the data
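The following is an added illustration of two of the mechanisms listed above, the check that received data is identical to sent data and the automatic recording of an audit-trail entry for every receipt. It is example code written for this page, not text or code from DHHS or the HIPAA rule. The shared key, the sample record, the partner identifier and the audit-log layout are all constructed assumptions; a keyed HMAC proves the bytes were not altered in transit by anyone without the key, which covers integrity validation but is not by itself a complete entity-authentication scheme.

```python
"""Added example (not part of the HIPAA text): sender attaches an HMAC-SHA256 tag,
receiver verifies it and records an audit entry whether the message is accepted or
rejected. Key, sample record and log format are constructed assumptions."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumed pre-shared key for one sender/receiver pair (constructed for this example;
# a real deployment provisions a distinct key per chain-of-trust partner).
SHARED_KEY = b"example-shared-key-not-for-production"

# In-memory audit trail (a real system would write to append-only, protected storage).
AUDIT_LOG: List[Dict[str, object]] = []


def seal(payload: bytes, key: bytes = SHARED_KEY) -> Dict[str, str]:
    """Sender side: wrap the payload with an HMAC-SHA256 tag over its exact bytes."""
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.hex(), "tag": tag}


def verify(envelope: Dict[str, str], key: bytes = SHARED_KEY) -> Optional[bytes]:
    """Receiver side: return the payload only if the tag matches; None on any mismatch."""
    payload = bytes.fromhex(envelope["payload"])
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many tag bytes matched.
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    return payload


def receive(envelope: Dict[str, str], sender_id: str,
            key: bytes = SHARED_KEY) -> Tuple[bool, Optional[bytes]]:
    """Verify an envelope and always append an audit entry, accepted or rejected."""
    payload = verify(envelope, key)
    accepted = payload is not None
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "sender": sender_id,                      # assumed partner identifier
        "payload_bytes": len(envelope["payload"]) // 2,
        "result": "accepted" if accepted else "REJECTED_integrity_failure",
    })
    return accepted, payload


def demo() -> Dict[str, object]:
    """Run one clean receipt and one tampered receipt; return what the receiver decided."""
    AUDIT_LOG.clear()
    # Constructed sample record; no real patient data.
    record = json.dumps({"patient_id": "EXAMPLE-0001", "result": "normal"}).encode()
    envelope = seal(record)
    clean_ok, _ = receive(envelope, "partner-A")

    # Simulate alteration in transit: flip one byte of the payload, keep the old tag.
    altered = bytearray(record)
    altered[-3] ^= 0x01
    tampered = {"payload": bytes(altered).hex(), "tag": envelope["tag"]}
    tampered_ok, _ = receive(tampered, "partner-A")

    return {
        "clean_accepted": clean_ok,
        "tampered_accepted": tampered_ok,
        "audit_entries": len(AUDIT_LOG),
        "last_result": AUDIT_LOG[-1]["result"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Every receipt produces an audit entry, so a rejected message leaves the same kind of trace as an accepted one; the `REJECTED_integrity_failure` result is the natural trigger for the abnormal-condition alarm the standards call for.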



Building 1, 2nd Floor, Room 2435

Main (301) 319-4775
Privacy Hot Line: (301) 319-8802
FOIA Hotline : (301) 295-8903

Hours of Operation
Monday thru Friday
0800 - 1600