The Security Rule does not require specific technology solutions for providers, but HHS does give some general guidance (see Security Standards: Technical Safeguards for more in-depth information).
HHS specifically addresses 5 HIPAA technical standards, and PCS has grouped our general recommendations for how to address each of these standards:
1. Access control – the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. Examples include:
- Require unique and complex username and passwords for each staff member
- Use automatic logoff
- Use a screen lock when not physically at the workstation
- Use of encryption and decryption (encrypt any hard drives with patient data)
- Isolate Wi-Fi off main network (One Wi-Fi for patients and separate secure Wi-Fi for staff)
- Confirm HIPAA security compliance for any remote access software or use a VPN
- Establish procedures for obtaining necessary electronic information during an emergency
2. Audit controls – Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information.
- Make sure that the EHR systems and router track user activity
3. Integrity – Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
- Use cloud-based backup
- Keep operating systems updated
- Keep antivirus updated
- Implement access controls to limit staff use of the internet
4. Person or Entity Authentication – Implement procedures to verify that a person or entity seeking access to electronic information is who they claim to be.
- Make sure workstations and servers require PINs or passwords to access
5. Transmission Security – Implement technical security measures to guard against unauthorized access to electronic information that is being transmitted over an electronic communications network.
- Make sure any data transmitted is secure (secure email, secure patient portals)