Information for the Practitioner
Technical safeguards include:
- Access control
- Audit controls
- Integrity
- Person or entity authentication
- Transmission security
More details about each of these safeguards is included below. Any implementation specifications are noted. Remember: Addressable specifications are not optional. Practitioners must assess the need to implement these specifications.
Access Control
Allow access to ePHI only to those granted access rights.
Implementation specifications include:
- Assign a unique user identifier to identify and track user activity. (Required)
- Have procedures for getting to ePHI during an emergency. (Required)
- Set up systems to automatically log off a workstation. (Addressable)
- Use a system to encrypt and decrypt ePHI. (Addressable)
- Note: Under the Interim Final Rule [PDF] regarding breach notification (45 CFR Parts 160 and 164), required access controls alone do not meet the statutory standard of "rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals" and therefore a breach of such access controls would require breach notification; this is in contrast to data encryption which would render data unusable—interception of encrypted data would not require a breach notification (page 42741–42).
Audit Controls
Must have a system to record and examine all ePHI activity.
No implementation specifications.
Integrity
Must protect ePHI from being altered or destroyed improperly.
Implementation specifications include:
- Authenticating ePHI - confirm that ePHI has not been altered or destroyed in an unauthorized way. (Addressable)
Person or entity authentication
Must verify that a person who wants access to ePHI is the person they say they are.
No implementation specifications.
Transmission security
Must guard against unauthorized access to ePHI that is transmitted electronically.
Implementation specifications include:
- Protect ePHI from being altered without detection. (Addressable)
- Encrypt ePHI whenever deemed appropriate. (Addressable)
- Encryption is the primary method of achieving this for data in motion and data at rest.
- Encryption is "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key" (page 42742).
- The Security Rule is "technology neutral" so no specific information about encryption strength is included; Advanced Encryption Standards (AES) [PDF] used by the Federal Government currently use 128-, 192- or 256-bit keys.
- Decryption tools should be stored in a separate location from the data.
The Breach Notification Interim Final Rule cites the following NIST publications that describe valid encryption processes: