HIPAA Security Series: Security Standards: Implementation for The Small Provider

February 10, 2008

What is the Security Series?

The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule titled “Security Standards for the Protection of Electronic Protected Health Information,” found at 45 CFR Part 160 and Part 164, Subparts A and C, commonly known as the Security Rule. The Security Rule was adopted to implement a provision of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The series contains seven papers, each focused on a specific topic related to the Security Rule (see left panel). The papers are designed to give HIPAA covered entities insight into the Security Rule and to assist them with implementation of the standards. This series explains specific requirements (provisions of the rule), and possible ways to address those provisions.

CMS recommends that all covered entities read the first paper in this series, “Security 101 for Covered Entities” before reading the other papers. The first paper clarifies important Security Rule concepts that will help covered entities as they plan for implementation and maintain an ongoing security program. This seventh paper in the series is devoted to implementation of the Security Rule standards, implementation specifications and requirements as they relate to covered entities that are sole practitioners or otherwise considered small providers. It assumes the reader has a basic understanding of the Security Rule.


Identity theft, stolen computer disks, malfunctioning computers, hackers, and other preventable losses of information – these are just a few of the hazards facing all businesses that receive, store, and transmit data in electronic form. Many health care providers too face these same hazards. Much of the electronic protected health information (EPHI) they hold is critical to their business and vital to the care of their patients. Providers face major problems if their patient’s sensitive information is stolen, misused, or unavailable.

The HIPAA Security Standards provide a structure for covered entities (health plans, clearinghouses, or covered health care providers) to develop and implement policies and procedures to guard against and react to security incidents. The Security Rule provides a flexible, scalable and technology neutral framework to allow all covered entities to comply in a manor that is consistent with the unique circumstances of their size and environment.

All covered entities must comply with the applicable standards, implementation specifications, and requirements of the Security Rule with respect to EPHI (see 45 C.F.R § 164.302.). Small providers that are covered entities have unique business and technical environments that provide both opportunities and challenges related to compliance with the Security Rule. As such, this paper provides general guidance to providers such as physicians and dentists in solo or small group practices, small clinics, independent pharmacies, and others who may be less likely to have IT staff and whose approach to compliance would generally be very different from that of a large health care system. It is important to note however, that this paper does not define a small provider, nor does it prescribe specific actions that small providers must take to become compliant with the Security Rule.

The objectives of this paper are to:

Help small providers understand the Security Rule standards, implementation specifications, and requirements as they relate to their organization.

Provide sample questions and scenarios that small providers may want to consider when addressing the Security Rule requirements.

Reference industry resources that provide additional information regarding compliance with the Security Rule.

Security Rule Overview for Small Providers

To understand the requirements of the Security Rule, it is helpful to be familiar with the basic concepts that comprise the security standards and implementation specifications. The Security Rule is divided into six main sections – each representing a set of standards and implementation specifications that must be addressed by all covered entities. Each Security Rule standard is a requirement: a covered entity must comply with all of the standards of the Security Rule with respect to the EPHI it creates, transmits or maintains.

Many of the standards contain implementation specifications. An implementation specification is a more detailed description of the method or approach covered entities can use to meet a particular standard. Implementation specifications are either required or addressable. Regardless of whether a standard includes one or more implementation specifications, covered entities must comply with each standard. Where there is no implementation specification for a particular standard, such as the “Workstation Use” and “Person or Entity Authentication” standards, compliance with the standard itself is required.

  • A required implementation specification is similar to a standard, in that a covered entity must comply with it. For example, all covered entities including small providers must conduct a “Risk Analysis” in accordance with Section 164.308(a)(1) of the Security Rule.
  • For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, a covered entity decides if it will implement the addressable implementation specification; implement an equivalent alternative measure that allows the entity to comply with the standard; or not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment. Covered entities are required to document these assessments and all decisions. For example, all covered entities including small providers must determine whether “Encryption and Decryption” is reasonable and appropriate for their environment in accordance with Section 164.31 2(a)( 1) of the Security Rule.
  • Factors that determine what is “reasonable” and “appropriate” include cost, size, technical infrastructure and resources. While cost is one factor entities must consider in determining whether to implement a particular security measure, some appropriate measure must be implemented. An addressable implementation specification is not optional, and the potential cost of implementing a particular security measure does not free covered entities from meeting the requirements identified in the rule.

Using This Resource

The tables and sample questions provided here relate to the Administrative, Technical and Physical Safeguard requirements from the Security Rule and are relevant for small providers seeking to evaluate and/or establish EPHI security practices. The tables and sample questions in this document do not represent a complete list of Security Rule requirements, but provide insight into the key HIPAA Security requirements applicable to a small provider.

Administrative Safeguards – These provisions are defined in the Security Rule as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

Standard Sample Implementation Sample Question
  (R)= Required, (A)= Addressable  
SECURITY RISK ANALYSIS (R) Have you identified the
MANAGEMENT § 1 64.308(a) (1) (ii) (A) EPHI within your
PROCESS “Conduct an accurate and thorough organization? This
§ 164.308(a)(1) assessment of the potential risks and includes EPHI that you
“Implement policies and procedures to prevent, detect, contain and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by create, receive, maintain or transmit. Please note that EPHI may be resident on
correct security violations.” the covered entity.” computer workstations, servers or on portable devices such as laptops, and PDAs.
RISK MANAGEMENT (R) What security
§164.308(a) (1) (ii)(B) measures are
“Implement security measures already in place to
sufficient to reduce risks and protect EPHI –
vulnerabilities to a reasonable and this can be a
appropriate level to comply with comprehensive
§164.306(a).” view of allmeasures, whether administrative, physical or

technical, such as an over arching security policy; door locks to rooms where EPHI is stored; or the use of password-protected files.


Standard Sample Implementation Specifications(R)= Required, (A)= Addressable Sample Question
SANCTION POLICY (R) § 1 64.308(a) (1) (ii) (C) Have you developed, applied and implemented
“Apply appropriate sanctions against policies specific to
workforce members who fail to comply violations of the security
with the security policies and policies and procedures? If
procedures of the covered entity.” so, do they provide appropriate sanctions for workforce members who fail to comply with your security policies and procedures? (i.e., have you included your sanction policy in your workforce manual and trained your staff on the policy?)
WORKFORCE AUTHORIZATION AND/OR Are the procedures used by
SECURITY SUPERVISION (A) your workforce consistent
§ 164.308(a)(3)(i) § 1 64.308(a) (3) (ii) (A) with your access policies
“Implement policies and “Implement procedures for the (i.e., do people who should
procedures to ensure authorization and/or supervision of have access actually have
that all members of its workforce members who work with that access? Are people
workforce have electronic protected health information who should not have
appropriate access to or in locations where it might be access prevented from
electronic protected accessed.” accessing the
health information, and to prevent thoseworkforce members who do not have access from obtaining access to

electronic protected

health information.”



Standard Sample Implementation Sample Question
(R)= Required, (A)= Addressable
AWARENESS AND 164.308(a)(5)(ii)(D) training address topics
TRAINING “Implement procedures for creating, such as not sharing
§ 164.308(a) (5) (i) changing, and safeguarding passwords with other
“Implement a security passwords.” workforce members or not
awareness and training writing down passwords
program for all members and leaving them in open
of its workforce (includingmanagement).” areas?
§ 164.308(a) (7) (i) § 1 64.308(a) (7) (ii) (A) identify all sources of
“Establish (and “Establish and implement procedures EPHI that must be backed
implement as needed) to create and maintain retrievable up such as patient
policies and procedures for responding to an exact copies of electronic protected health information.” accounting systems, electronic medical or
emergency or other health records, digital
occurrence (for example, fire, vandalism, system recordings of diagnostic images, electronic test
failure, and natural results, or any other
disaster) that damages electronic documents
systems that contain created or used that
electronic protected health information.” contain EPHI?


Standard Sample Implementation Sample Question
(R)= Required, (A)= Addressable
ASSOCIATE ARRANGEMENTS (R) in place with outside
CONTRACTS AND § 1 64.308(b) (4) entities entrusted with
OTHER “Document the satisfactory assurances health information
ARRANGEMENTS required by this section through a generated by your
§ 164.308(b)(1) written contract or other arrangement office? If so, do the
“A covered entity may with the business associate that meets contracts provide
permit a business the applicable requirements of assurances that the
associate to create, receive, maintain, or § 164.314(a) [(the Business Associate Contracts or Other Arrangements information will be properly safeguarded?
transmit electronic Standard)].”
protected health For example, if you
information on the contract with a
covered entity’s behalf software vendor for
only if the covered entity your practice
obtains satisfactory assurances that the management system, what assurances do
business associate will you have that the
appropriately safeguard vendor’s products are
the information.” HIPAA compliant?

Physical Safeguards – These provisions are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

Standard Sample Implementation Sample Question
(R)= Required, (A)= Addressable
CONTROLS 164.310(a)(2)(ii) policies and
§ 164.3 10(a)(1) “Implement policies and procedures to procedures identify
“Implement policies and safeguard the facility and the controls to prevent
procedures to limit equipment therein from unauthorized unauthorized physical
physical access to its electronic information physical access, tampering, and theft.” access, tampering, and theft of EPHI?
systems and the facility These could include
or facilities in which they locked doors, signs
are housed, while warning of restricted
ensuring that properly areas, surveillance
authorized access is cameras, alarms, and
allowed.” identificationnumbers and security cables on computers.
§ 1 64.310(a) (2) (iv) implemented policies
“Implement policies and procedures to and procedures that
document repairs and modifications to specify how repairs
the physical components of a facility and modifications to a
which are related to security (for building or facility
example, hardware, walls, doors and will be documented to
locks).” demonstrate that the
EPHI is protected?


Standard Sample Implementation Sample Question
(R)= Required, (A)= Addressable
WORKSTATION USE This standard does not have Do your office
§ 164.310(b) corresponding implementation policies and
“Implement policies and specifications. However, compliance procedures specify the
procedures that specify with the standard itself is required (R). use of additional
the proper functions to security measures to
be performed, the protect workstations
manner in which those with EPHI, such as
functions are to be performed, and the using privacy screens, enabling password
physical attributes of the protected screen
surroundings of a savers or logging off
specific workstation or class of workstation that can access electronic protected healthinformation.” the workstation?
DEVICE AND MEDIA DISPOSAL (R) Does your office have
CONTROLS § § 164.310(d)(2)(i) a method of
164.3 10(d)(1) “Implement policies and procedures to destroying EPHI on
“Implement policies and address the final disposition of equipment and media
procedures that govern electronic protected health you are no longer
the receipt and removal of hardware and information, and/or the hardware or electronic media on which it is stored.” using? For example, have you considered
electronic media that purchasing hard drive
contain electronic erasure software for a
protected health planned upgrade of
information into and out of a facility, and themovement of these items office computers?
within the facility.” (A) process in place to
§ 1 64.310(d) (2) (iv)“Create a retrievable, exact copy of create a retrievable, exact copy of EPHI
electronic protected health before the equipment
information, when needed, before on which it is stored
movement of equipment.” is moved?

Technical Safeguards – These provisions are defined as the “technology and the policy and procedures that protect electronic protected health information and control access to it (the EPHI).”

Standard Sample Implementation Sample Question
(R)= Required, (A)= Addressable
164.312(a)(1) (R) process in place to
“Implement technical § 1 64.312(A) (2) (I) assign each user of
policies and procedures “Assign a unique name and/or your system a unique
for electronic information systems that number for identifying and tracking user identity.” user identifier? If so, can the identifier be
maintain electronic used to track user
protected health activity within
information to allow information systems
access only to those that contain EPHI?
persons or software This may or may not
programs that have been be reasonable or
granted access rights as appropriate for a solo
specified in § clinician where access
1 64.308(a) (4)) has been granted to all
[(Information Access office staff.


Standard Sample Implementation Specifications(R)= Required, (A)= Addressable Sample Question
AUTOMATIC LOGOFF (A) Do your current
§ 164.312(a) (2) (iii) information systems
“Implement electronic procedures that have an automatic
terminate an electronic session after a logoff capability to
predetermined time of inactivity.” ensure that unauthorized users donot access data on unattended workstations?
PERSON OR ENTITY This standard does not have Does your system
AUTHENTICATION corresponding implementation require the input of
§ 164.312(d) specifications. However, compliance something known
“Implement procedures to with the standard itself is required (R). only to the person or
verify that a person or entity entity seeking access
seeking access to electronic to EPHI, (such as a
protected health information is password or PIN)
the one claimed.” prior to granting the requested access?
SECURITY § 164.3 12(e)(2)(ii) required risk analysis,
§ 164.3 12(e)(1) “Implement a mechanism to encrypt is encryption needed
“Implement technical security electronic protected health information to protect the
measures to guard against whenever deemed appropriate.” transmission of EPHI
unauthorized access to between your office
electronic protected health and outside
information that is being transmitted over an electronic organizations? If not, what measures do you
communications network.” have in place toensure the protection of this information?
Some small providers might considerpassword protection of documents or files containing EPHI

and/or prohibiting the transmission of EPHI via email.

Additional Requirements

Please note also that the Security Rule contains organizational and documentation requirements that must be addressed by all covered entities. Organizational requirements include standards for business associate contracts and other arrangements, including memoranda of understanding between a covered entity and a business associate when both entities are government organizations; and requirements for group health plans. Policies, procedures, and documentation requirements address how each of the requirements are documented, reviewed, updated and communicated to the workforce.

In Summary

Information security is a necessity in today’s world. Preventing unauthorized use of sensitive health information is a core goal of every participant in the health care industry. The Security Rule allows covered entities, including small providers, to implement reasonable and appropriate measures that enable them to comply with the Rule. The scalable, flexible and technology neutral principles of the Rule allow covered entities to comply in a manner consistent with the complexity of their particular operations and circumstances. Small covered healthcare providers should use this paper and other applicable resources to review and maintain their Security Rule compliance efforts.


Covered entities should periodically check the CMS website at: http://www.cms.hhs.gov/SecurityStandard/ for additional HIPAA security information and resources as they work through the security implementation process. While CMS does not endorse guidance provided by other organizations, covered entities may also want to check with other local and national professional health care organizations, such as national provider and health plan associations for additional information. Consider obtaining and reviewing the resources available through the Workgroup for Electronic Data Interchange (WEDI), at www.wedi.org. WEDI has numerous white papers and educational resources aimed at all types of covered entities, and many directed specifically to the smaller physician office. The National Institute of Standards and Technology (NIST) at www.nist.gov also has a wide range of documents and resources to assist to entities in understanding how to comply with the spirit of the regulation

Previous post:

Next post: