Security Compliance


By now, you know about the HIPAA Privacy Rule — federal standards that protect our fundamental right to privacy and confidentiality. The Department of Health and Human Services (HHS) issued a second set of federal standards to protect health information in electronic form. It’s called the HIPAA Security Rule.

This course outlines the basics of the Rule and some of the security safeguards that may affect the way you do your job.

Security Basics

  • Breaches in security can lead to breaches in the HIPAA Privacy Rule — which is enforceable now
  • Experts point out that 164.530 of the Privacy Rule requires covered entities to take reasonable measures to secure all protected health information — including PHI in electronic form

Let’s look at who and what is protected by the Security Rule, so you’re not opening the door to privacy concerns.

The Security Rule protects:

  • Confidentiality of electronic PHI, termed ePHI
  • The integrity of ePHI — meaning once ePHI is created, it can’t be tampered with
  • Availability of ePHI, so it can only be accessed by people with the authority to do so whenever it’s needed

As under the Privacy Rule, health information is protected when it contains personal information that connects the patient to the information, such as:

  • Patient’s name and address
  • Social security number
  • Billing information
  • Physician’s notes

The Security Rule is divided into three parts. Together, they cover the policies, procedures, processes and systems you need to protect ePHI from the time it’s created to its disposal, and all parts in between. 

Administrative Safeguards

Administrative safeguards are carried out by executive teams, managers and the designated HIPAA Security Official, who has ultimate responsibility for your facility’s security program. They work as a team to conduct ongoing risk analyses, called security audits, and create formal policies and procedures to safeguard all ePHI.

Administrative safeguards include:

  • Rules on workplace security such as who can access ePHI and who cannot, and who has limited access, such as contractors or vendors
  • Detection systems to detect, correct and prevent security breaches
  • Security incident policies on how to handle violations and security breaches, for example, your facility’s internal processes for reporting security concerns and infractions
  • Contingency plans that outline how to respond in emergencies or natural disasters that damage ePHI
  • Backup systems off-site that can be retrieved quickly in the event of an emergency or disaster
  • Ongoing evaluations and audits to make sure your facility is in compliance with the Security Rule and stays that way

In some cases, new policies may not be necessary. You may just need to document what you’ve been doing all along, and how it meets the security requirements.

A word about computer passwords

  • Never share your password with anyone or they could breach security in your name
  • When you share a password, you allow another person to use your access
  • Some facilities discipline or terminate for this lack of responsibility

If someone is terminated:

  • An employee with access to your facility network could potentially sabotage or leave behind code to destroy or disrupt ePHI security
  • When someone is terminated, steps are taken to lock that person out of the system before damage occurs

Physical Safeguards

Physical safeguards cover protection of physical things such as computer systems and high-tech equipment, as well as the facility where ePHI is stored. They include:

  • Physical access controls to limit access of ePHI and make sure authorized persons can access data when they need it
  • For example, passwords to log on to your computer and access ePHI — that are changed regularly, so they do not fall into the wrong hands
  • PIN numbers and IP tracking systems, to validate who is accessing ePHI
  • Unique user IDs and biometric screenings, like fingerprints, to verify that the person trying to log on to the computer is who he or she claims to be
  • Facility access controls to protect areas where ePHI is housed
  • Parking restrictions to control access to certain areas of the facility
  • Security guards and personnel identification verification, such as ID badges and nametags
  • Sign-in sheets for visitors and escorts when necessary
  • Device and media controls to ensure the security of ePHI when moving or disposing of hardware or software — both inside and outside of your facility
  • Workstation guidelines to secure areas where ePHI is accessed and guard against unauthorized access, including laptops, tablets and smartphones on and off-site
  • Automatic log-off, so terminals log off when you leave your desk
  • Workstations located away from public areas

Wireless technology poses a risk to ePHI

  • Someone with the right skills and network scanner can obtain wireless ePHI
  • Follow facility rules about access to wireless technology

Technical Safeguards

Technical safeguards include all the technology that makes physical safeguards possible. In most cases, your IT department will put these systems in place, but you may be using the software. They include:

  • Access controls for electronic systems that hold ePHI to make sure people with access rights can access data when they need it
  • Integrity controls to protect ePHI from alteration or destruction, like virus-checking software to protect equipment from malicious software
  • Transmission safeguards to protect ePHI transmitted over open networks from intruders
  • Encryption, for instance, to convert ePHI into a secret code for transmission over public networks
    • Used for email documents containing ePHI and for highly confidential web browser sessions between patients and physicians
    • When received, data is decoded and turned back into plain text
  • Authentication policies to verify if the people logging on to the system are who they claim to be
  • Digital signatures or message authentication codes to make sure stored ePHI is not tampered with or destroyed
  • Monitoring systems to track who’s logging into the system successfully, and who’s trying to log in unsuccessfully
  • Internal system audits and controls to track and record daily activity in information systems to look for abnormal or suspicious behavior
  • Instant reporting systems, such as alarms, to alert the administration of possible intruders

Security Walkthrough

  • Never leave laptops, tablets or smartphones in your car; they can be a target for would-be intruders
  • Log off when you walk away from your workstation
  • Become familiar with your facility’s policies on changing passwords, and never give anyone your password, including someone who says they are from IT. No one ever needs your password to fix a computer
  • Never open an email attachment unless you know who sent it. Email attachments are the most common way for viruses to infect an entire network
  • Never download or use software given to you, even if you know who it came from. All software must be approved by IT
  • Become familiar with your computer anti-virus system, so you can alert IT to a virus warning
  • Safeguard computer-generated faxes just like you safeguard ePHI
  • Report any security incidents or violations where a business associate is not following appropriate procedures, or you or your facility will be held responsible


The HIPAA Privacy Rule got us started. HIPAA Security fills in any security gaps:

  •  Don’t wait to make security a part of your daily routine
  •  Be vigilant and use your professional judgment to protect ePHI

