Contributed by Lee Kim, Esquire or 412.594.3915

1)  Access control under 45 C.F.R. §312(a).

Policies and procedures must be implemented for information systems that maintain ePHI to ensure that only those persons or software programs that have been granted access rights.

In particular, a unique user identification must be assigned to each user for the purpose of identifying and tracking that user.

Policies and procedures must also be established and implemented as needed for obtaining necessary ePHI during an emergency (e.g., natural or manmade disaster). Key considerations include what situations would require emergency access to ePHI and which people would require emergency access to ePHI in an emergency situation.

* Automatic logoff after a period of inactivity and encryption/decryption of ePHI may be addressed and implemented to ensure access control.

1)      Access control vis-a-vis individuals and software programs for access to electronic protected health information (“ePHI”) under 45 C.F.R. §312(a).


2)      Audits on access to electronic protected health information (“ePHI”) under 45 C.F.R. §312(b).

a.      The audits may be manual or automated. The purpose of the audits is to ensure that authorized individuals or entities are accessing the ePHI.

3)      Person/entity authentication under 45 C.F.R. §312(d).

a.      Procedures must be implemented to ensure that the individual or entity accessing the ePHI is authorized to do so (e.g., passwords, swipe cards, etc.).

4)      Integrity of ePHI under 45 C.F.R. §312(c)(1).*

a.      Electronic mechanisms should be implemented to ensure that ePHI has not been altered or destroyed in an unauthorized manner.

                                                               i.      Regardless of whether the ePHI is being retrieved, transmitted, or stored, technical safeguards must be in place to ensure that there is no alteration nor destruction of the data (e.g., digitally signed ePHI, checksum or other error correction technology to ensure that ePHI is stored properly, etc.).

5)      Secure transmission of ePHI under 45 C.F.R. §312(e)(1).*

a.      A technical security measure must be implemented to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network (e.g., VPN, SSL, encryption, etc.).

5)      Encryption of ePHI under 45 C.F.R. §312(e)(2)(ii).*


* The entity should assess whether the technical safeguard is reasonable and appropriate in the operating environment and whether it is likely to contribute to protecting the entity’s ePHI. If the safeguard is reasonable and appropriate, then it should be implemented. If not, the entity should document why it would not be reasonable and appropriate and implement an equivalent alternative measure, if deemed to be reasonable and appropriate.



Please feel free to contact me if you would like assistance in applying the HIPAA security rules to your current situation as a covered entity or a business associate. I may be reached at <> or by calling 412-594-3915.