Information Security Requirements
Security Rule: Notice of Proposed Rule Making for the Security and Electronic Signature Standards
The final Security Rule was published on February 20, 2003. The deadline for compliance is April 20, 2005. The regulations are technology neutral. They are divided into three areas: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Implementation specifications marked (R) are required and must be implemented as written. Those marked (A) are addressable: they must be implemented as written, or, if a reasonable and appropriate alternative that achieves the same end can be identified, the alternative may be implemented instead.
Administrative Safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.
Security Management Process
Assigned Security Responsibility (R)
Information Access Management
Password Management (A)
Business Associate Contracts and Other Arrangements
Physical Safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
Facility Access Controls
Workstation Use (R)
Workstation Security (R)
Device and Media Controls
Technical Safeguards means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.
Access Control / Unique User Identification (R)
Audit Controls (R)
Person or Entity Authentication (R)
The Compliance Office is located on the 8th Floor of the Resource Center, New Orleans, Louisiana.