Office of Compliance Programs

Information Security Requirements

Security Rule: Notice of Proposed Rule Making for the Security and Electronic Signature Standards

The final Security Rule was published on February 20th, 2003. The deadline for compliance is April 20, 2005. The regulations are very technology neutral. They divided into three areas: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Those marked with (R) are required by the regulations to be implemented. Those marked with (A) can either be implemented or if a more feasible alternative can be identified that achieves the same ends, it can be implemented instead.

Administrative Safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.

Security Management Process

  • Risk Analysis (R)
  • Risk Management (R)
  • Sanction Policy (R)
  • Information System Activity Review (R)

Assigned Security Responsibility (R)

  • Workforce Security
  • Authorization and/or Supervision (A)
  • Workforce Clearance Procedure (A)
  • Termination Procedures (A)

Information Access Management

  • Security Awareness and Training
  • Security Reminders (A)
  • Protection from Malicious Software (A)
  • Log-in Monitoring (A)

Password Management (A)

  • Security Incident Procedures
  • Response and Reporting (R)

Contingency Plan

  • Data Backup Plan (R)
  • Disaster Recovery Plan (R)
  • Emergency Mode Operation Plan (R)
  • Testing and Revision Procedure (A)
  • Applications and Data Criticality Analysis (A)

Evaluation (R)

Business Associate Contracts and Other Arrangement

  • Written Contract or Other Arrangement (R)

Physical Safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.

Facility Access Controls

  • Contingency Operations (A)
  • Facility Security Plan (A)
  • Access Control and Validation Procedures (A)
  • Maintenance Records (A)

Workstation Use (R)

Workstation Security (R)

Device and Media Controls

  • Disposal (R)
  • Media Re-use (R)
  • Accountability (A)
  • Data Backup and Storage (A)

Technical Safeguards means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it. Access Control /Unique User Identification (R)

  • Emergency Access Procedure (R)
  • Automatic Logoff (A)
  • Encryption and Decryption (A)

Audit Controls (R)


  • Mechanism to Authenticate Electronic Protected Health Information (A)

Person or Entity Authentication (R)

Transmission Security

  • Integrity Controls (A)
  • Encryption (A)

The Compliance Office is located on the 8th Floor of the Resource Center, New Orleans, Louisiana.