| TIP: HIPAA Technical Safeguards Profile

HIPAA Technical Safeguards Profile, v1.0

Profile of the requirements in the HIPAA Technical Safeguards section (164.312) by collecting all the relevant TIPs and TDs.

Identifier

https://artifacts.trustmarkinitiative.org/lib/tips/hipaa-technical-safeguards-profile/1.0/

Publication Date

2017-02-17

Issuing Organization

Trustmark Initiative (https://trustmarkinitiative.org/) View Contact

Trustmark Support

help@trustmarkinitiative.org

555-555-5555

No Mailing Address

Keywords

There are no keywords.

Legal Notice

This artifact is published by the Georgia Tech Research Institute (GTRI) as part of the Trustmark Initiative. This artifact and the information contained herein is provided on an "AS IS" basis, and GTRI disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties or merchantability or fitness for a particular purpose. In addition, GTRI disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.

Tree View
Details View

Trust Expression:

TD_AccessControlPoliciesandProceduresforePHI and TD_AccessControlUniqueUserIdentification and TD_AccessControlUniqueUserTracking and TD_AccessControlEmergencyAccessProcedure and TD_AccessControlAutomaticLogoff and TD_AccessControlEncryptionandDecryption and TD_AuditControlsonHardwareandSoftware and TD_AuditControlsProcedures and TD_IntegrityofePHIPolicies and TD_IntegrityofePHIProcedures and TD_PersonorEntityAuthentication and TIP_HIPAATransmissionSecurityProfile

References (12)

TIP HIPAA Transmission Security Profile, v1.0
Description	Profile of HIPAA Transmission Security (per 45 CFR Section 164.312(e)) requirements to guard against unauthorized access to e-PHI.
ID	TIP_HIPAATransmissionSecurityProfile

TD Access Control - Policies and Procedures for e-PHI, v1.0
Description	Specifies that a health care related organization must implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Section 164.308(a)(4).
ID	TD_AccessControlPoliciesandProceduresforePHI
Provider Reference

TD Access Control - Unique User Identification, v1.0
Description	Specifies that a health care related organization must assign a unique name and/or number for identifying user identity.
ID	TD_AccessControlUniqueUserIdentification
Provider Reference

TD Access Control - Unique User Tracking, v1.0
Description	Specifies that a health care related organization must assign a unique name and/or number for tracking user identity.
ID	TD_AccessControlUniqueUserTracking
Provider Reference

TD Access Control - Emergency Access Procedure, v1.0
Description	Specifies that a health care related organization must establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
ID	TD_AccessControlEmergencyAccessProcedure
Provider Reference

TD Access Control - Automatic Logoff, v1.0
Description	Specifies that a health care related organization must implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
ID	TD_AccessControlAutomaticLogoff
Provider Reference

TD Access Control - Encryption and Decryption, v1.0
Description	Specifies that a health care related organization must implement a mechanism to encrypt and decrypt electronic protected health information.
ID	TD_AccessControlEncryptionandDecryption
Provider Reference

TD Audit Controls on Hardware and Software, v1.0
Description	Specifies that a health care related organization must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
ID	TD_AuditControlsonHardwareandSoftware
Provider Reference

TD Audit Controls Procedures, v1.0
Description	Specifies that a health care related organization must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
ID	TD_AuditControlsProcedures
Provider Reference

TD Integrity of e-PHI Policies, v1.0
Description	Specifies that a health care related organization must have policies to protect electronic protected health information from improper alteration or destruction and must have policies for electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
ID	TD_IntegrityofePHIPolicies
Provider Reference

TD Integrity of e-PHI Procedures, v1.0
Description	Specifies that a health care related organization must implement procedures to protect electronic protected health information from improper alteration or destruction and must implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
ID	TD_IntegrityofePHIProcedures
Provider Reference

TD Person or Entity Authentication, v1.0
Description	Specifies that a health care related organization must implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
ID	TD_PersonorEntityAuthentication
Provider Reference

Terms (7)

Term Name	Abbreviations	Definition
Business Associate	BA	Covered entities engage "business associates" to work on their behalf. A business associate is a person (not part of the workforce of the covered entity) or organization that creates, receives, maintains, or transmits protected health information on behalf of the covered entity. Covered entities must have contracts or other arrangements in place with their business associates to ensure that the business associates safeguard protected health information, and use and disclose the information only as permitted or required by the Privacy Rule. A covered entity may be a business associate of another covered entity.
Covered Entity	CE	The Administrative Simplification provisions of HIPAA apply to three types of entities, which are known as "covered entities": 1) health care providers if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard, 2) health plans, and 3) health care clearinghouses. A covered entity may be a business associate of another covered entity.
Disclosure		Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.
Electronic Protected Health Information	e-PHI	Electronic protected health information means protected health information (PHI) that is transmitted by electronic means or maintained in electronic media.
Health Insurance Portability and Accountability Act of 1996	HIPAA	The HIPAA law includes Administrative Simplification provisions that require adoption of national standards for electronic health care transactions and code sets, unique health identifiers, and security. Additionally, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.
Protected Health Information	PHI	Protected health information (PHI) means "individually identifiable health information" that is transmitted by electronic means or maintained in electronic media or transmitted or maintained in any other form or medium, except it excludes individually identifiable health information: In education records covered by the Family Educational Rights and Privacy Act; In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); In employment records held by a covered entity in its role as employer; Regarding a person who has been deceased for more than 50 years. HIPAA rules protect most PHI held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. PHI is information, including demographic information, which relates to the individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual. For example, PHI includes name, address, birth date, Social Security Number, a medical record, laboratory report, or hospital bill. However, reporting or aggregating data that cannot be used to individually identify a person would not be considered PHI.
U.S. Department of Health and Human Services	HHS	The U.S. Department of Health and Human Services' (HHS) mission is to enhance and protect the health and well-being of all Americans by providing for effective health and human services and fostering advances in medicine, public health, and social services.

Also available as XML or JSON