HIPAA Security Rule

HIPAA is composed of several distinct rules, including the two that are most discussed, the Privacy Rule and the Security Rule. Compliance with the Privacy Rule is not difficult, and you can satisfy most of the requirements from documents available right here by buying the Policy and Procedure Manual and downloading the free Notice of Privacy Practices. Compliance with the Privacy Rule requires the following four steps:

Compliance with the Security Rule is more complicated. And, if you are seeking or have obtained "Meaningful Use" funds, it is imperative that you be in compliance with the Security Rule.

The Security Rule encompasses three distinct components:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards

At the heart of compliance with the Security Rule is performing a "risk assessment" of your office, addressing each of the components, and then preparing and maintaining a written Risk Analysis document. Not only is this required for compliance with the Security Rule, but it is also required for Stage 1 of Meaningful Use attestation (some doctors have had Meaningful Use audits, and failure to have this written Risk Assessment can result in having to refund your Meaningful Use payment).

To assist you in understanding the Security Rule, and to aid you in drafting a Risk Assessment for your office, CMS has published several guidance documents. Copies of these three helpful PDFs can be found here:

You may want to start with the last document, the TipSheet produced by CMS. But I encourage you to print and read each of these, together with your designated Security or Privacy Officer, and use them as a guide to preparing a written Risk Assessment document. Once you have an understanding of what the Risk Assessment is, proceed with your risk assessment by moving through the 3 sections (Administrative, Physical, and Technical safeguards) one at a time, documenting each element, what risk it presents, and what has been or will be done to address that risk.


To assist you, this Risk Assessment Tool can be downloaded and used by you and your staff to perform the initial Risk Assessment and as the guide to drafting the final Risk Assessment document.


Special Note regarding Windows XP.

As many know, as of April 9, 2014, Microsoft has stopped all support for Windows XP. They are no longer producing security patches for the operating system. As a result, XP will become increasingly less secure and more vulnerable to attacks over time. This does NOT mean you must immediately replace XP, however. You should document the risk and establish a timetable for addressing it. That timetable may say, for example, that you'll upgrade your systems over the next 6-9 months. XP did not go from "safe" on April 8 to "unsafe" on April 9. But, as time goes by, it will become less secure. Thus, while it is not necessary to immediately replace all XP systems, it is necessary to have a plan in place to address this issue.