HIPAA (SP800-66)


Healthcare companies that store, process or transmit Electronic Protected Health Information (EPHI) are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). The HITECH Act extends the scope of the privacy and security protections provided by HIPAA, provides enforcement, and broadens the potential legal liability for non-compliance.

Protected Health Information (PHI) maintained or transmitted in electronic media or any other form or media includes name, telephone number, fax number, e-mail address, SSN, driver's licence number and Internet address. HIPAA requirements apply to PHI kept in electronic form, known as EPHI (Electronic Protected Health Information). The HIPAA Security Rule covers 36 implementation specifications supported by 18 HIPAA Standards that protect the confidentiality, integrity and availability of individually identifiable health information.

The HIPAA requirements are organized in three security safeguard categories:

  • Administrative Safeguards - consist of formal and documented practices to manage the selection and execution of security controls to protect EPHI, covering:

o Security Management Process - 164.308(a)(1)(i)
o Assigned Security Responsibility - 164.308(a)(2)
o Workforce Security - 164.308(a)(3)(i)
o Information Access Management - 164.308(a)(4)(i)
o Security Awareness and Training - 164.308(a)(5)(i)
o Security Incident Procedures - 164.308(a)(6)(i)
o Contingency Plan - 164.308(a)(7)(i)
o Evaluation - 164.308(a)(8)
o Business Associate Contracts and Other Arrangements - 164.308(b)(1)

  • Physical Safeguards - consist of formal and documented practices and physical controls to protect a covered entity's electronic information systems, premises, data center and computer rooms, covering:

o Facility Access Controls - 164.310(a)
o Workstation Use - 164.310(b)
o Workstation Security - 164.310(c)
o Device and Media Controls - 164.310(d)

  • Technical Safeguards - consist of processes to prevent unauthorized access to data that is transmitted over a communications network, covering:

o Access Control - 164.312(a)(1)
o Audit Controls - 164.312(b)
o Integrity - 164.312(c)
o Person or Entity Authentication - 164.312(d)
o Transmission Security - 164.312(e)

HIPAA Compliance Program

The HIPAA Compliance Program is designed to answer the questions raised by any company that stores, processes or transmits EPHI while it evaluates and selects products to support the HIPAA requirements. The Compliance Program provides validated evidence of a product's features and capabilities that support the HIPAA requirements.

HIPAA Compliance Testing and analysis cover several aspects of the product, including:

  • Compliance Effectiveness
  • Product Capabilities Support
  • Scope Impact Analysis and Coverage
  • Management and Usability
  • Suitable for Use in and Recommended Configuration
  • Product Roadmap

HIPAA Compliance Testing criteria

HIPAA Compliance Testing is conducted by trained analysts against the HIPAA Compliance Program criteria, as well as Compliance Labs' functional and quality assurance requirements. The HIPAA Compliance Program criteria rely on the intent of the NIST SP800-66 requirements as seen from the auditors' perspective, on companies' needs, and on queries to numerous specialists, including vendors of affected products, developers, users and industry groups. The compliance analyst reports the results of each phase of testing in the Reports of Compliance, and also documents the product components submitted by the vendor and the configuration of the product evaluated.

Continuous evaluation process

Compliance Labs has developed a continuous compliance testing process as a fundamental aspect of the HIPAA Compliance Program. The continuous evaluation process monitors new compliance requirements and best practices and updates the testing criteria to drive product compliance effectiveness and quality over the long term.
