
Security Rule FAQs


Administrative Safeguards

What does the Security Rule require a covered entity to do to comply with the Security Incidents Procedures standard?

Under the Security Rule, must plan sponsors report security incidents to the group health plan? If so, what types of incidents must be reported and what level of detail is required?

Compliance Evaluation

Are we required to “certify” our organization’s compliance with the standards of the Security Rule?

How will we know if our organization and our systems are compliant with the Security Rule’s requirements?

Computer Network

Does the Security Rule allow you to network computers? In other words, are covered entities allowed to connect two computer systems, either within the covered entity, or between two covered entities or between a covered entity and its business associate(s) so that they can exchange information directly?

General Topics

Why is the HIPAA Security Rule needed and what is the purpose of the security standards?

Does the Security Rule apply to written and oral communications?

Do the standards of the Security Rule require use of specific technologies?

What is the difference between addressable and required implementation specifications in the Security Rule?

Emergency Situations

Is the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) suspended during a national or public health emergency?

Enforcement

Who enforces the health information privacy and security standards established under the Health Insurance Portability and Accountability Act (HIPAA)?

Encryption

Is the use of encryption mandatory in the Security Rule?

What is encryption?

Physical Safeguards

What does the Security Rule mean by physical safeguards?

Risk Analysis & Risk Management

What is the difference between Risk Analysis and Risk Management in the Security Rule?

What are some examples of threats that covered entities should address when conducting their risk analysis in order to comply with the Security Rule?

Security Incidents

What does the Security Rule require a covered entity to do to comply with the Security Incidents Procedures standard?

Small Provider

How can a small provider implement the standards in the Security Rule?

Technical Safeguards

Is the use of encryption mandatory in the Security Rule?

Do the Security Rule requirements for access control, such as automatic logoff, apply to employees who telecommute or have home-based offices if the employees have access to electronic PHI (e-PHI)?

Does the Security Rule allow for sending electronic PHI (e-PHI) in an email or over the Internet? If so, what protections must be applied?

Does the Security Rule require the use of an electronic or digital signature?

Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?

Are covered entities required to use the National Institute of Standards and Technology (NIST) guidance documents referred to in the preamble to the final Security Rule (68 Fed. Reg. 8334 (February 20, 2003))?

Does the Security Rule permit a covered entity to assign the same log-on ID or user ID to multiple employees?

What is encryption?

 
