HIPAA Controls




Everyone complains that the HIPAA Security Rule is inconvenient—which it is—but that doesn’t mean you can break the security rules in your medical office any more than you can break the security rules at airports, government buildings, and sporting events. Here are a few examples of the HIPAA Security Rule Required and Addressable controls that we see medical practices ignoring on a regular basis.

Required Or Addressable Specifications

The HIPAA Security Rule’s Implementation Specifications are identified as either Required or Addressable. Addressable specifications are sometimes mistaken for Optional, which they are not.


Creating Alternatives To Specifications

The US Department of Health & Human Services says “a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.”

Required HIPAA Controls

These HIPAA controls are firm. The government does not allow any way to avoid them.


Required HIPAA Risk Analysis

Risk analysis is the very first requirement in the HIPAA Security Rule. The Rule itself says little about how to perform one, but the Office for Civil Rights (OCR) offers guidance for smaller practices and the National Institute of Standards and Technology (NIST) has a free 95-page guide.

Beware: the Office of the National Coordinator for Health IT (ONC), which runs the Meaningful Use program, says, “It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

Most HIPAA fines are based on a missing, outdated, or incomplete Risk Analysis. If you want to pass an audit, think twice about doing this yourself.


Required HIPAA Risk Management

Many practices stop at the Risk Analysis and put it on the shelf in case of an audit. The HIPAA Security Rule also requires you to document the actions you are going to take to reduce each identified risk, or to accept and monitor it.


Required Healthcare Data Disaster Plan

“Establish (and implement as needed) procedures to restore any loss of data.” Think narrow rather than broad here. Common sense says every medical organization and business should have a plan to survive a disaster, but the HIPAA Security Rule only cares about access to patient data. Document how you will recover access to your data and you will comply with the HIPAA Security Rule. Document how you will communicate with your staff, work from an alternate site, and operate after a disaster, and your organization will survive. Keep backups both on-premises and off-premises; a backup that sits next to the server it protects is lost in the same fire or flood.


Required Business Associate Agreements

The HIPAA Security Rule in 2005 did not give the HIPAA enforcers power to penalize Business Associates for breaches. This all changed with the HIPAA Omnibus Final Rule in 2013. Business Associate Agreements with new wording are required. Covered Entities are liable for the compliance of their Business Associates, and their Business Associates’ subcontractors. Don’t stop with the paperwork. Since you are liable, you should validate that your vendors and their vendors comply with HIPAA.


Required Audit Controls

While everyone thinks their patient data is housed exclusively in their EHR system, it is all over the place—server folders, laptops, desktop computer hard drives, portable drives, and smartphones. The HIPAA Security Rule requires audit controls that record activity in every system containing ePHI, and the documentation behind your security program must be retained for six years, so plan on keeping those logs that long. In practice that means centralized, per-user logging, which you get from an Active Directory Domain and not from a peer-to-peer Workgroup, where accounts are local to each machine and the logs stay on each machine.
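The following is an added example, not code from the original article or from Treasure Valley IT, showing what “access logs” look like in practice on a domain-joined Windows file server: it turns on the audit policy subcategories that produce file-access and logon events, puts an audit entry (SACL) on a folder holding ePHI, sizes the Security log so events are not overwritten before collection, and then checks that a file-access event was actually recorded. The folder path, the 1 GB log size, and the five-minute lookback are assumptions for illustration; run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article). Assumed ePHI location:
$ePhiFolder = 'D:\ClinicData\ePHI'

# 1. Enable the audit subcategories that generate file-access events (ID 4663)
#    and logon success/failure events (IDs 4624/4625). On a domain these are
#    normally pushed by Group Policy; setting them locally shows the effect.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Logon"       /success:enable /failure:enable | Out-Null

# 2. Add a SACL to the folder so reads, writes, deletes and permission changes
#    by any account are audited, and inherit it to subfolders and files.
$acl  = Get-Acl -Path $ePhiFolder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'ReadData,WriteData,AppendData,Delete,ChangePermissions,TakeOwnership',
    'ContainerInherit,ObjectInherit',
    'None',
    'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $ePhiFolder -AclObject $acl

# 3. Make the local Security log large enough (assumed 1 GB) that events survive
#    until collected. Six-year retention has to come from forwarding the log to
#    a central collector; a local log on a workstation will not hold it that long.
wevtutil sl Security /ms:1073741824 /rt:false

# 4. Verify: touch the folder, then look for the audit event that names it.
Get-ChildItem -Path $ePhiFolder | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ePhiFolder*" } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If step 4 prints nothing, the most common causes are that the audit policy is being overwritten by a Group Policy object that disables the “File System” subcategory, or that the SACL was applied to a different path than the share users actually open.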

Addressable, Not Optional, HIPAA Controls

If you don’t think one of these is reasonable for your organization, you must identify a suitable alternative and document the reasons for your decision. Simply ignoring an Addressable control is a HIPAA Security Rule violation, and it leaves open exactly the gap that turns a lost laptop or a shared password into a reportable data breach.


Addressable HIPAA Data Encryption

Encryption, done properly, means a lost device is not a reportable breach. With all the reported data breaches, why this isn’t Required by the HIPAA Security Rule is beyond me. Encrypting data is not expensive, and under the HHS breach notification guidance a lost or stolen device whose ePHI is encrypted (with the decryption key not stored on the same device) does not have to be reported. Recently Advocate Health Care in Chicago had four computers stolen and breached 4 million records. An Omnicell technician had his laptop stolen and breached 68,000 records. Would you rather pay millions of dollars to notify patients and pay fines, or a lot less to encrypt your devices? Don’t stop at laptops—encrypt everything from thumb drives to servers.
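As an added example (not code from the original article or from Treasure Valley IT), here is how an IT provider can check that the “encrypt everything” advice above has actually been carried out on a Windows machine and fix it where it has not: list every volume that is not fully encrypted with protection on, then enable BitLocker on the OS volume using the TPM, with a recovery password escrowed to Active Directory so that IT, not whoever finds the device, can recover it. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), an elevated session on a domain-joined computer with a TPM, and that the OS volume is C:; those are assumptions, not facts from the article.

```powershell
# Added example (not from the original article). Requires the BitLocker module
# and an elevated session; drive letters are assumptions.

function Get-UnencryptedVolumes {
    # A volume only qualifies for the "encrypted device" safe harbor when
    # encryption has finished AND protection is turned on. A suspended or
    # half-encrypted drive reads as plaintext to a thief.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
    }
}

# 1. Inventory: report anything that is not protected.
$unprotected = Get-UnencryptedVolumes
if (-not $unprotected) {
    Write-Host 'All volumes are fully encrypted with protection on.'
} else {
    $unprotected |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionPercentage |
        Format-Table -AutoSize
}

# 2. Remediate the OS volume (assumed C:) with TPM-based protection and a
#    recovery password backed up to AD, so the key never lives on the laptop.
$os = Get-BitLockerVolume -MountPoint 'C:'
if ($os.ProtectionStatus -ne 'On') {
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId
}

# 3. Thumb drives and other removable media take a password protector instead
#    of the TPM (assumed drive letter E:):
#   Enable-BitLocker -MountPoint 'E:' -PasswordProtector -Password (Read-Host -AsSecureString 'Drive password')
```

Run the inventory function on its own first across the fleet; the device that turns up as `FullyDecrypted` or `ProtectionStatus: Off` is the one that will become the next notification letter.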


Required Unique User Identification

No shared logins and passwords are allowed by the HIPAA Security Rule — none. All systems that provide access to electronic Protected Health Information (ePHI) must be able to track users and what files they create, access, and modify. This includes IT staff and outsourced IT providers that access systems housing patient information.


Addressable Automatic Logoff/Lockout

“This is so inconvenient!”

“It slows our doctors down!”

“It’s such a pain to keep logging in!”

Document Your Decision

If you believe that an Addressable specification is not reasonable or appropriate, you must document your decision.


Bottom Line With HIPAA Security

Our advice is to treat every HIPAA Security Rule Implementation Specification as Required. You will be compliant, more secure, and far less likely to face a reportable data breach, millions of dollars in costs, and tons of grief.




    9019 Barnes Drive

    Boise, Idaho 83709

    (208) 367-1000