About the HIPAA Security HyperRule

There are two principal pieces to the Security Rule: the commentary and the actual rule.

Though Interhack offers a variety of information security services that can help you comply with HIPAA, this guide is not professional advice.

We may have made errors transcribing this document. The authoritative document is published in the U.S. Government's Federal Register, Vol 68, No 34, dated Thursday, February 20, 2003. You can obtain a copy at http://www.access.gpo.gov/ by searching for the words "Security Standard".

In its simplest sense, the security rule requires you to do a total of 42 things: 20 that must be implemented and another 22 that you must either implement or address through some other means. Most of these fall into four groups:

  1. Basic practices anyone with a computer system should be doing: access policies, contingency plans (backups, recovery), not sharing account information, and physical security.
  2. Personnel issues related to authorization, dismissal, computer usage, and training.
  3. Legal items: dealing with security failures and protecting against business associates' security failures.
  4. Unfortunately, a few items that we as security experts view as really good ideas but that most people do not actually do: risk analysis, risk management, periodic activity reviews, and evaluations.