About the HIPAA Security HyperRule
There are two principal pieces to the Security Rule: the
commentary and the actual rule.
Though Interhack offers a variety of
information security
services that can help you comply with HIPAA,
this guide is not professional advice.
We may have made errors transcribing this document.
The authoritative document is published in the
U.S. Government's Federal Register, Vol 68, No
34 dated Thursday, February 20, 2003. You can obtain
a copy at
http://www.access.gpo.gov/
and look for the words "Security Standard".
In its simplest sense, the security rule requires you
to do a total of
42 things:
20 to be implemented
and another 22
items that you must either implement or address
through some other means. Most of these represent:
- Basic practices anyone with a computer system should
  be doing: access policies, contingency plans
  (backups, recovery), not sharing account
  information, and physical security.
- Personnel issues related to authorization,
  dismissal, computer usage, and training.
- Legal items: dealing with security failures and
  protecting against business associates' security
  failures.
- Unfortunately, a few items that we as security
  experts view as really good ideas but are not things
  most people do: risk analysis, risk management,
  periodic activity reviews, and evaluations.