HIPAA Security Rule Compliance for Electronic Medical Records

Jan 13, 2022 by Dominick Pellegrino

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) directed the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy of patients and the security of certain health information. [1] HHS implemented that mandate through two sets of regulations: the HIPAA Privacy Rule and the HIPAA Security Rule. [1] Under the Security Rule, covered entities such as physician practices, together with their business associates, must protect patients' electronically stored health information (electronic protected health information, or "ePHI") by implementing appropriate administrative, physical, and technical safeguards that maintain the confidentiality, integrity, and availability of that information. [1, 2] All covered entities, including practices that use certified electronic health record (EHR) technology, must conduct a risk analysis of their ePHI; certification of the EHR product does not by itself satisfy this requirement. [2]

HIPAA Security Rule: A flexible strategy for protecting ePHI

The Security Rule is designed to be scalable, flexible, and technology-neutral, so that a solo practice and a hospital system can both comply with the same text. Its requirements are organized in three tiers. At the first tier, every covered entity must meet a set of standards. At the second tier, each standard carries implementation specifications, which are either "required" (they must be implemented as written) or "addressable" (the entity must assess whether the specification is reasonable and appropriate in its environment and, if it is not, document why and implement an equivalent alternative measure where reasonable). At the third tier, the entity actually implements and documents those specifications. Policies, procedures, and the records of actions, activities, and assessments the Rule requires must be retained for at least six years from the date of creation or the date they were last in effect, and state law may require a longer retention period. [2]

Risk Assessment

A risk assessment process includes, but is not limited to, the following actions:

•  Evaluate the likelihood and impact of potential risks to ePHI. [3]
•  Implement appropriate security measures to address the risks identified in the risk analysis. [4]
•  Document the security measures chosen and, where an addressable specification is not implemented as written, the rationale for the alternative adopted. [5]
•  Maintain continuous, reasonable, and appropriate security protections, revisiting them as the environment changes. [6]

Responsibilities of a Covered Entity to Ensure Protection of ePHI

•  Regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports, to track who accessed ePHI and to detect security incidents. [7]
•  Periodically evaluate the effectiveness of the security measures that have been implemented. [8]
•  Regularly reassess the potential risks to ePHI, in particular after operational or environmental changes. [9]

The three layered safeguard approach of HIPAA Security Rule

The Security Rule groups its standards into administrative, physical, and technical safeguards. Implementing each safeguard, and documenting how it was implemented, is how a covered entity maintains and demonstrates compliance. [2]

Administrative safeguards [10]

  1. Security Management Process
  2. Security Personnel
  3. Information Access Management
  4. Workforce Training and Management
  5. Evaluation

Physical safeguards [11]

  1. Facility Access and Control
  2. Workstation and Device Security

Technical safeguards [12]

  1. Access Control
  2. Audit Controls
  3. Integrity Controls
  4. Person or Entity Authentication
  5. Transmission Security
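The technical safeguards above are stated as standards, not mechanisms; the Security Rule is technology-neutral and leaves the choice of controls to the covered entity. The following Python sketch is an added illustration, not code from the original article, from GeeseMed, or from HHS, of one way the Audit Controls and Integrity Controls standards and the information system activity review from the earlier list can work together: every ePHI access event (including denied attempts) is appended to a log whose entries are chained with an HMAC, so that editing, inserting, deleting, or reordering a stored entry is detectable, and a review pass flags users who viewed an unexpected number of distinct patient records. The key, user names, patient identifiers, timestamps, and the per-role threshold are all constructed for the example.

```python
# Added example (not from the original article, GeeseMed or HHS): a minimal
# tamper-evident ePHI access log with an activity review, illustrating the
# Audit Controls and Integrity Controls safeguards and the information system
# activity review. HIPAA does not prescribe this or any specific mechanism.
import hashlib
import hmac
import json
from collections import Counter
from copy import deepcopy

# Constructed demo key. In a real deployment the key lives in a KMS or HSM that
# the EHR application itself cannot read, so an attacker who compromises the
# application cannot forge tags for entries they alter.
AUDIT_KEY = b"demo-audit-key-not-for-production"
GENESIS = b"\x00" * 32  # "previous tag" used for the first entry

# Constructed sample events; users, patient IDs and timestamps are fictitious.
SAMPLE_EVENTS = [
    {"ts": "2022-01-13T08:01:00Z", "user": "nurse_a", "patient": "P-001", "action": "view_chart", "outcome": "ok"},
    {"ts": "2022-01-13T08:04:00Z", "user": "nurse_a", "patient": "P-002", "action": "view_chart", "outcome": "ok"},
    {"ts": "2022-01-13T08:10:00Z", "user": "clerk_b", "patient": "P-001", "action": "view_billing", "outcome": "ok"},
    {"ts": "2022-01-13T08:11:00Z", "user": "clerk_b", "patient": "P-003", "action": "view_chart", "outcome": "denied"},
    {"ts": "2022-01-13T12:30:00Z", "user": "temp_c", "patient": "P-004", "action": "view_chart", "outcome": "ok"},
    {"ts": "2022-01-13T12:31:00Z", "user": "temp_c", "patient": "P-005", "action": "view_chart", "outcome": "ok"},
    {"ts": "2022-01-13T12:31:30Z", "user": "temp_c", "patient": "P-006", "action": "view_chart", "outcome": "ok"},
    {"ts": "2022-01-13T12:32:00Z", "user": "temp_c", "patient": "P-007", "action": "view_chart", "outcome": "ok"},
]


def _tag(prev_tag: bytes, record: dict) -> str:
    """HMAC over the previous entry's tag plus a canonical JSON form of this record.
    Chaining on prev_tag is what makes insertion, deletion or reordering detectable."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_tag + canonical, hashlib.sha256).hexdigest()


def append_entry(log: list, record: dict) -> list:
    """Append one access event, tagging it against the current head of the chain."""
    prev_tag = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    log.append({"record": record, "tag": _tag(prev_tag, record)})
    return log


def build_sample_log() -> list:
    log = []
    for event in SAMPLE_EVENTS:
        append_entry(log, event)
    return log


def verify_chain(log: list) -> int:
    """Return the index of the first entry whose tag does not verify, or -1 if the
    whole chain is intact. Truncating the tail of the log is NOT detected by the
    chain alone: the latest tag (or the entry count) must also be anchored somewhere
    the log writer cannot alter, such as a separate log sink."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(_tag(prev_tag, entry["record"]), entry["tag"]):
            return i
        prev_tag = bytes.fromhex(entry["tag"])
    return -1


def tampered_copy(log: list, index: int, field: str, value) -> list:
    """Return a copy of the log with one record field altered, simulating an insider
    editing a stored entry after the fact. The original log is left untouched."""
    altered = deepcopy(log)
    altered[index]["record"][field] = value
    return altered


def review_access(log: list, max_patients_per_user: int) -> dict:
    """Information system activity review: flag users who accessed more distinct
    patient records than expected for their role, and count denied attempts."""
    patients_by_user: dict = {}
    denied = Counter()
    for entry in log:
        r = entry["record"]
        if r["outcome"] == "denied":
            denied[r["user"]] += 1
        else:
            patients_by_user.setdefault(r["user"], set()).add(r["patient"])
    excessive = sorted(u for u, p in patients_by_user.items() if len(p) > max_patients_per_user)
    return {"excessive_access": excessive, "denied_by_user": dict(denied)}


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log) == -1)
    # An insider flips their own denied access to "ok": the chain breaks at that entry.
    print("first bad entry after tampering:", verify_chain(tampered_copy(log, 3, "outcome", "ok")))
    print("review:", review_access(log, max_patients_per_user=3))
```

Two points a practitioner would check before relying on such a log. First, the chain only proves integrity relative to whoever holds the HMAC key, so the key must not be readable by the EHR application or its database administrators; forwarding entries to a separately administered sink that holds the key (or periodically anchoring the head tag there) is what turns this into a useful integrity control. Second, chaining detects alteration inside the log but not silent removal of the newest entries, which is why the head tag or entry count needs an external anchor as well.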

GeeseMed: A complete HIPAA-compliant platform

GeeseMed virtual scribe solutions are HIPAA-compliant and allow the scribe to navigate the EMR, update notes, locate lab results, order prescriptions, and adjust coding or billing information on the provider's behalf.

GeeseMed HIPAA-compliant virtual scribe functionality

For more information contact: Sales@MDofficeManager.com


1. Public Law 104-191 – Health Insurance Portability and Accountability Act of 1996. https://www.govinfo.gov/app/details/PLAW-104publ191 (accessed December 26, 2021)
2. American Medical Association. HIPAA security rule & risk analysis. https://www.ama-assn.org/practice-management/hipaa/hipaa-securityrule-risk-analysis (accessed December 26, 2021)
3. 45 C.F.R. § 164.306 – Security standards: General rules. 45 C.F.R. § 164.306(b)(2)(iv)
4. 45 C.F.R. § 164.308 – Administrative safeguards. 45 C.F.R. § 164.308(a)(1)(ii)(B)
5. 45 C.F.R. § 164.306(d)(3)(ii)(B)(1); 45 C.F.R. § 164.316(b)(1)
6. 45 C.F.R. § 164.306(e)
7. 45 C.F.R. § 164.308(a)(1)(ii)(D)
8. 45 C.F.R. § 164.306(e); 45 C.F.R. § 164.308(a)(8)
9. 45 C.F.R. § 164.306(b)(2)(iv); 45 C.F.R. § 164.306(e)
10. 45 C.F.R. § 164.304 (definition); 45 C.F.R. § 164.308
11. 45 C.F.R. § 164.304 (definition); 45 C.F.R. § 164.310
12. 45 C.F.R. § 164.312
