Your 3-step checklist to the HIPAA Security Rule

In the first six months of 2016, roughly 175 million people were affected by HITECH breaches.

Should this statistic frighten you? Of course it should.

You see, it’s ultimately your company’s responsibility to adhere to all HIPAA standards and regulations — including its extension, HITECH. When a breach occurs within your business (or if you simply fail to uphold the appropriate standards), the negative consequences to your business (and potentially all parties associated with your business) are seemingly never-ending.

The fines alone are enough to destroy any business.

This being said, it’s more important than ever to do your research, partner with the right people, and fully understand the ins and outs of HIPAA regulations as they apply to your business — if not to protect the future of your business, then to protect the future of your employees and the clients you serve.

When it comes to HIPAA, in particular, there are four rules you need to consider: the Privacy Rule, the Security Rule, the Enforcement Rule, and the Breach Notification Rule. Today, we’re going to cover the Security Rule.

But before we get started, it’s important to note that this is merely an overview. It is not meant to replace a HIPAA partner, and it’s not meant to serve as a “complete” guide to all things HIPAA — or even to this particular rule. It’s merely an overview checklist to ensure you’ve covered (or are in the process of covering) all the facets involved with the Security Rule.

The Security Rule is composed of three main categories: administrative, technical, and physical. Here’s what you need to know about each one to stay in step with the standard.

Administrative

  • If you don’t train your employees on HIPAA and how to work within its requirements, then your business stands no chance of avoiding government fines and scrutiny. You must actively train all employees of your business who work with protected health information (PHI). This training should be ongoing, and it needs to cover things like policies, procedures, and even what happens if a violation occurs.
  • This next step is twofold. First, you need to develop security processes that pinpoint specific vulnerabilities and risks to PHI. Second, you need a designated security official who is actually responsible for developing and implementing those security processes.


  • When it comes to PHI, the best thing you can do is limit the number of people who have access to it. In other words, just because someone works at your business does not mean that person needs access to all sensitive data. Only grant people access to PHI when that access is appropriate and required.
  • For those who do have access to PHI, there must be proper procedures put in place to control this access. For example, a Unique User Identification is assigned to each person so that every access can be traced to one individual, and Automatic Logoff ends an electronic session after a period of inactivity so that an unattended workstation does not stay open. These procedures are merely safeguards put in place to secure PHI.


  • You must establish and carry out routine assessments of the policies and procedures established to protect PHI. These evaluations will help you determine whether or not your safeguards are actually doing what they are intended to do.


Technical

  • This piece addresses the Access section covered by the Administrative step. Who can access PHI and what prevents others from accessing that very same data? Technical controls should be implemented that grant access for certain individuals, while simultaneously preventing access for others.


  • Again, this piece also ties in nicely with the Administrative step from before. How are you tracking user activity and what technical controls are set in place to help you track (and examine) this user activity? You must have some combination of hardware, software, and manual processes dedicated to the examination of all user activity related to PHI.
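The three technical safeguards named above (unique user identification with role-limited access, automatic logoff, and an audit trail of all PHI activity) are easiest to understand when they sit in one piece of code. The following is an added example written for this page, not code from the original article or from any HIPAA vendor. Every name in it is constructed: the roles and the fields each role may read, the 15-minute idle timeout (a common choice, not a value the Security Rule prescribes), the user IDs, and the sample patient record. The clock is passed in as a `now` argument rather than read from the system so the logoff behaviour is deterministic and testable.

```python
"""Toy model of HIPAA technical safeguards: unique user IDs, role-limited
PHI access, automatic logoff after idle time, and an audit trail.
Added example; all roles, fields, timeouts, users and records are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

IDLE_TIMEOUT_SECONDS = 900  # constructed value: log off after 15 idle minutes

# Constructed least-privilege map: which PHI fields each role may read.
ROLE_PERMISSIONS = {
    "clinician": {"name", "diagnosis", "medications"},
    "billing": {"name", "insurance_id"},
    "front_desk": {"name"},
}


@dataclass
class Session:
    user_id: str          # unique per person; shared logins defeat the audit trail
    role: str
    last_activity: float  # seconds on the caller-supplied clock


@dataclass
class AuditEvent:
    time: float
    user_id: str
    action: str
    record_id: str
    field: Optional[str]
    outcome: str


class PhiStore:
    """In-memory PHI store that enforces access rules and records every attempt."""

    def __init__(self, records: Dict[str, Dict[str, str]]) -> None:
        self._records = records
        self.sessions: Dict[str, Session] = {}
        self.audit_log: List[AuditEvent] = []

    def _log(self, time: float, user_id: str, action: str,
             record_id: str, field: Optional[str], outcome: str) -> None:
        # Denied attempts are logged too; those are what an auditor looks for.
        self.audit_log.append(AuditEvent(time, user_id, action, record_id, field, outcome))

    def login(self, user_id: str, role: str, now: float) -> None:
        if role not in ROLE_PERMISSIONS:
            self._log(now, user_id, "login", "-", None, "denied_unknown_role")
            raise PermissionError(f"unknown role {role!r}")
        self.sessions[user_id] = Session(user_id, role, now)
        self._log(now, user_id, "login", "-", None, "ok")

    def _active_session(self, user_id: str, now: float) -> Optional[Session]:
        """Return the live session, or end it (automatic logoff) if it sat idle too long."""
        session = self.sessions.get(user_id)
        if session is None:
            return None
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[user_id]
            self._log(now, user_id, "auto_logoff", "-", None, "idle_timeout")
            return None
        session.last_activity = now
        return session

    def read_field(self, user_id: str, record_id: str, field: str, now: float) -> str:
        session = self._active_session(user_id, now)
        if session is None:
            self._log(now, user_id, "read", record_id, field, "denied_no_session")
            raise PermissionError("no active session")
        if field not in ROLE_PERMISSIONS[session.role]:
            self._log(now, user_id, "read", record_id, field, "denied_role")
            raise PermissionError(f"role {session.role!r} may not read {field!r}")
        record = self._records.get(record_id)
        if record is None or field not in record:
            self._log(now, user_id, "read", record_id, field, "not_found")
            raise KeyError(record_id)
        self._log(now, user_id, "read", record_id, field, "ok")
        return record[field]

    def outcomes(self) -> List[str]:
        return [event.outcome for event in self.audit_log]


# Constructed sample record; no real patient data.
SAMPLE_RECORDS = {
    "MRN-0001": {"name": "Sample Patient", "diagnosis": "sample-dx",
                 "medications": "sample-rx", "insurance_id": "INS-0001"},
}


def run_demo() -> List[str]:
    """Walk through an allowed read, a role denial, and an idle-timeout logoff."""
    store = PhiStore(SAMPLE_RECORDS)
    store.login("dr.alice", "clinician", now=0.0)
    store.login("bob.billing", "billing", now=0.0)
    store.read_field("dr.alice", "MRN-0001", "diagnosis", now=10.0)          # allowed
    try:
        store.read_field("bob.billing", "MRN-0001", "diagnosis", now=20.0)   # wrong role
    except PermissionError:
        pass
    try:  # clinician returns 901 s after last activity: session auto-logged off
        store.read_field("dr.alice", "MRN-0001", "medications", now=10.0 + IDLE_TIMEOUT_SECONDS + 1)
    except PermissionError:
        pass
    return store.outcomes()


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The audit log records the denied attempts alongside the successful ones, which is the point of the audit-control safeguard: a reviewer examining user activity needs to see who tried to reach PHI outside their role, not only who succeeded.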


  • PHI is some of the most sensitive data a business can hold. If it is wrongfully altered or improperly destroyed, the consequences can be far-reaching. This being said, there must be technical controls set in place that prevent PHI from being mishandled.


  • PHI doesn’t always remain in one place forever. It’s electronically shared in other places, and it’s sometimes packaged into a device and physically delivered to another place. Because of this, it’s important to have technical controls established that secure how this data is transmitted from one place to another. This expands to cover everything from email and encryption to wireless networks and removable devices.

Physical

Facility Access

  • Just as you would limit access to the PHI itself, you also need to limit access to the building that maintains that PHI. This means you need to ask yourself: who has access to specific parts of your physical business and why is this access necessary? This extends beyond employees to cover vendors, partners and clients, as well. You need to carefully consider the many parts of your business to determine and manage who has access to what and why.

Device Access

  • This “physical access” also includes the many devices your business uses — from desktop computers and servers to miniature USB drives. How are all of these devices secured, what is allowed on these devices, and who is allowed to use these devices? On top of this, you also need to consider where these devices are allowed to be moved, how they are to be disposed of, and if they’re allowed to be transferred from one person to another.


Remember, the Security Rule is just one of four rules included in the standard. And these rules are merely a small piece of the HIPAA pie. In order to successfully uphold HIPAA regulations, it’s important to find the right partner, and we’d like to be that partner.

Give us a call or send us a message to learn more about our professional HIPAA services for small businesses in Colorado.