The technical safeguards a covered entity implements must only allow access to ePHI by the people or software programs that have been granted access by the covered entity.
A covered entity must be able to identify at all times who has had access to ePHI, whether that access was appropriate, and how it prevents and detects unauthorized access.
All users must have a unique identification number or tag so that their access to ePHI, and the activity they performed on the information, can be tracked.
Covered entities need to establish who can access ePHI during an emergency. Can the help desk IT staff get access to ePHI for clinicians in an emergency, or is clearance needed from senior IT management?
Can your information system log off users after a predetermined time when no activity is noted? If not, what precautions are taken?
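The automatic logoff question above is answered by an idle timeout enforced on the server side. The following is an added example, not part of the original page: a session manager that logs a session off once no activity has been seen for a configurable period. The timeout value, session identifiers and injected clock are assumptions for the demonstration.

```python
"""Automatic logoff after a period of inactivity (added example).

Sessions expire once no activity has been recorded for idle_timeout
seconds, so a workstation left unattended does not keep an ePHI session
open. A clock function is injected so the behaviour can be exercised
without waiting in real time.
"""
import time
from typing import Callable, Dict

IDLE_TIMEOUT = 600  # seconds; a policy value chosen for this demo, not a HIPAA figure


class SessionManager:
    def __init__(self, now: Callable[[], float] = time.monotonic,
                 idle_timeout: float = IDLE_TIMEOUT) -> None:
        self._now = now
        self._timeout = idle_timeout
        self._last_activity: Dict[str, float] = {}  # session_id -> last activity time

    def login(self, session_id: str) -> None:
        """Start a session; session_id is a constructed identifier."""
        self._last_activity[session_id] = self._now()

    def touch(self, session_id: str) -> bool:
        """Record user activity. Returns False if the session was already logged off."""
        if not self.is_active(session_id):
            return False
        self._last_activity[session_id] = self._now()
        return True

    def is_active(self, session_id: str) -> bool:
        """Enforce the timeout lazily: an expired session is removed on first check."""
        last = self._last_activity.get(session_id)
        if last is None:
            return False
        if self._now() - last > self._timeout:
            del self._last_activity[session_id]  # automatic logoff
            return False
        return True


if __name__ == "__main__":
    sm = SessionManager(idle_timeout=1.0)
    sm.login("demo-session")
    time.sleep(1.1)
    print("still active after idle period:", sm.is_active("demo-session"))
```

Expiry is checked whenever a session is used rather than by a background timer, which keeps the control inside the request path where it cannot be skipped; a periodic sweep can be added for sessions that are never touched again.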
This implementation specification ensures the confidentiality and integrity of ePHI during electronic transmission. Covered entities need to decide how and when to use encryption and decryption.
Covered entities must implement the controls necessary to record and monitor information system activity, both authorized and unauthorized. These may be hardware, software, and/or procedural controls, and they are required.
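The access-control, unique-user-identification and audit-control points above fit together in one mechanism: every access attempt is checked against the entity's grant list and written to an append-only log under the user's unique identifier. The following is an added example, not code from the original page; the user and record identifiers, the grants and the log format are constructed for the demonstration.

```python
"""Access control plus audit logging for ePHI records (added example).

Each access attempt is checked against the grants the covered entity has
made and is logged whether or not it was permitted, so the entity can
later answer "who accessed this record, and was it appropriate?" and can
review denied attempts as a detection signal.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set


@dataclass
class AuditEvent:
    timestamp: str
    user_id: str      # unique user identifier (constructed format "U-####")
    record_id: str    # ePHI record identifier (constructed format "MRN-####")
    action: str       # e.g. "read", "update"
    permitted: bool


@dataclass
class EphiStore:
    # record_id -> set of user_ids granted access (constructed grants)
    grants: Dict[str, Set[str]]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def access(self, user_id: str, record_id: str, action: str) -> bool:
        """Check the grant, then log the attempt whether or not it was permitted."""
        permitted = user_id in self.grants.get(record_id, set())
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user_id=user_id, record_id=record_id, action=action,
            permitted=permitted))
        return permitted

    def who_accessed(self, record_id: str) -> List[str]:
        """Unique user IDs that successfully touched a record (audit review)."""
        return sorted({e.user_id for e in self.audit_log
                       if e.record_id == record_id and e.permitted})

    def unauthorized_attempts(self) -> List[AuditEvent]:
        """Denied attempts: the events a detection process should review."""
        return [e for e in self.audit_log if not e.permitted]


def demo() -> EphiStore:
    """Constructed scenario: two granted users and one user with no grant."""
    store = EphiStore(grants={"MRN-0001": {"U-1001", "U-1002"}})
    store.access("U-1001", "MRN-0001", "read")    # permitted
    store.access("U-1002", "MRN-0001", "update")  # permitted
    store.access("U-2001", "MRN-0001", "read")    # no grant: denied and logged
    return store


if __name__ == "__main__":
    s = demo()
    print("accessed by:", s.who_accessed("MRN-0001"))
    for ev in s.unauthorized_attempts():
        print("DENIED", ev.timestamp, ev.user_id, ev.record_id, ev.action)
```

Denied attempts are logged alongside permitted ones; a log that records only successes cannot show the unauthorized activity the audit-control specification asks the entity to monitor.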
Covered entities must protect ePHI from improper alteration and destruction.
How do you attest to the validity of the information, and what electronic mechanisms do you have in place to validate it?
This is a required implementation specification. Can you electronically verify that the person requesting information is who they say they are?
Electronic communication networks must be protected to ensure the confidentiality of all ePHI transmitted.
Covered entities must implement controls to protect against message tampering during communications of ePHI. These controls ensure the message received is the same message that was sent.
Covered entities must implement encryption controls where appropriate to protect ePHI.
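The integrity specification and the transmission integrity control above both come down to the receiver being able to prove that the message it holds is byte-for-byte the one that was sent. The following is an added example, not code from the original page: a keyed message authentication code (HMAC-SHA256) computed by the sender and verified by the receiver in constant time. The key and message are constructed; in practice the key comes from the entity's key management and the channel is also encrypted, which this example does not show.

```python
"""Integrity control for ePHI in transit (added example).

The sender computes an HMAC-SHA256 tag over the message with a shared key;
the receiver recomputes the tag and compares in constant time. Any change to
the message or the tag during transmission makes verification fail.
"""
import hashlib
import hmac
from typing import Tuple

# Placeholder key for the demonstration only; a real deployment draws the
# key from the covered entity's key management process.
KEY = b"constructed-demo-key-do-not-reuse"


def protect(message: bytes, key: bytes = KEY) -> Tuple[bytes, str]:
    """Sender side: return the message together with its hex authentication tag."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return message, tag


def verify(message: bytes, tag: str, key: bytes = KEY) -> bool:
    """Receiver side: True only if the message is exactly what was sent."""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking which byte of the tag differs via timing
    return hmac.compare_digest(expected, tag)


def tampered_in_transit(message: bytes) -> bytes:
    """Simulate a single-bit alteration on the wire (constructed fault)."""
    return message[:-1] + bytes([message[-1] ^ 0x01])


if __name__ == "__main__":
    msg, tag = protect(b"MRN-0001 lab result: normal")  # constructed ePHI message
    print("untouched message verifies:", verify(msg, tag))
    print("altered message verifies:  ", verify(tampered_in_transit(msg), tag))
```

A plain hash stored beside the message would not serve here, because whoever can alter the message can recompute the hash; the shared key is what ties the tag to the sender.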