HIPAA

Summary

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to issue regulations protecting the privacy and security of certain health information. The version used in this section is the 2013 update to the HIPAA Rules (the Omnibus Final Rule). Each definition below is identified by its section of the Security Rule in 45 CFR Part 164, written with underscores in place of dots, so 164_312_a_2_iv is 45 CFR §164.312(a)(2)(iv); 164.308 covers administrative safeguards, 164.310 physical safeguards and 164.312 technical safeguards. Implementation specifications are marked "required" or "addressable" as the rule itself marks them; an addressable specification must still be assessed and either implemented or replaced by a documented equivalent.

Definitions

Definition -> Requirements

164_308_a_1_ii_D. Information system activity review (required)
    084. Allow transaction history queries
    085. Allow session history queries

164_308_a_3_i. Standard: workforce security
    095. Define users with privileges

164_308_a_3_ii_A. Authorization or supervision (addressable)
    034. Manage user accounts

164_310_a_2_iii. Access control and validation procedures (addressable)
    095. Define users with privileges
    114. Deny access with inactive credentials
    229. Request access credentials
    231. Implement a biometric verification component

164_310_d_2_i. Disposal (required)
    214. Allow data destruction

164_312_a_1. Standard: access control
    096. Set user's required privileges
    229. Request access credentials

164_312_a_2_i. Unique user identification (required)
    143. Unique access credentials

164_312_a_2_iii. Automatic logoff (addressable)
    023. Terminate inactive user sessions

164_312_a_2_iv. Encryption and decryption (addressable)
    147. Use pre-existent mechanisms
    148. Set minimum size of asymmetric encryption
    149. Set minimum size of symmetric encryption
    370. Use OAEP padding with RSA
    371. Use GCM Padding with AES
    372. Proper Use of Initialization Vector (IV)

164_312_b. Standard: audit controls
    075. Record exceptional events in logs

164_312_d. Standard: person or entity authentication
    096. Set user's required privileges
    229. Request access credentials
    231. Implement a biometric verification component

164_312_e_1. Standard: transmission security
    255. Allow access only to the necessary ports
    257. Access based on user credentials

164_312_e_2_i. Integrity controls (addressable)
    214. Allow data destruction
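The encryption requirements mapped to 164_312_a_2_iv above (147 to 149 and 370 to 372) are the ones most often implemented incorrectly, so here they are together in one routine: a record is sealed with AES-GCM under a fresh random nonce, and the data key is wrapped with RSA-OAEP after a minimum-size check on both keys. This is an added example written for this page using only Go's standard crypto packages; it is not code from the page or from the project it documents. The key-size floors, the OAEP label and the sample record are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed floors for requirements 148 and 149: the page names the
// requirements but states no numbers, so these values are this example's.
const (
	MinRSABits   = 2048
	MinAESBits   = 128
	gcmNonceSize = 12 // 96-bit nonce, GCM's standard size
)

var ErrKeyTooSmall = errors.New("key shorter than the required minimum")

// oaepLabel is an assumed context label; wrap and unwrap must agree on it.
var oaepLabel = []byte("hipaa-data-key")

// CheckRSAKeySize enforces the asymmetric minimum (requirement 148).
func CheckRSAKeySize(pub *rsa.PublicKey) error {
	if pub == nil || pub.N.BitLen() < MinRSABits {
		return ErrKeyTooSmall
	}
	return nil
}

// CheckAESKeySize enforces the symmetric minimum (requirement 149).
func CheckAESKeySize(key []byte) error {
	if len(key)*8 < MinAESBits {
		return ErrKeyTooSmall
	}
	return nil
}

// NewDataKey draws a 256-bit AES key from the OS CSPRNG: the platform's
// existing primitive rather than anything hand-rolled (requirement 147).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// EncryptGCM seals plaintext with AES-GCM (requirement 371) under a nonce that
// is freshly generated on every call, so it is never reused with the same key
// (requirement 372). The nonce is prepended to the output; aad is
// authenticated but not encrypted (for example a record identifier).
func EncryptGCM(key, plaintext, aad []byte) ([]byte, error) {
	if err := CheckAESKeySize(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcmNonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // nonce || ct || tag
}

// DecryptGCM reverses EncryptGCM. Any change to nonce, ciphertext, tag or aad
// makes Open fail, which is the integrity guarantee GCM adds over CBC/CTR.
func DecryptGCM(key, blob, aad []byte) ([]byte, error) {
	if err := CheckAESKeySize(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcmNonceSize+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcmNonceSize], blob[gcmNonceSize:], aad)
}

// WrapKeyOAEP protects the data key with RSA-OAEP/SHA-256 (requirement 370),
// never textbook RSA or PKCS#1 v1.5, after checking the modulus size.
func WrapKeyOAEP(pub *rsa.PublicKey, dataKey []byte) ([]byte, error) {
	if err := CheckRSAKeySize(pub); err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
}

// UnwrapKeyOAEP recovers the data key with the matching private key.
func UnwrapKeyOAEP(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	if err := CheckRSAKeySize(&priv.PublicKey); err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, MinRSABits)
	key, _ := NewDataKey()
	blob, _ := EncryptGCM(key, []byte("patient=12345;dx=I10"), []byte("rec-77")) // constructed sample
	wrapped, _ := WrapKeyOAEP(&priv.PublicKey, key)
	fmt.Printf("sealed %d bytes, wrapped key %d bytes\n", len(blob), len(wrapped))
}
```

The two size checks are deliberately separate functions so they can be called at key-load time as well as at use time; a key that was acceptable when provisioned can fall below the floor when the constants are raised later, and failing closed at load is the behaviour an auditor expects to see. The nonce is stored alongside the ciphertext rather than derived from the record, because a deterministic nonce is only safe if the (key, nonce) pair can be guaranteed unique, which is the mistake requirement 372 exists to catch.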