SECURITY
- Security standards for all patient-specific information that is or has been electronically stored and/or transmitted can be grouped into four categories:
  - Administrative procedure safeguards – comprehensive security policies and procedures
  - Physical safeguards – data integrity, backup, access, workstation location and security training
  - Technical security mechanisms – security measures to guard against unauthorized access to data
  - Technical security services – measures to protect patient information and control individual access to such information
- The standards establish a minimum threshold for compliance in each of the four categories.
- However, the security standards do not specify particular technology requirements – each organization must assess its own "risk" and develop security measures accordingly.
- Organizations must certify their security programs (either through a self-certification or by a private accreditation entity or vendor). The certification process has not yet been specifically defined.