<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>HIPAA PHI Compliance</title>
	<atom:link href="http://hipaa-encryption.com/HIPAA-Compliance/feed/" rel="self" type="application/rss+xml" />
	<link>http://hipaa-encryption.com/HIPAA-Compliance</link>
	<description>HIPAA Security, Best Practices, Policies, Rules and Regulations</description>
	<lastBuildDate>Wed, 05 May 2010 23:04:30 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>HITECH Compliance Policy Example</title>
		<link>http://hipaa-encryption.com/HIPAA-Compliance/phi-policies/hitech-compliance-policy-example/</link>
		<comments>http://hipaa-encryption.com/HIPAA-Compliance/phi-policies/hitech-compliance-policy-example/#comments</comments>
		<pubDate>Wed, 05 May 2010 23:04:30 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PHI Policies]]></category>

		<guid isPermaLink="false">http://hipaa-encryption.com/HIPAA-Compliance/?p=30</guid>
		<description><![CDATA[Business Associates of Covered Entities must be able to demonstrate that they are in compliance with the administrative, physical, and technical safeguards of the HIPAA Security Rule, as required by the HITECH Act. An important part of the process is having a well-documented, comprehensive HITECH Compliance policy that identifies user and system responsibilities. Some major components of the IT Security requirements of HIPAA and HITECH are as follows:]]></description>
			<content:encoded><![CDATA[<p>Business Associates of Covered Entities must be able to demonstrate that they are in compliance with the administrative, physical, and technical safeguards of the HIPAA Security Rule, as required by the HITECH Act. Part of being compliant is having a well-documented, comprehensive HITECH Compliance policy that identifies user and system responsibilities.</p>
<p>Some major components of the IT Security requirements of HIPAA and HITECH are as follows:</p>
<p>1. Unique Passwords and Password Encryption<br />
2. Automatic Log out of a user after some period of inactivity<br />
3. Encryption of attached documents<br />
4. Encryption of emails and documents attached to emails.<br />
5. The removal and/or encryption of identifiers, thereby making the data no longer PHI</p>
<p>All users of PHI computer resources must comply with these security policies and standards. This includes all employees, contractors, consultants, and other non-employees that access data or use PHI resources. Violators of this policy will be dealt with in accordance with personnel policies, contractual agreements, and/or legal statutes as appropriate.</p>
<p><strong>HITECH Compliance Policy Examples</strong><br />
System(s) Users<br />
User responsibilities include:<br />
(1) Ensure that computer resources and all data available to them are safeguarded from misuse, viruses, theft, and damage.<br />
(2) Users may not allow other persons to access ACME PHI CO. computer systems with their password or account. Users are responsible for activity conducted under their account ID.<br />
(3) Users must report, as soon as possible, any security incidents and violations or suspected violations of this policy to the CTO.<br />
(4) Remote access, user passwords and user IDs are considered sensitive information and will be protected as such. Users will employ the same procedures and caution as they do with ACME PHI CO. confidential information when dealing with these types of information.<br />
(5) Adhere to all software copyright laws.<br />
(6) Use of unauthorized or unlicensed software is strictly prohibited.<br />
(7) Users will not use their accounts or ACME PHI CO. computer resources for personal gain, to in any way harass an individual, or to create or disseminate obscene/pornographic material.</p>
<p><strong>E-mail Usage<br />
</strong>The e-mail systems provided by ACME PHI CO. are owned by ACME PHI CO. and are provided for conducting official business. All data on these systems, including e-mail, are the property of ACME PHI CO. ACME PHI CO. employees should not have an expectation that e-mail is private. Contents can be monitored, and review of employee e-mail may occur when a business situation so warrants. In such cases, an employee’s e-mail will be reviewed if specifically authorized by an ACME PHI CO. Manager or above, the CTO, or a law enforcement representative duly authorized by the court. Except for on-site consultants, e-mail is generally NOT provided to system users not employed by ACME PHI CO.<br />
In its basic form, e-mail is an inherently insecure method of information exchange. Most mail systems send messages in clear text. Users are required to make &#8220;reasonable&#8221; efforts to protect the security and integrity of patient confidential information. PHI should never be included in an e-mail message. If mail delivery or faxing the information will not meet the business need, then the process to be used should be approved by the CTO.<br />
Occasional personal use of the ACME PHI CO. e-mail system is permitted. Users should limit the personal use of ACME PHI CO. e-mail just as they do telephone services. Excessive or inappropriate personal use could result in the loss of e-mail privileges and/or an administrative personnel action.</p>
<p>All e-mail originating from ACME PHI CO. systems is considered official ACME PHI CO. correspondence. All email addressed to users outside of the ACME PHI CO. email domain (ACME PHI CO.mange.com) will contain the following notice:<br />
(1) Confidentiality Notice: This message and any attachments may contain information that is confidential, privileged and/or protected from disclosure under state and federal laws that deal with the privacy and security of medical information. If you received this message in error or through inappropriate means, please reply to this message to notify the Sender that the message was received by you in error, and then permanently delete this message from all storage media, without forwarding or retaining a copy.<br />
<strong>Inappropriate E-mail Activities</strong><br />
Inappropriate activities include but are not limited to:<br />
(1) Users may not include inappropriate materials in their messages. Examples of inappropriate materials include, but are not limited to, derogatory or defamatory language, profanity, pornography, or racial or ethnic slurs.<br />
(2) Use of e-mail to harass others is illegal.<br />
(3) Use of ACME PHI CO. e-mail for personal profit is not permitted.</p>
<p>(4) Distribution of electronic chain mail is prohibited. Chain mail puts undue stress on ACME PHI CO. systems and may often include detrimental or inappropriate content such as (but not limited to):</p>
<p>Contagious e-mail viruses. Hoaxes about missing children, viruses, urban legends, money, etc&#8230;<br />
Political, sexual, religious content, which may be offensive to co-workers.</p>
<p>Note: Chain mail usually includes verbiage such as &#8220;forward this to everyone you know&#8221; or &#8220;forward this to 9 people in the next 5 minutes and you will have good luck all day&#8221;. Please delete any chain mail you receive or contact IS Security at XXX-XXX-XXXX for guidance.</p>
<p>(5) Game playing, distributing games, or gambling.<br />
(6) Conducting any activity that interferes with or detracts from the user&#8217;s or other&#8217;s work duties.<br />
(7) Conducting any activity that may reflect poorly on the user or ACME PHI CO.<br />
(8) Advocating personal religious or political views and opinions.<br />
(9) Forging or attempting to forge e-mail.</p>
<p><strong>Instant Messaging </strong><br />
Instant Messaging services are not allowed at ACME PHI CO. except in special cases. Requests for IM services must be in writing and approved by the CTO.</p>
<p><strong>Remote Access</strong><br />
Remote access capability is provided to ACME PHI CO. computer users on an as-needed basis. The system user must have their manager/supervisor&#8217;s approval to request remote access. The only remote access allowed is through the secured ACME PHI CO. servers provided for this purpose. Identification and authentication of users connecting to ACME PHI CO. is through the user&#8217;s ACME PHI CO. user ID and password.<br />
(1) Remote Access Locations &#8211; Remote access users may only connect from approved locations. Currently approved remote locations are limited to a user&#8217;s personal residence. All other locations require prior authorization.<br />
(2) User&#8217;s responsibilities &#8211; While working off-site, users must remember that ACME PHI CO. confidential information must be given the same attention to security as when working on it at an ACME PHI CO. location. Confidential and sensitive information should not be stored on your home computer&#8217;s hard drive (unless it is encrypted) even if it is an ACME PHI CO. provided computer. Nor should any laptop computer or computer media (CD-ROMs, diskettes, tapes, etc.) containing confidential or sensitive information be left unsecured when working off-site. In general, such information will not be stored at a personal residence beyond the period of time that it is being used.<br />
(3) Off-site protection of data &#8211; Storage media containing patient data or other sensitive information should be labeled as such, and at a minimum stored in a locked desk drawer or cabinet. The key or combination must be strictly controlled against unauthorized access. Any printed materials (hard copies) containing confidential or sensitive information will, at a minimum, also be stored as above.<br />
(4) While traveling, it is imperative that ACME PHI CO. employees protect any equipment and media in their possession. For example, when staying at a hotel while carrying a laptop, the laptop may not be left in the hotel unless locked in a safe in the room or in the hotel’s main safe. Always obtain a receipt when leaving a laptop with hotel personnel for security purposes. Note: You must get prior approval from ACME PHI CO. before utilizing a remote connection to ACME PHI CO. from any unapproved location.<br />
(5) All ACME PHI CO. information processed off-site is the property of ACME PHI CO. and must be returned immediately upon request of ACME PHI CO.<br />
(6) ACME PHI CO. employees will ensure that adequate measures are in place to protect equipment and information from theft, abuse, unauthorized use, and unauthorized disclosure.</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaa-encryption.com/HIPAA-Compliance/phi-policies/hitech-compliance-policy-example/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Government Encryption Standard &#124; Advanced Encryption Standard (AES)</title>
		<link>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/government-encryption-standard-advanced-encryption-standard-aes/</link>
		<comments>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/government-encryption-standard-advanced-encryption-standard-aes/#comments</comments>
		<pubDate>Sat, 06 Mar 2010 21:45:58 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[FIPS Security Standards]]></category>
		<category><![CDATA[PHI Encryption]]></category>
		<category><![CDATA[PHI Security]]></category>

		<guid isPermaLink="false">http://hipaa-encryption.com/HIPAA-Compliance/?p=23</guid>
		<description><![CDATA[Government data encryption standards require health care providers, health insurance companies and business associates who transmit, store or access protected health information in electronic form to utilize the FIPS approved AES Standard (Advanced Encryption Standard).]]></description>
			<content:encoded><![CDATA[<p>Government data encryption standards require health care providers, health insurance companies and business associates who transmit, store or access protected health information in electronic form to utilize a standardized level of data encryption. The Advanced Encryption Standard (AES) is a Federal Information Processing Standards (FIPS) approved cryptographic algorithm used to protect electronic data. AES is widely used across the healthcare industry to secure data at rest, data in motion and data in transit. To be in compliance with Government regulations, many software applications are rapidly incorporating the AES algorithm into current and future products.</p>
<p><strong>What is AES?</strong><br />
Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. The AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits.  </p>
<p><strong>History of AES:</strong><br />
Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256, adopted from a larger collection originally published as Rijndael. Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. The AES ciphers have been analyzed extensively and are now used worldwide, as was the case with its predecessor, the Data Encryption Standard (DES).</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/government-encryption-standard-advanced-encryption-standard-aes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Encrypted External Storage &#8211; HIPAA Compliant external Hard Drives</title>
		<link>http://hipaa-encryption.com/HIPAA-Compliance/external-storage/encrypted-external-storage-hipaa-compliant-external-hard-drives/</link>
		<comments>http://hipaa-encryption.com/HIPAA-Compliance/external-storage/encrypted-external-storage-hipaa-compliant-external-hard-drives/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 20:41:56 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[External Storage]]></category>

		<guid isPermaLink="false">http://hipaa-encryption.com/HIPAA-Compliance/?p=15</guid>
		<description><![CDATA[There are a variety of Open Source applications that can be used to securely encrypt external storage devices in keeping with HIPAA Standards]]></description>
			<content:encoded><![CDATA[<p><strong>HIPAA Compliant External Devices</strong><br />
There are a variety of Open Source applications that can be used to securely encrypt external storage devices (hard disk drives, USB drives, etc.) in keeping with HIPAA Standards, but it is important to understand the guidelines set forth by the National Institute of Standards and Technology (NIST) first. Specifically, see Special Publication 800-111, <a href="http://hipaa-encryption.com/PDF/Guide%20to%20Storage%20Encryption-SP800-111.pdf">Guide to Storage Encryption Technologies for End User Devices</a>. HIPAA compliant encryption can easily be added to any external storage device.<br />
<strong>Full Disk Encryption</strong><br />
For a computer that is not booted, all the information encrypted by FDE is protected, assuming that pre-boot authentication is required. When the device is booted, then FDE provides no protection; once the OS is loaded, the OS becomes fully responsible for protecting the unencrypted information. The exception to this is when the device is in a hibernation mode; most FDE products can encrypt the hibernation file.</p>
<p><strong>Virtual Disk and Volume Encryption</strong><br />
When virtual disk encryption is employed, the contents of containers are protected until the user is authenticated for the containers. If single sign-on is being used for authentication to the solution, this usually means that the containers are protected until the user logs onto the device. If single sign-on is not being used, then protection is typically provided until the user explicitly authenticates to a container. Virtual disk encryption does not provide any protection for data outside the container, including swap and hibernation files that could contain the contents of unencrypted files that were being held in memory. Volume encryption provides the same protection as virtual disk encryption, but for a volume instead of a container.</p>
<p><strong>File/Folder Encryption</strong><br />
File/folder encryption protects the contents of encrypted files (including files in encrypted folders) until the user is authenticated for the files or folders. If single sign-on is being used, this usually means that the files are only protected until the user logs onto the device. If single sign-on is not being used, then protection is typically provided until the user explicitly authenticates to a file or folder. File/folder encryption does not provide any protection for data outside the protected files or folders, including swap and hibernation files that could contain the contents of unencrypted files that were being held in memory. File/folder encryption software also cannot protect the confidentiality of filenames and other file metadata, which itself could provide valuable information to attackers (for example, files that are named by Social Security number).</p>
<p>Encryption for purposes of HIPAA is simply the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, where such process or key has not been breached. The guidance identifies two encryption processes recognized by the National Institute of Standards and Technology (NIST) as rendering protected health information unusable, unreadable or indecipherable. For data at rest, the acceptable processes are those that are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Valid encryption processes for data in motion are those that comply with Federal Information Processing Standards 140-2.<br />
Covered entities and business associates must remember that rendering PHI unusable, unreadable or indecipherable to unauthorized individuals as defined in the guidance is not a substitute for compliance with HIPAA’s privacy and security regulations or other federal or state health information privacy and security laws.</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaa-encryption.com/HIPAA-Compliance/external-storage/encrypted-external-storage-hipaa-compliant-external-hard-drives/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>2009 HIPAA Regulations &#8211; Security and Privacy Measures</title>
		<link>http://hipaa-encryption.com/HIPAA-Compliance/phi-policies/2009-hipaa-regulations-security-and-privacy-measures/</link>
		<comments>http://hipaa-encryption.com/HIPAA-Compliance/phi-policies/2009-hipaa-regulations-security-and-privacy-measures/#comments</comments>
		<pubDate>Wed, 23 Sep 2009 14:50:08 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PHI Policies]]></category>
		<category><![CDATA[PHI Security]]></category>

		<guid isPermaLink="false">http://hipaa-encryption.com/HIPAA-Compliance/?p=10</guid>
		<description><![CDATA[Implementing the security and privacy measures called for by the HIPAA regulations. 2009 brings new challenges regarding information security and privacy regulations. This document was developed to help organizations that handle PHI address the HIPAA security and privacy regulations.]]></description>
			<content:encoded><![CDATA[<p>Most health care organizations are now actively interested in implementing the security and privacy measures called for by the HIPAA regulations and are wondering how to get started with this complex, long-lived, and expensive task. This document was developed to help organizations that handle PHI address the HIPAA security and privacy regulations.<br />
Awareness is important at all levels of the organization, but at the early stages it is most essential for middle and upper management. HIPAA planning cannot move forward in any substantial way until the stakeholders of the organization are actively engaged in creating plans and organizational approaches and developing cost estimates. HIPAA is a compliance issue; treat it as one.</p>
<p>It is important for everyone, especially senior managers, to understand that HIPAA is a regulatory compliance project rather than simply an IT initiative. Treating it as a compliance issue is much more likely to lead to the appropriate organization, attention level, and allocation of resources. Resources need to be in the budget cycle for the upcoming fiscal year in order to meet the aggressive timeline.</p>
<p>Standardize your Approach:<br />
Many of the security and privacy requirements can best be met by creating guidelines, principles, templates, and checklists that are then used consistently in each domain (e.g., system, department, division). This will save staff time by creating an efficient, consistent approach. Consistency will make the system more understandable to those who work across various domains and will make the approach more defensible to those with oversight roles (e.g., risk managers, external auditors, JCAHO).</p>
<p>Success Requires Cultural Change:<br />
To run a successful HIPAA-compliant operation, most organizations will have to go through a cultural change in how they manage privacy and security until the new methods become systematic and reflexive. Responses that are not common now will need to become so for a large percentage of the workforce. Many of the HIPAA requirements point up the need for this kind of “new common sense.” Widespread cultural change requires commitment and leadership across an organization.</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaa-encryption.com/HIPAA-Compliance/phi-policies/2009-hipaa-regulations-security-and-privacy-measures/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Secure USB Flash Drives</title>
		<link>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/secure-usb-flash-drives/</link>
		<comments>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/secure-usb-flash-drives/#comments</comments>
		<pubDate>Fri, 18 Sep 2009 01:15:37 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Digital Media Security]]></category>
		<category><![CDATA[FIPS Security Standards]]></category>
		<category><![CDATA[PHI Encryption]]></category>

		<guid isPermaLink="false">http://hipaa-encryption.com/HIPAA-Compliance/?p=3</guid>
		<description><![CDATA[Protected health care information (PHI) stored on a USB flash drive must be encrypted using cryptography validated under Federal Information Processing Standard Publication 140-2. Standard USB flash drives can be made compliant by adding encryption software.]]></description>
			<content:encoded><![CDATA[<p>Protected health care information (PHI) stored on a USB flash drive must be encrypted using cryptography validated under Federal Information Processing Standard Publication 140-2. Standard USB flash drives can be made compliant by adding encryption software.</p>
<p>Many flash drive manufacturers are now selling compliant devices. Most secure USB flash drives use some form of Advanced Encryption Standard (AES) encryption, either 128-bit or 256-bit. These levels are approved by the U.S. government for encrypting secret-level and top-secret-level documents and are HIPAA compliant. In practice, the security of a password-protected AES drive depends largely on the length and complexity of the password from which the key is derived. Most experts say a complex 16 to 20 character password is required.</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/secure-usb-flash-drives/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
