<Li> Policies are required to address proper workstation use. Workstations should be removed from high-traffic areas, and monitor screens should not be in direct view of the public. </Li>
<Li> If covered entities utilize contractors or agents, they too must be fully trained on their physical access responsibilities. </Li>
<Li> Technical Safeguards--controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.
<Ul>
<Li> Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional. </Li>
<Li> Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner. </Li>
<Li> Data corroboration, including the use of checksums, double-keying, message authentication codes, and digital signatures, may be used to ensure data integrity. </Li>
<Li> Covered entities must also authenticate the entities with which they communicate. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include password systems, two- or three-way handshakes, telephone callback, and token systems. </Li>
<Li> Covered entities must make documentation of their HIPAA practices available to the government to determine compliance. </Li>
<Li> In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network, because these components are complex, configurable, and constantly changing. </Li>
<Li> Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act. (The requirement of risk analysis and risk management implies that the act's security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes.) </Li>
</Ul>
</Li>
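The data corroboration item above lists checksums, message authentication codes, and digital signatures together, but they do not give the same protection against the "changed in an unauthorized manner" case the rule is concerned with. The following is an added example (not code from the original page) in Python, using only the standard library, that shows the difference: a plain CRC-32 checksum catches accidental corruption but is trivially recomputed by anyone who can alter the record, whereas an HMAC-SHA256 tag cannot be recomputed without the key. The PHI record, the field names, the tampering step, and the key are all constructed for illustration; a real deployment would draw the key from a key-management system, never from source code.

```python
"""Integrity corroboration for a PHI record: checksum vs. keyed MAC.

Added example, not part of the original page. The record, the key and the
attacker's edit are constructed for illustration. The point: a checksum
detects accidental corruption only; a message authentication code (HMAC)
detects both accidental corruption and deliberate, unauthorized modification,
as long as the verifier's key is withheld from the party that can alter data.
"""
import hashlib
import hmac
import zlib

# Constructed sample PHI record (not real data).
RECORD = b"patient_id=000123;dob=1970-01-01;rx=lisinopril 10mg;allergies=penicillin"

# Constructed secret shared by the writer and the verifier (assumption: in
# practice this comes from a key-management system, not from source code).
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def checksum(data: bytes) -> int:
    """CRC-32 checksum: keyless, so it guards against accidental corruption only."""
    return zlib.crc32(data) & 0xFFFFFFFF


def mac(data: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 tag: requires the key, so it guards against deliberate changes."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verifier_accepts_checksum(data: bytes, stored_sum: int) -> bool:
    """What a checksum-only integrity check can decide."""
    return checksum(data) == stored_sum


def verifier_accepts_mac(data: bytes, tag: bytes, key: bytes) -> bool:
    """HMAC check; compare_digest avoids leaking tag bytes through timing."""
    return hmac.compare_digest(mac(data, key), tag)


def corrupt_one_bit(data: bytes) -> bytes:
    """Accidental corruption: a single flipped bit (constructed fault)."""
    buf = bytearray(data)
    buf[10] ^= 0x01
    return bytes(buf)


def tamper(record: bytes) -> bytes:
    """Deliberate modification: the attacker rewrites the prescription dose."""
    return record.replace(b"rx=lisinopril 10mg", b"rx=lisinopril 100mg")


def attacker_forge_with_checksum(record: bytes) -> tuple[bytes, int]:
    """Attacker edits the record and recomputes the checksum; no secret needed."""
    forged = tamper(record)
    return forged, checksum(forged)


def attacker_forge_with_mac(record: bytes, old_tag: bytes) -> tuple[bytes, bytes]:
    """Without the key the attacker's best option is to reuse the old tag."""
    return tamper(record), old_tag


if __name__ == "__main__":
    tag = mac(RECORD, INTEGRITY_KEY)
    forged, forged_sum = attacker_forge_with_checksum(RECORD)
    forged2, reused_tag = attacker_forge_with_mac(RECORD, tag)
    print("checksum, bit flip detected:", not verifier_accepts_checksum(corrupt_one_bit(RECORD), checksum(RECORD)))
    print("checksum, tampering detected:", not verifier_accepts_checksum(forged, forged_sum))
    print("HMAC, bit flip detected:    ", not verifier_accepts_mac(corrupt_one_bit(RECORD), tag, INTEGRITY_KEY))
    print("HMAC, tampering detected:   ", not verifier_accepts_mac(forged2, reused_tag, INTEGRITY_KEY))
```

Run stand-alone, the script reports that both mechanisms detect the bit flip but only the HMAC detects the tampered prescription. A digital signature (the other mechanism the list names) gives the same tamper detection with an asymmetric key pair, and additionally lets a third party verify who produced the record, which an HMAC cannot do because both sides hold the same key.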

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)