HIPAA Privacy and Security Rules Audit Checklist

Two rules were published in the Federal Register by the Department of Health and Human Services after HIPAA was passed: the HIPAA Privacy Rule in December 2000 and the HIPAA Security Rule in February 2003.
The HIPAA Privacy Rule is focused mostly on administrative controls designed to protect patient privacy, such as securing or masking medical charts, locking file cabinets, and establishing privacy policies. Compliance with the HIPAA Privacy Rule was required beginning April 2003.
The HIPAA Security Rule is focused on technical controls such as network perimeter protection, encryption, and workstation security. The HIPAA Security Rule is broken out into high-level standards and the implementation specifications that support each standard. Implementation specifications are either required (mandatory) or addressable. An addressable specification is not optional: the organization must implement it if it is reasonable and appropriate, and otherwise must document why it is not and implement an equivalent alternative measure where reasonable. Table 14-1 in the source cited below outlines the implementation specifications of the HIPAA Security Rule; the implementation specifications marked (R) are required and those marked (A) are addressable. Organizations were given until April 2005 to comply with the HIPAA Security Rule.
Source: IT Auditing: Using Controls to Protect Information Assets, by Chris Davis, 2007
CompliancesForum provides free templates, checklists, and updates for your regulatory compliance needs: Basel II Accord, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act (SOX)