Administrative safeguards are designed to manage the selection, development, implementation and maintenance of security measures across a work force. They require a risk-management assessment and mandatory sanctions against employees who do not comply with security rules. Enterprises also are required to identify an official responsible for developing and implementing security policies and procedures. This can be the same person who is responsible for privacy.
All users should have unique identifiers or login IDs to information systems and electronic PHI. This will enable access-control methods consistent with privacy rules. Under HIPAA, privacy rules will be the impetus to implement security standards in 2005.
You should restrict users' access to only that information they have a legitimate need to see. Ideally, the control mechanism should be based on individual users, but the rules also allow implementation features found in directory services, like NDS and Critical Path's Directory Server. They can include context-based and role-based as well as user-based access. For example, a context base could include a practice group, such as internal medicine or the emergency room, while a role base could specify doctor or nurse.
If context- or role-based access control is used, organizations will have to determine the appropriate contexts or job categories for their size and complexity. Organizations may allow medical staff full access to all patient records, for example, or limit them to only records for patients under their direct care. Access rules also require procedures to obtain patient information in an emergency as well as addressable specifications, including automatic logoff at workstations after a threshold of inactivity and encrypting user names and passwords.
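To make the user-, role- and context-based options above concrete, here is a small access-check routine written for this discussion. It is an added example, not code from the HIPAA rule or from any directory product named here; the users, practice groups and patient records are constructed sample data, and the policy choices (attendings read everything in their own practice group, doctors and nurses only their direct-care patients, any clinical user gets flagged emergency access) are assumptions an organization would set for itself.

```python
# Added example: role-, context- and user-based access decisions for PHI.
# All users, roles, practice groups and patients are constructed sample data;
# which roles get full access and which are limited to direct-care patients
# are assumed policy choices, not requirements of the rule.
from dataclasses import dataclass, field
from typing import List, Set

@dataclass(frozen=True)
class User:
    user_id: str   # unique login ID, as the rule requires
    role: str      # role base, e.g. "doctor", "nurse", "attending"
    context: str   # context base, e.g. "internal_medicine", "emergency_room"

@dataclass
class PatientRecord:
    patient_id: str
    context: str                                      # practice group treating the patient
    care_team: Set[str] = field(default_factory=set)  # user_ids with direct-care duties

# Assumed policy: attendings may read any record in their own practice group;
# doctors and nurses only records of patients under their direct care.
FULL_ACCESS_ROLES = {"attending"}
DIRECT_CARE_ROLES = {"doctor", "nurse"}
CLINICAL_ROLES = FULL_ACCESS_ROLES | DIRECT_CARE_ROLES

@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: str   # which rule produced the decision, recorded for the audit trail

def authorize(user: User, record: PatientRecord, emergency: bool = False) -> Decision:
    """Decide whether `user` may read `record`.

    The emergency flag models the required procedure for obtaining patient
    information in an emergency: any clinical user is allowed through, but the
    decision is labelled so every such access stands out during audit review.
    """
    if emergency and user.role in CLINICAL_ROLES:
        return Decision(True, "emergency-access")
    if user.role in FULL_ACCESS_ROLES and user.context == record.context:
        return Decision(True, "role+context:full-access")
    if user.role in DIRECT_CARE_ROLES and user.user_id in record.care_team:
        return Decision(True, "user:direct-care")
    return Decision(False, "deny:no-matching-rule")

def visible_records(user: User, records: List[PatientRecord],
                    emergency: bool = False) -> List[PatientRecord]:
    """Filter a record set down to what the user may see (the 'limit them to
    records for patients under their direct care' option from the text)."""
    return [r for r in records if authorize(user, r, emergency).allowed]

if __name__ == "__main__":
    nurse = User("u100", "nurse", "internal_medicine")
    attending = User("u200", "attending", "internal_medicine")
    records = [
        PatientRecord("p1", "internal_medicine", {"u100"}),
        PatientRecord("p2", "internal_medicine"),
        PatientRecord("p3", "emergency_room"),
    ]
    for u in (nurse, attending):
        print(u.user_id, [r.patient_id for r in visible_records(u, records)])
```

The `rule` field on each decision is there deliberately: writing it into the audit log alongside the user ID and record makes emergency-mode reads and cross-context reads trivial to pull out later.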
Organizations must maintain audit trails that log all access to system information. In conjunction with logins, information-system monitors must record and examine activity in systems that contain electronic PHI. All log data should be in a form that can be retrieved and reviewed easily and should include the date and time of the access, as well as the information or record accessed and the user ID under which access occurred. This will most likely involve the aggregation of logs for system access and application access to specific data. In addition, audit logs should be reviewed regularly for discrepancies and in response to requests from individual patients.
Companies must regularly review records of system activity. This includes audit logs, access reports and, where applicable, security incident tracking reports. If you use this information for bed-time reading, you most likely won't get a lot of sleep; this is a lot of data. Again, products that aggregate, search and archive logs from numerous sources can help. If you transfer information via e-mail, an e-mail archiving system will give you a messaging life-cycle solution. But you also must consider the addressable rules for PHI in transit and in storage.
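The two preceding paragraphs describe an aggregation job: pull system-access and application-access logs into one timeline carrying date and time, user ID and record accessed, answer a patient's request for who looked at their record, and flag discrepancies. The Python below is an added example of that job, not code from any log-management product; both log formats and every line in them are constructed for the example, and the one discrepancy rule it applies (an application read by a user with no open system session) is an assumption chosen to show the cross-log check, not the only rule a reviewer would run.

```python
# Added example: aggregate two constructed audit-log streams into one timeline,
# answer a patient-history request, and flag reads with no open login session.
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample logs (not from any real system).
SYSTEM_LOG = """\
2004-11-03T08:02:11 LOGIN user=u100 host=ws-14
2004-11-03T08:10:05 LOGIN user=u205 host=ws-02
2004-11-03T17:31:00 LOGOFF user=u100 host=ws-14
"""

APP_LOG = """\
2004-11-03 08:05:40 | u100 | READ | patient=p1 | rec=lab-2231
2004-11-03 08:06:12 | u100 | READ | patient=p2 | rec=visit-8871
2004-11-03 09:14:03 | u333 | READ | patient=p1 | rec=lab-2231
2004-11-03 18:02:55 | u100 | READ | patient=p1 | rec=rx-0042
"""

@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user_id: str
    action: str                       # LOGIN, LOGOFF, READ
    source: str                       # "system" or "application"
    patient_id: Optional[str] = None
    record_id: Optional[str] = None

SYS_RE = re.compile(r"^(\S+) (LOGIN|LOGOFF) user=(\S+) host=(\S+)$")
APP_RE = re.compile(r"^(\S+ \S+) \| (\S+) \| (\S+) \| patient=(\S+) \| rec=(\S+)$")

def parse_system_log(text: str) -> List[AuditEvent]:
    events = []
    for line in text.splitlines():
        m = SYS_RE.match(line)
        if not m:
            continue  # unparseable lines would be reported in a real review
        ts, action, user, _host = m.groups()
        events.append(AuditEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                                 user, action, "system"))
    return events

def parse_app_log(text: str) -> List[AuditEvent]:
    events = []
    for line in text.splitlines():
        m = APP_RE.match(line)
        if not m:
            continue
        ts, user, action, patient, rec = m.groups()
        events.append(AuditEvent(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                                 user, action, "application", patient, rec))
    return events

def aggregate(*streams: List[AuditEvent]) -> List[AuditEvent]:
    """Merge streams into one timeline ordered by date and time."""
    return sorted((e for s in streams for e in s), key=lambda e: e.when)

def access_history(events: List[AuditEvent], patient_id: str) -> List[AuditEvent]:
    """Everything retrievable for one patient's request: who read which record, and when."""
    return [e for e in events if e.source == "application" and e.patient_id == patient_id]

def find_discrepancies(events: List[AuditEvent]) -> List[AuditEvent]:
    """Assumed review rule: an application read is suspect when the user had
    no open system session at that moment (never logged in, or already logged off)."""
    open_sessions = set()
    issues = []
    for e in events:  # expects the aggregated, time-ordered list
        if e.action == "LOGIN":
            open_sessions.add(e.user_id)
        elif e.action == "LOGOFF":
            open_sessions.discard(e.user_id)
        elif e.source == "application" and e.user_id not in open_sessions:
            issues.append(e)
    return issues

def review(system_log: str = SYSTEM_LOG, app_log: str = APP_LOG) -> List[AuditEvent]:
    return find_discrepancies(aggregate(parse_system_log(system_log), parse_app_log(app_log)))

if __name__ == "__main__":
    timeline = aggregate(parse_system_log(SYSTEM_LOG), parse_app_log(APP_LOG))
    for e in access_history(timeline, "p1"):
        print(e.when, e.user_id, e.record_id)
    for e in find_discrepancies(timeline):
        print("DISCREPANCY:", e.when, e.user_id, e.patient_id, e.record_id)
```

On the sample data the review flags two reads: one by a user ID that never logged in, and one by a user who read a prescription record after logging off. Both are exactly the kind of item the reviewer follows up rather than explains away.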
The rules of the road for PHI in electronic media and messages include specifications for encryption and integrity controls. These ensure that PHI is not modified without detection while in transit or storage. Protect sensitive information when transmitting it over external networks, like the Internet, where it can be easily intercepted and viewed by someone other than the intended recipient. To accomplish this, transmit PHI using one of several available encryption schemes. If you cannot meet the requirement, you should transmit electronic PHI only over secure, dedicated lines or limit its transmission to fax or voice telephone.
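The integrity-control half of the requirement above (PHI not modified without detection while in transit or storage) can be shown with nothing beyond Python's standard library, so here is an added example of that half; it is not code from the rule or from any product, and the shared key and the sample message are constructed placeholders. It uses HMAC-SHA256 only; confidentiality would still need encryption from a proper library, which the standard library does not provide, so this block is deliberately the integrity check and not an encryption scheme.

```python
# Added example: integrity control for a PHI message using HMAC-SHA256.
# The key below is a constructed placeholder; a real deployment would
# establish it out of band and would also encrypt the body.
import hashlib
import hmac
import json
from base64 import b64decode, b64encode
from typing import Dict

def seal(phi: bytes, key: bytes) -> Dict[str, str]:
    """Wrap a PHI message in an envelope carrying a keyed integrity tag."""
    tag = hmac.new(key, phi, hashlib.sha256).hexdigest()
    return {"alg": "HMAC-SHA256", "body": b64encode(phi).decode("ascii"), "tag": tag}

def is_intact(envelope: Dict[str, str], key: bytes) -> bool:
    """True only if body and tag still match under the shared key."""
    if envelope.get("alg") != "HMAC-SHA256":
        return False
    body = b64decode(envelope["body"])
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    return hmac.compare_digest(expected, envelope.get("tag", ""))

def open_sealed(envelope: Dict[str, str], key: bytes) -> bytes:
    """Return the PHI body, or refuse it if modification is detected."""
    if not is_intact(envelope, key):
        raise ValueError("integrity check failed: PHI modified in transit or storage")
    return b64decode(envelope["body"])

if __name__ == "__main__":
    key = b"constructed-placeholder-key-32by"          # 32 bytes, placeholder only
    record = b'{"patient":"p1","rx":"example drug 10mg"}'  # constructed sample PHI
    wire = json.dumps(seal(record, key))               # what would be stored or sent
    print(open_sealed(json.loads(wire), key))
    tampered = json.loads(wire)
    tampered["body"] = b64encode(record.replace(b"10mg", b"100mg")).decode("ascii")
    print("tampered copy intact?", is_intact(tampered, key))
```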
But security for PHI does not end at the phone jack or the data closet. Organizations must meet certain physical security standards, too, defined as policies and procedures to protect electronic information systems, buildings and equipment from natural and environmental hazards as well as would-be attackers. Computer output devices, such as printers, monitors, fax output trays and even audio if someone were using voice-transcription software, should be placed where they cannot be viewed or accessed by unauthorized users. In addition, procedures should be established for paper output of medical records and any documents that are not incorporated into the patient's record, for example, a prescription or bill. Physical security also includes disaster-recovery plans for backup and recovery strategies and contingency plans to access patient information in an emergency.
In addition to backup and recovery, an entity needs a contingency plan establishing policies and procedures to respond to an emergency, whether natural or man-made, like fire, vandalism or system failure. This requires the entity to enable an emergency mode of operation that continues critical business processes and their security protections following a catastrophe. Although a primary insurer, like Lloyd's of London, can protect your investment and even insure you from financial loss due to downtime, it cannot ensure access to records to provide primary health-care or other medical services. The rules require you to test the mechanics of backup, recovery and your emergency mode operations at least once a year.
HIPAA also calls for a security incident and response procedure. Enterprises must identify, respond to and mitigate suspected or known security incidents and must also document security incidents and their outcomes. But these rules fall short of GLBA's requirement to report incidents to a central authority, and HIPAA does not require an entity to notify users when their patient records are accessed without authority.