HIPAA - Transmission Security 164.312(e)(1)

Overview:
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.


Action Items:
1) Obtain and review policies and procedures related to transmission security controls. Evaluate the content relative to the specified criteria to determine that the technical security controls implemented guard against unauthorized access to ePHI transmitted over electronic communication networks. Elements to review may include but are not limited to: Identify the various methods, devices, and networks used to electronically transmit ePHI; The procedures to evaluate and select appropriate technical controls to secure ePHI transmitted across all of its devices and networks; Identify the technical security controls implemented to guard against unauthorized access to ePHI transmitted over electronic communication networks.
2) Obtain and review documentation demonstrating the implementation of technical security measures to protect electronic transmissions of EPHI. Evaluate the content in relation to the specified criteria to determine that the implemented technical security measures are sufficient to guard against unauthorized access to the electronically transmitted EPHI.


Related Documents:
1) Policies and procedures related to transmission security controls.
2) Documentation demonstrating the implementation of technical security measures to protect electronic transmissions of ePHI.


Additional Guidance:
In order to determine the technical security measures to implement to comply with this standard, covered entities must review the current methods used to transmit EPHI. For instance, is EPHI transmitted through email, over the Internet, or via some form of private or point-to-point network? Once the methods of transmission are reviewed, the covered entity must identify the available and appropriate means to protect EPHI as it is transmitted, select appropriate solutions, and document its decisions. The Security Rule allows for EPHI to be sent over an electronic open network as long as it is adequately protected.