To address the Security Management standard in the HIPAA Security Rule.
The Security Management standard requires that the Company implement policies and procedures to prevent, detect, contain, and correct security violations and related law. There are four implementation specifications in the security management process standard, all of which Company is required to implement: (i) risk analysis; (ii) risk management; (iii) sanction policy; and (iv) information system activity review.
The Company will implement a security management process, as further detailed below, as needed, depending on the circumstances and the environment, unless risks require immediate attention (for example, in case of a computer virus, patches should be applied immediately).
The Company will conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. In general, a risk analysis can be viewed as: the process of identifying potential security risks, and determining the probability of occurrence and magnitude of risks.
Risk management is the process used to identify and implement security measures sufficient to reduce risk to a reasonable and appropriate level within the entity based on the entity’s circumstances. Company will implement security measures sufficient to reduce risks and vulnerabilities with respect to ePHI to a reasonable and appropriate level.
The Company will: (1) comply with federal and state law with respect to breach notification, and (2) apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of a covered entity. Good faith reporting is not subject to sanctions, and the Company will not sanction a workforce member who, in good faith: (i) properly files a complaint; or (ii) opposes any unlawful act or practice, so long as the manner of opposition is reasonable and does not involve a disclosure of PHI.
The Company will implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports, to ensure that controls continue to be effective. The information system activity review enables the Company to determine if any ePHI is used or disclosed in an inappropriate manner.
The Security Official will ensure that information technology (IT) solutions are appropriate to the environment, including the sensitivity of the data, the Company’s overall security policies, procedures and standards, and other requirements (such as resources available for operation, maintenance, and training, such that the Company can: (i) ensure the confidentiality, integrity, and availability of all ePHI that Company creates, receives, maintains, or transmits; (ii) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; (iii) protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the HIPAA Privacy Rule; and (iv) ensure compliance with the HIPAA Security Rule by the Company’s workforce.
Workforce members and contractors are responsible for protecting electronic protected health information (“ePHI”) with their control from unauthorized access, modification, destruction, and disclosure, and are expected to comply with these policies and procedures. Those who have access to ePHI are expected to:
Use the Company’s data processing resources that contain ePHI only for appropriate purposes and consistent with their approved level of access and authorization.
Be aware of and use the Company’s security controls.
Comply with the Company’s security policies, procedures, and standards.
Immediately report any security violation to his/her supervisor and the Security Official.
Attend appropriate organizational security training and awareness programs.
The Security Official will complete a Risk Analysis as soon as possible, and thereafter at least annually. The Risk Analysis will include at least the following steps.
Identify compliance measures. The Security Official will conduct an inventory of ePHI systems and the security measures in place to protect those systems.
Map flow of ePHI within Company. This will include ePHI in all its forms, such as portable devices (e.g., computer laptops, PDAs, iPads, smartphones, and other portable electronic devices); external sources of ePHI (such as vendors or consultants that create, receive, maintain or transmit ePHI); or software programs and cloud storage.
Identify security threats. A threat is defined as a source, such as an employee, an invasion, or a natural disaster, that exploits a particular vulnerability and therefore results in risk. Threats to ePHI can include natural (e.g., floods, earthquakes, fires); human, unintentional (such as incorrect data entry) or intentional (such as theft or malicious software); or environmental (such as power failures, hazardous material spills, and depending on location, tornadoes and flooding). Identification of threats may require meetings or interviewing staff.
Identify potential vulnerabilities; likelihood of the risk; and impact of threats. Vulnerabilities are flaws or weaknesses in system security procedures, designs, and implementation or internal controls that could result in a security breach or a violation of the system’s security policy. Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines. Technical vulnerabilities may include: (i) holes, flaws, or weaknesses in the development of information systems; and (ii) incorrectly implemented and/or configured information systems. The assessments should identify current controls and system vulnerabilities to threats. An example of a technical vulnerability is the lack of anti- virus software.
The Security Official will classify risk likelihood as low, medium, or high, depending on: (1) motivation for the threat, and capability; (2) type of vulnerability; (3) existence and effectiveness of security controls. The Security Official will also classify the impact of threats as low, medium, or high. Through this classification, the Security Official will determine the overall risk to ePHI, and what corrective action should be taken for in light of overall risk.
Identify security measures and finalize documentation. Security Official will identify security measures that can be used to reduce risk to a reasonable and appropriate level. Any potential security measures that can be used to reduce risks to ePHI should be included in documentation.
Periodic review: The Security Official will review and update documented risk analysis, and maintain this analysis in a secure fashion.
Company’s Security Official will manage risk, including through the following:
Develop and implement a risk management plan. Key members of the Company’s workforce, including senior management and other key decision makers, need to be involved in this process. The risk prioritization and mitigation decisions will be determined by answering questions such as: (i) should certain risks be addressed immediately or in the future; and (ii) which security measures should be implemented?
An important component of the risk management plan is the plan for implementation of the selected security measures. The implementation component of the plan should address: (i) risks (threat and vulnerability combinations) being addressed; (ii) security measures selected to reduce the risks; and (iii) implementation project priorities, such as required resources, assigned responsibilities, start and completion dates, and maintenance requirements. In deciding which security measures to use, the Company will take into account the following factors: (i) the size, complexity, and capabilities of the Company; (ii) the Company’s technical infrastructure, hardware, and software security capabilities; (iii) the costs of security measures; and (iv) the probability and criticality of potential risks to ePHI.
Implement security measures. Once the risk management plan is developed, the Company’s Security Official must begin implementation of security measures (both technical and non-technical) within Company. The projects or activities to implement security measures should be performed in a manner similar to the Company’s other projects (i.e., these projects or activities should each have an identified scope, timeline, and budget).
Evaluate and maintain security measures. The Company’s Security Official will continue evaluating and monitoring the risk mitigation measures implemented, as needed to continue provision of reasonable and appropriate protection of ePHI. The Company’s Security Official is responsible on an ongoing basis for: (i) testing and validating security measures; (ii) identifying residual risk and ways to reduce it (or accept it); (iii) setting a time for future review of existing security measures and their effectiveness; (iv) documenting risk management efforts; and (v) reporting the results to the Company’s executive leadership. Company’s Security Official also will perform a risk analysis and risk management process in response to environmental or operational changes within the Company that affect the security of ePHI (e.g., new business operations or technologies are planned, or a security incident occurred).
Security Official will determine whether there has been a breach. If a person believes or suspects that there has been a violation of HIPAA or state law, or of the Company’s policies or procedures, or that a vendor, workforce member, business associate or anyone else has improperly used, accessed or disclosed PHI, or believes, suspects or knows that there has been an unauthorized acquisition, use, viewing, or disclosure of data that compromises the security, confidentially or integrity of PHI, that person must provide immediate notice to the Security Official.
All alleged violations, or reports of violations, of the policies and specifications, and the procedures established thereunder, will be investigated and, where appropriate, steps will be taken to remedy the situation.
The Security Official and legal counsel as appropriate, will conduct a prompt, timely, thorough and confidential investigation of allegations of known or suspected violations and breaches, to determine whether notice should be sent to the patient and /or the federal Department of Health and Human Services or the appropriate State office of and if so, what information is needed for effective, meaningful notification.
When the investigation has been completed and an action plan formulated, the Security Official will notify the complainant of the results of the investigation and any corrective action taken. All required notifications will be made without unreasonable delay and in no case later than 10 calendar days after discovery of the breach,
which means the day the breach first was or reasonably should have been known by Company, or as otherwise provided by more stringent state law.
Notice will comply with the legal requirements in 42 USC 17932 and any additional, updated regulations including those in 45 CFR 164.04 (notice to individuals), 164.06 (breaches involving more than 500 residents of a State or jurisdiction), 164.408 (notice to Secretary of HHS, for breaches involving 500 or more individuals and less than 500 individuals, respectively), and 164.10 (notification by business associates and subcontractors). Notice will comply with specific rules governing timeliness, content, and methods of notification, and, may be subject to law enforcement delay per 45 CFR 164.412. If the Company is a Business Associate, then, pursuant to 45 CFR 164.410, Business Associate shall, following the discovery of a breach of unsecured protected health information, notify the Covered Entity of such breach, and the timeliness and content of such notification shall comply with 45 CFR 164.410. Notice will also comply with all applicable state law requirements. Management will verify that individuals were notified within 60 days or the applicable state law requirement.
The Company will apply appropriate sanctions against the Company’s workforce members who fail to comply with the Company’s security policies and procedures. The Company workforce members found to have violated any such policies and policies will be disciplined in accordance with the Company’s human resources policies, up to and including termination of employment or other arrangement. The type of sanction will depend on the severity of the violation, including whether the violation was inadvertent, careless, intentional, malicious, etc. Sanctions become more severe for repeated infractions of the Company’s security policies and procedures. The Company may terminate the workforce member for the first violation of the Company’s security policies and procedures if the seriousness of the violation warrants such action. For less serious offenses, the Company may impose a lesser sanction, such as an oral warning, written warning, loss of access, suspension without pay, or demotion.
Good faith reporting is not subject to sanctions, and the Company will not sanction a workforce member for making disclosures in accordance with whistle-blower requirements under HIPAA; for properly filing a complaint; or for exercising other rights under HIPAA with respect to allegedly unlawful activity by the Company.
The Company will not retaliate against any person who files a complaint or reports a HIPAA violation. The Company will communicate this policy to the workforce and to patients. Any attempt to retaliate against a person for reporting a violation will itself be considered a violation of the policies and specifications and the procedures established thereunder, and may result in disciplinary action up to and including the termination of employment or contract. In no event will a workforce member be subject to sanctions by the Company for making disclosures as a crime victim, provided such disclosures are limited in accordance with law. The Company will create criteria to determine whether disclosure of PHI is due to whistleblowers or victims of a crime.
The Company will enforce sanctions for violations of federal and state privacy and security rules, such as violations including:
Failure to lock up protected health information (PHI) or follow other safeguard provisions
Inadvertently throwing papers containing PHI in regular garbage rather than shred
Looking up a neighbor’s address in database to send a birthday card
Telling friends about your irritating neighbor’s last operation or that he/she has HIV
Selling PHI for marketing purposes
The Security Official will utilize audit logs, access reports, and security incident reports, and will generate monthly reports of information system auditable events, such as: (i) failed authentication attempts; (ii) access of particularly designated ePHI; (iii) use of system administrator account; and (iv) security incidents.
The Security Official will immediately take action to investigate and, as necessary, resolve any abnormalities noted in such reviews, and report the results to executive leadership on at least a quarterly basis. The Company is expected to implement new practices as necessary to continually update and upgrade its Security Rule compliance.
To comply with HIPAA, by designating an individual who is in charge of developing, reviewing, implementing and updating the information security requirements for PHI under state and federal law.
The Company will “identify the security official who is responsible for the development and implementation of the policies and procedures” to protect PHI in accordance with federal and state law.
The Security Official is responsible for establishing and implementing information security policies and procedures to comply with HIPAA and applicable state law and amending them as necessary to comply with changes in the law and undertake such functions as are set forth in the job description below. The Security Official also is primarily responsible for all ongoing activities related to the availability, integrity and confidentiality of client, provider, employee, and business information in compliance with the Company’s security policies and procedures, HIPAA law and regulations and state law.
Responsibilities include:
Confirms that the Company is compliant with applicable federal, state, and local laws pertaining to the security of ePHI.
Confirms that ePHI is reasonably and appropriately protected and have reasonable and appropriate safeguards.
Develops, in association with the Company’s Privacy Official, security policies and procedures, and appropriate training.
Oversees implementation of an effective risk management program.
Coordinates the information security compliance activities.
Monitors compliance with the Company’s security policies and procedures among employees, contractors, business associates and other third parties and takes corrective action as necessary; manages information security incident response.
Monitors internal control systems to ensure that appropriate information access levels and security clearances are maintained.
Performs information security risk analysis and periodic information system activity reviews for information security processes.
Coordinates the development of the Company’s disaster recovery and business continuity plans for information systems, and tests readiness.
Serves as an internal information security consultant to the Company.
Monitors advancements in information security technologies.
Monitors changes in legislation and accreditation standards that affect information security.
Initiates, facilitates, and promotes activities to foster information security awareness within the Company.
Confirms that adequate physical security controls exist to protect ePHI.
Creates reports, as necessary, to inform Company management.
Although one individual must be designated as having overall responsibility for the aforementioned duties, other individuals at the Company may be assigned specific security responsibilities (e.g., facility security or network security) to other employees of the Company.
The Company’s CEO will designate in writing the Company’s Security Official, and may change such designation in the discretion of the Company’s CEO.
To comply with HIPAA Security Rule requirements concerning workforce security. The Company must implement policies and procedures to ensure that all members of its workforce (employees and contractors) have appropriate access to electronic protected health information, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic protected health information. The Company must provide only the minimum necessary access to ePHI that is required for a workforce member to do his or her job.
The Company’s workforce members that need access to ePHI to carry out their duties must be identified. For each workforce member, or job function, the Company needs to identify the ePHI that is needed, when it is needed, and make reasonable efforts to control access to the ePHI. This will also include identification of the computer systems and applications that provide access to the ePHI. The Company must provide only the minimum necessary access to ePHI that is required for a workforce member to do his or her job.
Within the workforce security standard, there are three addressable implementation specifications: (i) authorization and/or supervision; (ii) workforce clearance procedure; and (iii) termination procedures.
The purpose of the supervision implementation specification is to implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed—in other words, to ensure authorized employees have appropriate ePHI access and to restrict unauthorized persons from accessing ePHI. Some risks due to inappropriate authorization include: (i) improper access by an employee or unauthorized person; (ii) accidental deletion; and (iii) unauthorized modification.
Authorization is the process of determining whether a particular user (or a computer system) has the right to carry out a certain activity, such as reading a file or running a program. Supervision applies to employees, maintenance staff, vendors, and contractors working with ePHI or in areas where ePHI might be accessed. While it may be difficult to supervise maintenance staff, vendors, and contractors at all times, there should be procedures in place to ensure they are accountable for their actions.
Company will implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. In other words, the clearance process will establish procedures to verify that a workforce does in fact have the appropriate access for their job function. The need for and extent of a screening process will be based on other protective measures and an assessment of the risks, costs, benefits, and feasibility.
The Company must implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends.
Accordingly, the Company will terminate access to ePHI when a workforce member’s employment ends or when an employee’s duties change so that access to ePHI is no longer necessary. Termination of access includes:
Revoking passwords.
Retrieving card keys.
Closing all related accounts.
Requiring return of keys by the employee (or changing locks/reprogramming keypad locks in areas where ePHI is accessible).
Removing the employee from any access control lists.
Providing for physical escort of terminated employee from the premises if necessary.
Monitoring auditing features or accounts that access ePHI to determine if the terminated employee has engaged in any authorized or inappropriate activity.
Requiring the employee, as necessary, to document how they accessed certain files, programs, or systems they have originated or maintained.
Monitor to ensure that access to ePHI has been terminated in a timely manner.
To comply with the Information Access Management standard in the HIPAA Security Rule, by providing information about information access management. Restricting access to only those persons and entities with a need for access is a basic tenet of security.
The Company will control authorization of access to electronic protected health information. Managing information access is done by implementing the following specifications: (1) Isolating Health Care Clearinghouse Functions (Required); (2) Access Authorization (Addressable); (3) Access Establishment and Modification (Addressable).
The Company will: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. The Company will grant access to ePHI only to workforce members who require specific information to accomplish the work responsibilities of their position, and will be granted on a need-to-know basis.
The Company will: Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.
THE Company will use appropriate policies to determine the type and extent of authorized access to ePHI. Access to ePHI will be granted only to workforce members who require specific information to accomplish the work responsibilities of their position, and will be granted on a need-to-know basis. Access will be specified, documented, reviewed periodically, and revised as necessary. Access will not be granted until workforce members have been properly cleared in accordance with the appropriate policies and procedures. Workforce members who manage systems containing or transporting ePHI, as well as managers and supervisors of workforce members who use data, shall determine and authorize appropriate access to ePHI systems and document the process for authorizing such access.
The Security Official will define a process for determining access for differing roles, and for Content-based access filters access based on a particular transaction or content. Before granting access, appropriate authorization and clearance procedures must have been followed. When granting access, the Security Official will have a technical process in place, such as creating a unique user name and an authentication process for each individual.
Access authorization should be documented once established. The documentation should describe:
Identification of a staff member to be given access,
Areas to which a staff member is granted access,
Equipment the staff member is allowed to use,
Applications the staff member is allowed to use,
Data the staff member may access, and
Functions the staff member is allowed to perform The Security Official will:
Create and maintain an access control list.
Establish a regular review process to ensure staff access rights are current.
Modify access control lists to reflect terminations and job function changes.
If the Security Official determines that an access permission change is needed, the Security Official will consider the least amount of privilege needed, and separation of duties in making a determination. If a staff person’s duties, role, function, or responsibilities change, the access permissions of that person should be re- evaluated. All modifications and reasons for modification should be documented on the master access list.
To comply with the Security Awareness & Training standard in the HIPAA Security Rule. The Security Awareness & Training standard requires that the Company implement a security awareness and training program for all members of its workforce (including management).
The Company will conduct security training for all new and existing members of the covered entity’s workforce, and will conduct periodic retraining should be given whenever environmental or operational changes affect the security of ePHI. Changes may include: new or updated policies and procedures; new or upgraded software or hardware; new security technology; or even changes in the Security Rule.
The Security Awareness and Training standard has four addressable implementation specifications: (i) security reminders; (ii) protection from malicious software; (iii) log-in monitoring; and (iv) password management.
As reasonable and appropriate for an entity, the entity must implement: periodic security updates.
The Company must implement procedures for monitoring log-in attempts and reporting discrepancies. Typically, an inappropriate or attempted log-in is when someone enters multiple combinations of usernames and/or passwords to attempt to access an information system.
The Company will provide training and supporting reference materials to workforce members, as appropriate, to carry out their functions with respect to the security of ePHI. The method of delivery of such training shall be determined by the Security Official. The Company will maintain such records as it deems appropriate that confirm that a workforce member received training. The Company will also include security reminders per the operational specification below.
The Company will implement periodic security reminders, as reasonable and appropriate safeguard for Company. Examples of security reminders include: (i) notices in printed or electronic form; (ii) agenda items and specific discussion topics at regular meetings; (iii) focused reminders posted in affected areas; and (iv) formal retraining on the Company’s security policies and procedures. The Company’s Security Official will document the security reminders that the Company implements, which could include the type of reminder, its message, and the date it was implemented. In addition, Company will ensure that each member of the workforce signs an appropriate confidentiality agreement.
The Company will:
Contact its system vendor to determine how to implement log-in monitoring.
Train its workforce on how log-in monitoring, as appropriate.
The Company will implement procedures for creating, changing, and safeguarding passwords. The Company’s Security Official will train Company’s workforce and establish guidelines for creating passwords and changing them during periodic change cycles. The Company workforce members: (i) May not share their passwords with anyone else; (ii) Need to memorize their passwords; and (iii) Need to use common sense precautions, such as not writing passwords down and leaving them in areas that are visible or accessible to others.
To ensure that Protected Health Information (“PHI”) is appropriately safeguarded when it is sent or received via facsimile (fax) machine or software; and, to ensure the appropriate use of the email system when transmitting PHI.
It is the Company’s policy to protect the electronic transmission of PHI as well as to fulfill our duty to protect the confidentiality and integrity of resident PHI as required by law, professional ethics and accreditation requirements. The information released will be limited to the minimum necessary to meet the requestor’s needs. Whenever possible, de-identified information will be used.
E-mail users will be set up with a unique identity complete with unique password and file access controls. E- mail users may not intercept, disclose or assist in intercepting and disclosing e-mail communications.
Users will restrict their use of email for communicating normal business information such as information about general care and treatment of patients, operational and administrative matters, such as billing.
Users should verify the accuracy of the email address before sending any PHI and, if possible, use email addresses loaded in the system address book.
PHI may be sent within a properly secured, internal network of the Company. When sending PHI outside of this network, such as over the Internet, every effort should be made to secure the confidentiality and privacy of the information. Sample security measures include password protecting the document(s) being sent or encrypting the message.
All e-mail containing PHI will contain a confidentiality statement (see sample below).
Sample Confidentiality Statement
The information contained in this e-mail is legally privileged and confidential information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, or copy of this e-mail message is strictly prohibited. If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete this e-mail from your system. Thank you.
Users should exercise extreme caution when forwarding messages. Sensitive information, including resident information, must not be forwarded to any party outside the Company without using the same security safeguards as specified above.
Users should periodically purge e-mail messages that are no longer needed for business purposes, per the Company’s records retention policy.
Employee e-mail access privileges will be removed promptly following their departure from the Company.
Email messages, regardless of content, should not be considered absolutely secure and private. The amount of information in any email will be limited to the minimum necessary to meet the needs of the recipient.
Workforce members should immediately report any violations of this guideline to their supervisor or Privacy Official.
Workforce members may only text PHI through a secure text messaging platform approved by the Company. Other text messaging platforms or methods may not be used.
All messages that reference a patient should contain the patient reference number, as created by the Company.
Patient orders may not be communicated via text.
All data transmitted via the Company’s secure text messaging platform is the sole property of the Company. The Company has absolute right of access to all of the data sent via secure texting and may exercise its right whenever the Company deems it appropriate. The Company also may conduct audits of texted data.
Users of mobile devices are responsible for the physical security of these devices. If a mobile device is lost or stolen, the responsible workforce member must immediately notify the Security Official.
Users should never share logins, passwords, or other security measures for mobile devices.
Workforce members should immediately report any violations of this guideline to their supervisor or Privacy Official.
To comply with the Security Rule requirement that an entity: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
The Standard has two implementation specifications: (1) Integrity controls (Addressable); and (2) Encryption (Addressable).
The Company will implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
In order to determine the technical security measures to implement to comply with this standard, covered entities must review the current methods used to transmit ePHI. For instance, is ePHI transmitted through email, over the Internet, or via some form of private or point-to-point network? Once the methods of transmission are reviewed, the covered entity must identify the available and appropriate means to protect ePHI as it is transmitted, select appropriate solutions, and document its decisions. The Security Rule allows for ePHI to be sent over an electronic open network as long as it is adequately protected.
As reasonable and appropriate for the entity, the entity will: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
As reasonable and appropriate for the Company, the Company will: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
A primary method for protecting the integrity of ePHI being transmitted is through the use of network communications protocols. In general, these protocols, among other things, ensure that the data sent is the same as the data received. There are security measures that can provide integrity controls for ePHI being transmitted over an electronic communications network, such as data or message authentication codes, that the Company will consider. Accordingly, the Security Official will:
Identify scenarios that may result in modification to ePHI by unauthorized sources during transmission.
Identify what security measures are currently used to protect ePHI during transmission.
Identify what security measures can be implemented to protect ePHI during transmission.
Select appropriate solutions.
Document decisions.
Entities use open networks such as the Internet and e-mail systems differently. Currently no single interoperable encryption solution for communicating over open networks exists. Adopting a single industry- wide encryption standard in the Security Rule would likely have placed too high a financial and technical burden on many covered entities. The Security Rule allows entities the flexibility to determine when, with whom, and what method of encryption to use.
The Company will discuss reasonable and appropriate security measures for the encryption of ePHI during transmission over electronic communications networks with its IT professionals, vendors, business associates, and trading partners. The Company will consider the use of encryption for transmitting ePHI, particularly over the Internet. As business practices and technology change, situations may arise where ePHI being transmitted from the Company would be at significant risk of being accessed by unauthorized entities. Where risk analysis shows such risk to be significant, the entity must encrypt those transmissions under the addressable implementation specification for encryption.