Generally, companies should ensure the confidentiality, integrity, and availability of all electronic Personal Health Information (e-PHI). They must identify and protect against reasonably anticipated threats to the security of the information, they must protect against reasonably anticipated impermissible uses,  and they must ensure compliance by their workforce. 

HHS, who governs HIPAA, understands that companies range from small to large businesses, and therefore can identify what solutions are appropriate for their company, however, some recommended processes, procedures, and controls to implement are:

• Regular risk analyses to:
  • Evaluate the likelihood and impacT of potential risks to e-PHI. 
  • Implement appropriate security measures to address the risks identified.
  • Document the chosen security measures and, where required, the rationale for adopting those measures
  • Maintain continuous, reasonable, and appropriate security protections.
• Designate a security official who is responsible for developing and implementing its security policies and procedures.
• Policies and procedures for authorizing access to e-PHI only when appropriate based on the user or the recipient’s role.
• Provide appropriate training, authorization, supervision, and discipline of workforce who work with e-PHI.
• Limit physical access to facilities while ensuring authorized access is allowed.
• Policies and procedures to specify proper access, use, transfer, and disposal of workstations and electronic media.
• Technical policies and procedures that allow only authorized personnel to access e-PHI.
• Hardware, software, and/or procedural mechanisms to record and examine access and other activity to systems that contain e-PHI.
• Processes and procedures to ensure e-PHI is not improperly altered or destroyed.
• Technical security measures to guard against unauthorized access to e-PHI.