Communications/network controls § .308(d)
(1) If an entity uses communications or network controls, its security standards
for technical security mechanisms must include the following:
(i) The following implementation features:
(A) Integrity controls (a security mechanism employed to ensure the validity of the
information being electronically transmitted or stored).
(B) Message authentication (ensuring, typically with a message authentication
code, that a message received (usually via a network) matches the message sent).
(ii) One of the following implementation features:
(A) Access controls (protection of sensitive communications transmissions over
open or private networks so that they cannot be easily intercepted and interpreted
by parties other than the intended recipient).
(2) If an entity uses network controls (to protect sensitive communication that is
transmitted electronically over open networks so that it cannot be easily
intercepted and interpreted by parties other than the intended recipient), its
technical security mechanisms must include all of the following implementation
(i) Alarm. (In communication systems, any device that can sense an abnormal
condition within the system and provide, either locally or remotely, a signal
indicating the presence of the abnormality. The signal may be in any desired form
ranging from a simple contact closure (or opening) to a time-phased automatic
shutdown and restart cycle.)
(ii) Audit trail (the data collected and potentially used to facilitate a security
(iii) Entity authentication (a communications or network mechanism to irrefutably
identify authorized users, programs, and processes and to deny access to
unauthorized users, programs, and processes).
(iv) Event reporting (a network message indicating operational irregularities in
physical elements of a network or a response to the occurrence of a significant
task, typically the completion of a request for information).
AMC Explanation of HIPAA Regulation
Covered entities that use external communication systems, such as the public switched telephone
system, or open networks, such as the Internet, are required to safeguard protected health
information that traverses them. The specified technical security services address network risks
of message interception and interpretation by parties other than the intended recipient.
Additionally, these services protect information systems from intruders attempting to exploit
external communication points such as Internet host systems and telephone switches. In addition
to the other listed precautions, some form of encryption is required when using open networks.