HIPAA Security Policy


Under the HIPAA Security Rule requirements, Oakland County shall implement and monitor an information management program to secure ePHI stored in systems. The County shall ensure the confidentiality, integrity, and availability of ePHI.

To execute the program under HIPAA, the County shall designate a HIPAA Security Officer. The IT compliance function will manage, monitor, and implement the requirements of the HIPAA Technology Compliance Program together with other Information Technology, Information Security, and respective business unit leadership. The Security Rule procedures will comprise the following:

  • Information Access Management
    • Workforce Clearance
    • Information Authorization and Authentication
  • Access Authorization and Management
    • Authorization and/or Supervision
    • Tracking and Logging
    • Workforce Termination
    • Emergency Access
    • Periodic Access Review
    • Authentication/Password Management
  • Information Protection
    • Workstation Security
    • System Integrity
  • IT Security Management
    • IT Document Management
    • Assigned Security Responsibility
    • Audit of Security Process
    • Risk Management
    • Information Incident Handling
    • Security Training and Awareness
  • Facility Access


NIST 800-37, Rev 1: Applying the Risk Management Framework

NIST 800-53, Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations

HIPAA Security Rule