The Health Insurance Portability and Accountability Act (HIPAA) contains regulations and requirements for the protection of health-related data. There are four rules that organisations need to meet to be compliant with the act. In this article, we will be looking at the HIPAA Security Rule.
The HIPAA security rule necessitates suitable administrative, physical, and technical safeguards to ensure the confidentiality, integrity and security of protected health information.
The HIPAA security rule is made up of three parts:
1. Technical safeguards
2. Physical safeguards
3. Administrative safeguards
Each part of the rule includes implementation specifications. Some of these implementation specifications are designated “required” and others “addressable.” Required implementation specifications must be implemented for compliance, while addressable implementation specifications only need to be implemented if it is reasonable and appropriate to do so; the decision either way must be documented. An addressable implementation specification is not optional: it must be implemented if the situation requires it. When in doubt, implement the addressable implementation specifications.
The technical safeguards concentrate on the technology that protects electronic protected health information and controls access to it. The Security Rule does not require the use of specific technologies; it was designed to be technology-neutral.
There are five standards listed under the technical safeguards section:
1. Access control
1.1. Unique user identification (required): assign a unique name and/or number for identifying and tracking user identity.
1.2. Emergency access procedure (required): establish (and implement as needed) processes for obtaining necessary electronic protected health information during an emergency.
1.3. Automatic logoff (addressable): implement electronic procedures that terminate an electronic session after a fixed period of inactivity.
1.4. Encryption and decryption (addressable): implement a solution to encrypt and decrypt electronic protected health information.
2. Audit controls (required): implement hardware, software, and/or procedural mechanisms that record and inspect activity in information systems that contain or use electronic protected health information.
3. Integrity – mechanism to authenticate electronic protected health information (addressable): implement electronic mechanisms to verify that electronic protected health information has not been changed or destroyed in an unauthorized manner.
4. Authentication (required): implement measures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
5. Transmission security
5.1. Integrity controls (addressable): implement security processes to make sure that electronically transmitted electronic protected health information is not inappropriately modified without detection until disposed of.
5.2. Encryption (addressable): implement a solution to encrypt electronic protected health information when appropriate.
Physical safeguards are a set of rules and guidelines that focus on the physical access to protected health information.
There are four standards in the physical safeguards section:
1. Facility access controls
1.1. Contingency operations (addressable): establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
1.2. Facility security plan (addressable): implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
1.3. Access control and validation procedures (addressable): implement procedures to control and authenticate a person’s access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision.
1.4. Maintenance records (addressable): implement policies and processes to document repairs and changes to the physical components of a facility which are related to security, for example, hardware, walls, doors and locks.
2. Workstation use (required): implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
3. Workstation security (required): implement physical safeguards for all workstations that access electronic protected health information, to restrict access to approved users.
4. Device and media controls
4.1. Disposal (required): implement policies and procedures to address the final disposal of electronic protected health information, and/or the hardware or electronic media on which it is stored.
4.2. Media re-use (required): implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
4.3. Accountability (addressable): maintain a record of the movements of hardware and electronic media and of any person responsible for them.
4.4. Data backup and storage (addressable): create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
The administrative safeguards are a collection of policies and processes that manage the conduct of personnel, and the security measures put in place to protect electronic protected health information.
The administrative components are critical when implementing a HIPAA compliance program. Organisations are required to appoint a privacy officer, complete a risk assessment annually, implement employee training, review policies and procedures, and execute business associate agreements with all partners who handle protected health information.
There are nine standards under the administrative safeguards section:
1. Security management process
1.1. Risk analysis (required): perform and document a risk analysis to identify where electronic protected health information is used and stored, in order to determine how HIPAA could be violated.
1.2. Risk management (required): implement appropriate measures to reduce these risks to a suitable level.
1.3. Sanction policy (required): implement sanction policies for personnel who fail to comply.
1.4. Information system activity review (required): regularly review system activity, logs and audit trails.
2. Assigned security responsibility – officers (required): designate HIPAA security and privacy officers.
3. Workforce security – employee oversight (addressable): implement procedures to authorize and supervise personnel who work with electronic protected health information, and for granting and removing employees’ access to electronic protected health information. Make sure that an employee’s access to electronic protected health information ends with termination of employment.
4. Information access management
4.1. Multiple organizations (required): ensure that electronic protected health information is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
4.2. Electronic protected health information access (addressable): implement documented procedures for granting access to electronic protected health information, or to the services and systems through which it is accessed.
5. Security awareness and training
5.1. Security reminders (addressable): periodically send updates and reminders about security and privacy policies to employees.
5.2. Protection against malware (addressable): have procedures for guarding against, detecting, and reporting malicious software.
5.3. Login monitoring (addressable): institute monitoring of logins to systems and reporting of discrepancies.
5.4. Password management (addressable): ensure that there are procedures for creating, changing, and protecting passwords.
6. Security incident procedures – response and reporting (required): identify, document, and respond to security incidents.
7. Contingency plan
7.1. Contingency plans (required): ensure that there are accessible backups of electronic protected health information and that there are procedures for restoring any lost data.
7.2. Contingency plan updates and analysis (addressable): have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.
7.3. Emergency mode (required): establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
8. Evaluations (required): perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.
9. Business associate agreements (required): have special contracts with business partners who will have access to your electronic protected health information in order to ensure that they will be compliant. Choose partners that have similar agreements with any of their partners to which they are also extending access.
Learn more about HIPAA compliance in the Cibecs HIPAA white paper.