HIPAA Security Rules
HIPAA security rules mandate that you have three types of controls in place: Technical safeguards, physical safeguards and administrative safeguards. Some controls will be “Required” while others will be “addressable”, addressable means that it must be implemented if reasonable and appropriate. I would recommend applying them if at all possible.
These are technology solutions that protect PHI. Here are the controls outlined by HSS.gov for this area of safeguards:
Access Control Standards
1. Unique User Identification (Required): This means having a way to identify a user and track that user’s activity when logged into an information system, you need to be able to hold users accountable for their actions.
2. Emergency Access Procedure (Required): You need to establish procedures for obtaining electronic PHI during an emergency. For example during natural disasters, power shortages or manmade disasters.
3. Automatic Logoff (Addressable): Electronic sessions should be terminated after a predetermined amount of inactivity. HIPAA doesn’t specify a time, but I would recommend 2-3 minutes for mobile devices and no more than 20 minutes for workstations.
4. Encryption and Decryption (Addressable): Implement encryption for PHI information.
Audit Control Standards
5. Record activity in your information systems (Required): You must implement hardware, software or procedural mechanisms to record and examine activity on systems that contain or use electronic PHI (ePHI). It’s advisable that these mechanisms produce audit reports.
6. Mechanism to protect PHI(Addressable): You should implement a mechanism to protect ePHI from improper alteration or destruction.
Person or Entity Authentication
7. Authentication (required): Implement procedures to verify that the entity trying to gain access to the ePHI is who they claim to be.
8. Integrity Control (addressable): Implement security measures to ensure the ePHI transmitted over your network is not improperly modified without detection until it is disposed of.
9. Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.
HIPAA Physical Security Safeguards
Physical Security refers to rules, guidelines and security devices that protect physical access to PHI or equipment holding PHI.
Facility Access Controls
1. Contingency Operations (Addressable): Establish procedures that allow facility access in support of restoration of lost data as part of a disaster recovery plan and emergency mode operations plan.
2. Facility Security Plan (Addressable): Implement policies and procedures to protect your facilities and equipment from unauthorized physical access, tampering and theft.
3. Access Control and Validation Procedures (Addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
4. Maintenance Records (Addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors and locks).
5. Workstation Policies(required): Create policies and procedures that specify the functions to be performed, the manner in which those functions are performed and the physical attributes of the surroundings of a workstation or class of workstations that contain ePHI.
6. Physical Safeguards (required): Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
Device and Media Controls
7. Disposal (Required): Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it was stored.
8. Media Secure Wipe before Re-Use (Required): Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
9. Accountability (Addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
10. Data Backup and Storage (Addressable): Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
Administrative safeguards are policies and rules that govern the conduct of the entity’s workforce and the use of security measures put in place to protect a company’s PHI. Administrative requirements comprise over half of HIPAA’s security requirements.
Security Management Process Standard
Risk Analysis (required): Perform and document a risk analysis to see where PHI is being used and stored in order to determine all the ways that HIPAA could be violated.
Risk Management (required): Implement sufficient measures to reduce these risks to an appropriate level.
Sanction Policy (required): Implement sanction policies for employees who fail to comply.
Information Systems Activity Reviews (required): Regularly review system activity, logs, audit trails, etc.
Assigned Security Responsibility Standard
5. Officers (Required) – Designate HIPAA Security and Privacy Officers.
Workforce Security Standard
6. Employee Oversight (addressable): Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee’s access to PHI ends with termination of employment.
Information Access Management Standard
7. Multiple Organizations (required): Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
8. ePHI Access (addressable): Implement procedures for granting access to ePHI. Document access to ePHI or to services and systems that grant access to ePHI.
Security Awareness and Training Standard
9. Security Reminders (addressable): Periodically send updates and reminders about security and privacy policies to employees.
10. Protection Against Malware (addressable): Have procedures for guarding against, detecting, and reporting malicious software (malware).
11. Login Monitoring (addressable): Implement monitoring of logins to systems and reporting of discrepancies such as multiple failed logins.
12. Password Management (addressable): Ensure that there are procedures for creating and protecting strong passwords. Employees should be required to change passwords periodically, ideally every 6 months.
Security Incident Procedures Standard
13. Response and Reporting (required): Identify, document, and respond to security incidents.
Contingency Plan Standard
14. Contingency Plans (required): Ensure that there are accessible backups of ePHI and that there are procedures for restoring any lost data.
15. Contingency Plans Updates and testing (addressable): Have procedures for periodic testing and revision of contingency plans. Assess the importance of specific applications and data in support of other contingency plan components.
16. Emergency Mode (required): Establish procedures to enable the continuation of critical business processes for protection of ePHI while operating in emergency mode.
17. Evaluations (required): Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.
Business Associate Programs Standard
18. Business Associate Agreements (required): Have special contracts with business partners who will have access to your PHI in order to ensure that they will be compliant. Ensure your partners have similar agreements with any of their partners to which they will be extending access.
HIPAA security rules mandate the proper controls required to protect consumer PHI information. It includes administrative controls which govern the conduct of the workforce. Technical controls, which refers to technologies that keep unauthorized individuals from accessing the information and physical controls that enforce physical access control to the systems holding the PHI.