Welcome back to our series on HIPAA compliance in the healthcare industry. In this post, we set out to decode the labyrinthine standards laid out by the Department of Health and Human Services in the 1996 HIPAA, and the changes instituted by the HITECH Act of 2009, to help you establish your own HIPAA compliance checklist.
Prior to HITECH, healthcare providers faced very few penalties for failing to secure protected health information (PHI). The HITECH Act, however, gave those whose PHI had been compromised an avenue for recourse, and the Office for Civil Rights (OCR) has since levied more than $25 million in fines. As we have discussed earlier, ensuring your team is building HIPAA compliant software is tricky and requires knowledge and expertise to avoid HIPAA data breaches that will negatively impact your business. But there’s more to HIPAA than just finding the growth partner who can ensure your applications and infrastructure are secured against technological exposure. There are a number of safeguards and considerations you must have in place, according to the law, in order to secure ePHI.
This blog will explore the first two major categories – HIPAA technical safeguards and physical control requirements – that should be on every compliance checklist in order to avoid potential data breach threats.
HIPAA TECHNICAL SAFEGUARDS
The Department of Health and Human Services has written the HIPAA compliant software requirements in a manner that allows companies to approach these standards with methods that are flexible, scalable, and technologically neutral. Despite this built-in flexibility, security methods must meet the following standards:
1. Data access controls
Access to ePHI should be granted according to position and job function and only to those cleared to access the data in the system. There are four implementation specifications connected to the Access Controls standard:
- Unique User Identification (Required) – All users must be assigned a unique name/number to which their activity in the system is attached.
- Emergency Access Procedures (Required) – The system must include a method to access ePHI in the event of an emergency.
- Automatic Logoff (Addressable) – Electronic sessions must terminate after a predetermined period of inactivity.
- Encryption and Decryption (Addressable) – The system must be able to convert captured data into encoded text and decrypt the same data upon requests for retrieval.
2. Audit controls
The audit control part of the HIPAA technical safeguard requirements has no implementation specifications. However, HIPAA requires that a system for recording and examining captured activity data is in place for systems that contain or access PHI. It is up to the covered entity, based on its risk analysis and organizational factors, to establish appropriate audit standards.
- Best practices state that your system should log, track, and allow user review of any activity that uses PHI, and allow that data to be sorted by date, time, and user identity. This information should be reviewed regularly.
- Access to audit logs must be restricted to authorized individuals, such as your IT team’s security officer, as outlined under the access control standards.
3. Integrity
Integrity safeguard standards require HIPAA compliant software to include methods for verifying that data has not been altered or destroyed without proper authority. Data that is altered or destroyed improperly poses a danger to patients, regardless of intent. There is a single addressable implementation specification associated with the Integrity safeguard:
- Mechanism to Authenticate Electronic PHI – Through the use of deployed antivirus programs and the strict enforcement of access controls and audit procedures, you must have a system in place that ensures PHI has not been altered or destroyed in a way that violates HIPAA.
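As an added example (not code from the original post), here is one way to combine the audit control practices and the integrity mechanism described above: an append-only log of PHI activity in which every entry records the unique user identity, date/time, action and record, is chained to the previous entry with an HMAC so that alteration or deletion is detectable, and can only be reviewed (sorted by date/time or by user) by the security officer role. The key, role name and field layout are assumptions for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key; in practice held by the security officer, outside the app.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
SECURITY_OFFICER_ROLE = "security_officer"


class PhiAuditLog:
    """Append-only log of PHI activity. Each entry carries an HMAC over its
    fields plus the previous entry's tag, so edits or deletions are detectable."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries = []

    def _tag(self, entry: dict) -> str:
        fields = {k: v for k, v in entry.items() if k != "tag"}
        payload = json.dumps(fields, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, user_id: str, action: str, record_id: str, timestamp: str) -> None:
        """timestamp is an ISO 8601 UTC string, e.g. '2024-03-01T08:15:00Z'."""
        entry = {
            "user_id": user_id,          # unique user identification
            "action": action,            # e.g. view, update, export
            "record_id": record_id,
            "timestamp": timestamp,
            "prev_tag": self._entries[-1]["tag"] if self._entries else "",
        }
        entry["tag"] = self._tag(entry)
        self._entries.append(entry)

    def verify(self) -> bool:
        """Integrity mechanism: recompute every tag and check the chain links."""
        prev_tag = ""
        for entry in self._entries:
            if entry["prev_tag"] != prev_tag or not hmac.compare_digest(entry["tag"], self._tag(entry)):
                return False
            prev_tag = entry["tag"]
        return True

    def review(self, reviewer_role: str, sort_by: str = "timestamp") -> list:
        """Restricted to the security officer; sortable by date/time or user identity."""
        if reviewer_role != SECURITY_OFFICER_ROLE:
            raise PermissionError("audit log review is restricted to the security officer")
        if sort_by not in ("timestamp", "user_id"):
            raise ValueError("sort_by must be 'timestamp' or 'user_id'")
        return sorted(self._entries, key=lambda e: (e[sort_by], e["timestamp"]))
```

The log store itself still needs operating-system and access-control protection; the chain makes tampering visible on review, it does not prevent it.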
4. Person or entity authentication
This safeguard requires a covered entity to have procedures or systems in place to verify user identity and that users accessing PHI are authorized to do so. While there are no implementation specifications, entities should:
- Require authorized users to establish a PIN or password to access the system.
- Require the use of a physical item unique to the user (a smart card, token, or key) to access the system.
- Require biometric access verification through the use of fingerprints, voice patterns, facial features, or iris patterns.
5. Transmission security
One of the more challenging HIPAA compliant software requirements to meet, transmission security safeguards require systems to prevent unauthorized access to PHI during the information’s transmission across networks. Whether it’s through email, over the internet, or through a private or point-to-point network, there are two implementation specifications that must be met:
- Integrity Controls (Addressable) – You must include tests within the transmission security safeguards that ensure data remains intact and isn’t destroyed or modified without authorization.
  - This can be done through network protocols that ensure data received matches data sent, or through other data or message authentication codes.
- Encryption (Addressable) – The methods used to ensure HIPAA compliance under this implementation specification are the same as those listed above in the requirements for access control. Implementation of effective encryption protocols requires coordination between your organization’s IT department, your vendors, business associates, and trading partners to ensure parity across communications lines.
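As an added example (not from the original post), the transmission integrity control above implemented with a message authentication code: the sender tags each ePHI message with HMAC-SHA256 over a random nonce and the canonical body, and the receiver rejects any message whose tag does not verify or whose nonce it has already seen. The shared key, envelope format and function names are assumptions; this covers only the integrity control, so confidentiality still needs encryption on the transport (for example TLS).

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed shared key; in practice provisioned out of band to sender and receiver.
TRANSMIT_KEY = b"constructed-demo-transmission-key"


def _tag(key: bytes, nonce: str, body: str) -> str:
    """HMAC-SHA256 over nonce and body, so neither can be changed unnoticed."""
    return hmac.new(key, f"{nonce}|{body}".encode(), hashlib.sha256).hexdigest()


def send(payload: dict, key: bytes) -> dict:
    """Sender side: serialise the ePHI payload canonically, attach a random
    nonce and the tag computed over nonce and body."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    nonce = secrets.token_hex(16)
    return {"nonce": nonce, "body": body, "tag": _tag(key, nonce, body)}


class Receiver:
    """Receiver side: accepts a message only if the tag verifies and the nonce
    has not been seen before (rejects modified and replayed transmissions)."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen_nonces = set()

    def accept(self, msg: dict) -> Optional[dict]:
        expected = _tag(self._key, msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["tag"]):  # constant-time compare
            return None                                      # altered in transit
        if msg["nonce"] in self._seen_nonces:
            return None                                      # replayed message
        self._seen_nonces.add(msg["nonce"])
        return json.loads(msg["body"])
```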
HIPAA PHYSICAL SAFEGUARDS
The Health and Human Services safeguard standards also apply to the physical location of a system’s servers and hardware. The physical safeguards require procedures, measures, and policies to protect the physical location of systems that access PHI from hazards, both natural and those related to unauthorized access.
1. Facility access controls
HIPAA requires that physical access to your IT systems and the facility in which they are housed is limited to authorized staff. There are four implementation specifications that must be met:
- Contingency operations – Your organization is required to maintain PHI security, even while operating under contingency protocols during natural disasters or in the event of having to recover data due to hardware failure.
- Facility security plan – HIPAA compliance requirements state that your firm must maintain documentation that defines and outlines the safeguards in place to secure the facility and equipment. This can take a number of forms:
  - Private security guards
  - Personnel-based measures (ID badges for employees, visitor badges and escorts for non-employees)
  - Property controls (equipment tagged or engraved to identify that it’s owned by your organization)
  - Security measures such as signage marking restricted areas, surveillance cameras, and alarms
- Access Control and Validation Procedures – This specification is concerned with aligning the role and function of employees and visitors with the appropriate level of access.
- Maintenance Records – This specification requires the documentation of repairs and changes made to the physical security measures outlined within the Facility Security Plan.
2. Workstation use
HIPAA compliant software requires implementation of policies outlining the proper function, use, and location of workstations able to access PHI. These protocols can be folded into existing protocols outlining appropriate use of business terminals.
- This standard applies to both onsite and offsite workstations used by employees who work from home, in a satellite office, or from another facility.
- Methods of securing terminals could include:
  - Operating systems set up to secure user data between sessions, whether a workstation is designed for a single user or for multiple users
  - Privacy screens
  - Password-protected screensavers
  - Automatic workstation log-off
3. Workstation security
A successfully executed HIPAA compliance checklist includes safeguards that ensure the use of all workstations capable of accessing PHI is restricted to authorized users only.
- Reasonable and appropriate measures must be taken to secure workstations:
  - Require users to log into workstations
  - Require users to swipe a secure tag in order to use a terminal
  - Secure the terminal within a controlled-access room
4. Device and media controls
This standard has four implementation specifications requiring policies and procedures that establish the handling requirements for electronic media, which in this context refers to hard drives and other forms of digital memory and storage.
- Disposal (Required) – Electronic media must be made unusable and the data inaccessible upon disposal through methods such as degaussing or physically damaging the item beyond repair.
- Media re-use (Required) – Whether your organization has decided to repurpose all terminals, or your IT department uses storage devices multiple times, it’s vital that your IT department removes PHI from the devices.
- Accountability (Addressable) – Written documentation of actions taken to secure, relocate, or change devices and media. Portable workstations and storage devices pose a special challenge for your organization’s efforts to adhere to HIPAA, and should be a focus when establishing your policies.
- Data backup and storage (Addressable) – This specification establishes requirements allowing your firm to develop procedures for creating and maintaining copies of existing PHI records.
With this blog, we have shared with you an in-depth understanding of the HIPAA technical safeguards and physical control requirements needed for systems that access PHI. In the next blog on our HIPAA compliance checklist, we discuss the remaining two categories of HIPAA-established safeguards: Administrative Safeguards and Organizational Safeguards.