HIPAA from InfoSec Viewpoint

Health Insurance Portability and Accountability Act, HIPAA, has 4 elements: HIPAA Security Rule, HIPAA Privacy Rule, HIPAA Enforcement Rule, and HIPAA Breach Notification Rule

1. HIPAA Security Rule

As mentioned above, the HIPAA Security Rule has its own 3 parts:

  • Technical Safeguards
  • Physical Safeguards
  • Administrative Safeguards

All these three parts have their implementation specifications. Some of those implementation specifications are required which must be implemented. Some of them are addressable. Addressable ones must be implemented only if it is reasonable and appropriate to do so. In either cases, your choice must be documented as HHS says:

“for each addressable specification:
a. implement the addressable implementation specifications;
b. implement one or more alternative security measures to accomplish the same purpose;
c. not implement either an addressable implementation specification or an alternative. The covered entity’s choice must be documented.”

Bear in mind that addressable implementation specifications are not optional. If you are in doubt, you should implement them.

1.1. Technical Safeguards

HIPAA has five different sub-sections under the technical safeguards section:

  1. Access Control
  2. Audit Controls
  3. Integrity
  4. Person or Entity Authentication
  5. Transmission Security

You can find all of them in detail in one pdf file here.

If you need just a brief explanation of the standard, you can use the following list:

1.1. Access Control, Unique User Identification (required): A unique name or number is needed to identify and/or track the users.

1.2. Access Control, Emergency Access Procedure (required): Establish procedures for obtaining necessary ePHI during an emergency.

1.3. Access Control, Automatic Logoff (addressable): Implement a mechanism to terminate an electronic session after a pre-determined time of inactivity.

1.4. Access Control, Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.

2.0. Audit Controls (required): Implement mechanisms to record and examine activity in information systems that contain or use ePHI.

3.0. Integrity, Mechanism to Authenticate ePHI (addressable): Implement mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

4.0. Person or Entity Authentication (required): Implement procedures to verify that an object seeking access to ePHI is the one claimed.

5.1. Transmission Security, Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not modified until disposed of.

5.2. Transmission Security, Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.

1.2. Physical Safeguards

HIPAA Physical Safeguards has 4 sections:

  1. Facility Access Controls
  2. Workstation Use
  3. Workstation Security
  4. Device and Media Controls

Again you can summarize the safeguards into this short list:

1.1. Facility Access Controls, Contingency Operations (addressable): Establish procedures that allow facility access in support of restoration of lost data under the DRP and emergency mode operations plan in case of an emergency.

1.2. Facility Access Controls, Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

1.3. Facility Access Controls, Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

1.4. Facility Access Controls, Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).

2.0. Workstation Use (required): Implement policies/procedures to specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.

3.0. Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.

4.1. Device and Media Controls, Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.

4.2. Device and Media Controls, Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.

4.3. Device and Media Controls, Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

4.4. Device and Media Controls, Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.

1.3. Administrative Safeguards

Administrative controls of HiPAA has the longest list among the others and fall into 9 categories. They are described here in a pdf file.

  1. Security Management Process
  2. Assigned Security Responsibility
  3. Workforce Security
  4. Information Access Management
  5. Security Awareness and Training
  6. Security Incident Procedures
  7. Contingency Plan
  8. Evaluation
  9. Business Associate Contracts and Other Arrangements

Again this is the summary of the administrative safeguards as a cheat-sheet:

1.1. Security Management Process, Risk Analysis (required): Perform and document a risk analysis to see if PHI is being used and stored in order to determine all the ways that HIPAA could be violated.

1.2. Security Management Process, Risk Management (required): Implement sufficient measures to reduce these risks to an appropriate level.

1.3. Security Management Process, Sanction Policy (required): Implement sanction policies for employees who fail to comply.

1.4. Security Management Process, Information Systems Activity Reviews (required): Regularly review system activity, logs, audit trails, etc.

2.0. Assigned Security Responsibility, Officers (required): Designate HIPAA Security and Privacy Officers.

3.0. Workforce Security, Employee Oversight (addressable): Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees.

4.1. Information Access Management, Multiple Organizations (required): Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.

4.2. Information Access Management, ePHI Access (addressable): Implement procedures for granting access to ePHI that document access to ePHI or to services and systems that grant access to ePHI.

5.1. Security Awareness and Training, Security Reminders (addressable): Periodically send updates and reminders about security and privacy policies to employees.

5.2. Security Awareness and Training, Protection Against Malware (addressable): Have procedures for guarding against, detecting, and reporting malicious software.

5.3. Security Awareness and Training, Login Monitoring (addressable): Institute monitoring of logins to systems and reporting of discrepancies.

5.4. Security Awareness and Training, Password Management (addressable): Ensure that there are procedures for creating, changing, and protecting passwords.

6.0. Security Incident Procedures, Response and Reporting (required): Identify, document, and respond to security incidents.

7.1. Contingency Plan, Contingency Plans (required): Ensure that there are accessible backups of ePHI and that there are procedures for restore any lost data.

7.2. Contingency Plan, Contingency Plans Updates and Analysis (addressable): Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.

7.3. Contingency Plan, Emergency Mode (required): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.

8.0. Evaluations (required): Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.

9.0. Business Associate Agreements (required): Have special contracts with business partners who will have access to your PHI in order to ensure that they will be compliant.

For detailed information and better understanding of HIPAA security rule, consult NIST SP 800–66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

2. HIPAA Privacy Rule

3. HIPAA Enforcement Rule

Frequent violations are listed on HHS website as:

  1. Misuse and disclosures of PHI
  2. No protection in place of PHI
  3. Patient unable to access their health information
  4. Using or disclosing more than the minimum necessary protected health information
  5. No safeguards of ePHI

4. HIPAA Breach Notification Rule

You can view breaches affecting 500 or more patients here.

Information Security Expert, Cyber Security Engineer, Blogger, Mentor, PCI SME, CISM, CISA, CRISC, RHCSA, MCSE, CCNA, MBA, PMP, CLSSGB