HIPAA from InfoSec Viewpoint
The Health Insurance Portability and Accountability Act (HIPAA) has four elements: the HIPAA Security Rule, the HIPAA Privacy Rule, the HIPAA Enforcement Rule, and the HIPAA Breach Notification Rule.
1. HIPAA Security Rule
The HIPAA Security Rule, like any other security standard, requires three types of controls: administrative, physical, and technical. HIPAA actually calls them safeguards, the same terminology used in PCI DSS (PCI uses both "control" and "safeguard").
As mentioned above, the HIPAA Security Rule has its own 3 parts:
- Technical Safeguards
- Physical Safeguards
- Administrative Safeguards
All three parts have their own implementation specifications. Some implementation specifications are required and must be implemented. Others are addressable: they must be implemented only if it is reasonable and appropriate to do so. In either case, your choice must be documented, as HHS says:
“for each addressable specification:
a. implement the addressable implementation specifications;
b. implement one or more alternative security measures to accomplish the same purpose;
c. not implement either an addressable implementation specification or an alternative. The covered entity’s choice must be documented.”
Bear in mind that addressable implementation specifications are not optional. If you are in doubt, you should implement them.
1.1. Technical Safeguards
The HIPAA technical safeguards are about the technologies you use to protect PHI (or ePHI) and to control access to it. The Security Rule does not require you to use any specific technology; HHS calls this being technology neutral.
HIPAA has five sub-sections under the technical safeguards section:
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security
You can find all of them in detail in one pdf file here.
If you need just a brief explanation of the standard, you can use the following list:
1.1. Access Control, Unique User Identification (required): Assign a unique name or number to identify and track each user.
1.2. Access Control, Emergency Access Procedure (required): Establish procedures for obtaining necessary ePHI during an emergency.
1.3. Access Control, Automatic Logoff (addressable): Implement a mechanism to terminate an electronic session after a pre-determined time of inactivity.
1.4. Access Control, Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
2.0. Audit Controls (required): Implement mechanisms to record and examine activity in information systems that contain or use ePHI.
3.0. Integrity, Mechanism to Authenticate ePHI (addressable): Implement mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
4.0. Person or Entity Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
5.1. Transmission Security, Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not modified until disposed of.
5.2. Transmission Security, Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.
1.2. Physical Safeguards
Physical safeguards are the controls that avoid, detect, counteract, or minimize security risks to physical property, computer systems, assets, and information such as ePHI.
HIPAA physical safeguards have four sections:
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls
Again you can summarize the safeguards into this short list:
1.1. Facility Access Controls, Contingency Operations (addressable): Establish procedures that allow facility access in support of restoration of lost data under the DRP and emergency mode operations plan in case of an emergency.
1.2. Facility Access Controls, Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
1.3. Facility Access Controls, Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
1.4. Facility Access Controls, Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).
2.0. Workstation Use (required): Implement policies/procedures to specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
3.0. Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
4.1. Device and Media Controls, Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
4.2. Device and Media Controls, Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
4.3. Device and Media Controls, Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
4.4. Device and Media Controls, Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.
1.3. Administrative Safeguards
Administrative controls are the process of developing policies and procedures and ensuring compliance with them. For HIPAA, you can define them as the set of policies and procedures that govern the conduct of the workforce and the security measures that protect ePHI.
The administrative safeguards of HIPAA form the longest list of the three and fall into nine categories. They are described in detail in a pdf file here.
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts and Other Arrangements
Again this is the summary of the administrative safeguards as a cheat-sheet:
1.1. Security Management Process, Risk Analysis (required): Perform and document a risk analysis of where PHI is used and stored, in order to determine all the ways that HIPAA could be violated.
1.2. Security Management Process, Risk Management (required): Implement sufficient measures to reduce these risks to an appropriate level.
1.3. Security Management Process, Sanction Policy (required): Implement sanction policies for employees who fail to comply.
1.4. Security Management Process, Information Systems Activity Reviews (required): Regularly review system activity, logs, audit trails, etc.
2.0. Assigned Security Responsibility, Officers (required): Designate HIPAA Security and Privacy Officers.
3.0. Workforce Security, Employee Oversight (addressable): Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees.
4.1. Information Access Management, Multiple Organizations (required): Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
4.2. Information Access Management, ePHI Access (addressable): Implement procedures for granting access to ePHI that document access to ePHI or to services and systems that grant access to ePHI.
5.1. Security Awareness and Training, Security Reminders (addressable): Periodically send updates and reminders about security and privacy policies to employees.
5.2. Security Awareness and Training, Protection Against Malware (addressable): Have procedures for guarding against, detecting, and reporting malicious software.
5.3. Security Awareness and Training, Login Monitoring (addressable): Institute monitoring of logins to systems and reporting of discrepancies.
5.4. Security Awareness and Training, Password Management (addressable): Ensure that there are procedures for creating, changing, and protecting passwords.
6.0. Security Incident Procedures, Response and Reporting (required): Identify, document, and respond to security incidents.
7.1. Contingency Plan, Contingency Plans (required): Ensure that there are accessible backups of ePHI and that there are procedures for restoring any lost data.
7.2. Contingency Plan, Contingency Plans Updates and Analysis (addressable): Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.
7.3. Contingency Plan, Emergency Mode (required): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.
8.0. Evaluations (required): Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.
9.0. Business Associate Agreements (required): Have special contracts with business partners who will have access to your PHI in order to ensure that they will be compliant.
For detailed information and a better understanding of the HIPAA Security Rule, consult NIST SP 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
2. HIPAA Privacy Rule
The HIPAA Privacy Rule regulates the use and disclosure of PHI held by Covered Entities. Covered entities under HIPAA are health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions. By law, the HIPAA Privacy Rule applies only to covered entities. However, most health care providers and health plans do not carry out all of their health care activities by themselves; they often use the services of other persons or businesses. HIPAA allows covered providers and health plans to disclose protected health information to these Business Associates if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the HIPAA Privacy Rule. A Business Associate is defined as a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
3. HIPAA Enforcement Rule
The HIPAA Enforcement Rule covers the money penalties for violating HIPAA rules and establishes procedures for investigations and hearings into HIPAA violations.
Frequent violations are listed on the HHS website as:
- Misuse and disclosures of PHI
- No protection in place of PHI
- Patient unable to access their health information
- Using or disclosing more than the minimum necessary protected health information
- No safeguards of ePHI
4. HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI. The rule requires the entities to notify HHS of any breach of unsecured PHI, and to notify the media and the public as well if the data breach affects more than 500 individuals.
You can view breaches affecting 500 or more patients here.