Healthcare organizations have become very acquainted with the HIPAA Privacy Rule over the last few years. Privacy officer appointments and employee training have become ubiquitous ever since the Omnibus Rule gave HIPAA some real power.
The Security Rule, though, does not seem to have reached the same level of familiarity. Yes, security officers are also being appointed and training curricula touch on security, but since much of it relates to the technical, back-end nature of systems, details of the Security Rule aren’t as well known throughout organizations.
This is unfortunate, as many of the everyday systems and tools employees use touch PHI, and so are affected by HIPAA and the Security Rule. And as more cloud-based tools are made available to automate and facilitate workflows, organizations could increasingly be putting themselves at risk.
Among the most relevant – but least understood – components of the security rule related to these systems are the technical safeguards. HHS breaks the technical safeguards down into five areas:
1. Access Control.
Who has access to information? Systems must be able to limit access to individuals that need specific information to perform their job. This is typically accomplished through role-based permission settings and other features that are common in cloud-based software: unique usernames, automatic logout, database encryption, etc.
2. Audit Controls.
Is access being monitored and stored? Organizations must have audit control capabilities to review activity of its users. If a breach is discovered, access controls can reveal who accessed what information, and when. HIPAA does not say what data and access must be gathered specifically, so companies must determine appropriate controls based on their own workflows and risk factors.
Can the data be altered or destroyed? This is a critic piece of the rule as the accuracy of health data is vital. Systems must protect data from intentional and accidental interference and disruption, and have mechanisms in place to confirm data validity.
4. Entity Authentication.
Can the identity of a person accessing information be confirmed? Access controls ensure separate logins have access only to specific data, and authentication certifies that the individuals are who they say they are. Verification is typically handled through passwords, but systems are starting to introduce more complex – and safe – methods. Two factor authentication and token-based authentication are becoming more and common.
5. Transmission Security.
Is data exposed when transmitted over an electronic network? HIPAA allows for data to be transmitted over an open network as long as it is protected. Security is achieved through integrity standard controls (e.g., network communication protocols) and data encryption. This safeguard element is probably the most overlooked and potentially exposed through the most commonly used professional communication method today: email. Unless emails are encrypted, they can be exposed to hackers during transit. Many people don’t realize this, and can send ePHI improperly over email.
On the surface, it probably seems like most of the systems we use these days meet these five criteria. What software doesn’t have unique usernames and complicated password requirements? Virtually all cloud-based tools claim some level of data security and integrity. But is it enough? You need to make sure you’re peeling back all the layers of the technical safeguards when evaluating a system’s HIPAA compliance. Remember, ignorance is not a valid excuse for a violation!