Welcome to Part II of this series regarding the HIPAA Security Rule. As a reminder, the HIPAA Security Rule groups its safeguards into three categories – Physical Safeguards, Technical Safeguards, and Administrative Safeguards. In this post, we will discuss the specific standards surrounding HIPAA Technical Safeguards, or section 164.312 of the HIPAA Security Rule.
The HIPAA Security Rule defines Technical Safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information (ePHI) and control access to it”. Essentially, these safeguards set out how access to ePHI is controlled and how the information itself is protected.
Technical Safeguards can be broken down into the following standards:
- Access Control: This standard requires a covered entity to implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights. The Access Control standard is broken down into four implementation specifications:
- Unique User Identification
- Emergency Access Procedure
- Automatic Logoff
- Encryption and Decryption
Together, these specifications ensure that only the correct person is logging on to an electronic device and accessing information on that device in an appropriate manner. Two of them (Unique User Identification and Emergency Access Procedure) are required; the other two (Automatic Logoff and Encryption and Decryption) are addressable, meaning the covered entity must implement them where reasonable and appropriate, or document why an equivalent alternative measure was chosen instead.
- Audit Controls: Under this standard, covered entities must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. With these controls in place, a covered entity can review activity in its information systems and determine whether any security violations have taken place, and by whom.
- Integrity: The Integrity standard requires the covered entity to implement policies and procedures to protect ePHI from improper alteration or destruction. This standard has one implementation specification:
- Mechanism to Authenticate Electronic Protected Health Information
Under this specification, the covered entity must have electronic mechanisms in place to corroborate that ePHI has not been altered or destroyed in an unauthorized manner (for example, a checksum or a keyed integrity tag that is verified when a record is read).
- Person or Entity Authentication: Under this standard, covered entities must implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
- Transmission Security: The final standard requires covered entities to implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. This standard has two implementation specifications:
- Integrity Controls
- Encryption
Together, these call for ePHI in transit to be protected against undetected modification and, where reasonable and appropriate, to be encrypted end to end.
Much of the language surrounding the HIPAA Technical Safeguards can be a little overwhelming, but here are some example practices that covered entities can implement as they work toward HIPAA compliance:
- Ensure that every staff member has a unique user ID and login credentials for all workstations and any programs that store or process ePHI. Shared accounts defeat the purpose: unique IDs allow the HIPAA Security Officer or IT administrator to determine exactly which staff member accessed specific data, which is what makes audit logs meaningful.
- Create defined roles for staff members within medical software/programs (EMR, scheduling, billing, etc.) based on their job function with the practice, and grant each role only the access its duties require. For example, front-desk staff may be given read-only access, while clinicians can change and edit data.
- Avoid transmitting ePHI over unencrypted channels such as ordinary email. If the covered entity maintains a website, a good practice is to make sure it does not transmit or store any ePHI unless the site is served over HTTPS (TLS) and any stored ePHI is encrypted.
- Update and patch all devices and software that process ePHI regularly. Software becomes outdated quickly, so it is crucial to apply updates promptly to close newly discovered vulnerabilities.
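To make the practices above concrete, here is a small Python sketch added for this post (it is not code from the original article or from any EMR product) showing how the Access Control, Audit Controls and Integrity standards map onto code: every action is tied to a unique user ID and a role, idle sessions are logged off automatically, every access decision (including denials) is written to an audit trail, and each record carries a keyed integrity tag so unauthorized alteration is detected on read. The role names, the ten-minute idle timeout, the integrity key and the patient record are all constructed for the example.

```python
"""Toy ePHI access layer illustrating the HIPAA Technical Safeguards.
Added example, not from the original post; roles, timeout, key and
sample data are assumptions.  Not a real EMR component."""
import hashlib
import hmac
import json
import time

# Assumed roles: front-desk staff are read-only, clinicians may read and edit.
# Any action not listed for a role is denied.
ROLE_PERMISSIONS = {
    "front_desk": {"read"},
    "clinician": {"read", "write"},
}
IDLE_TIMEOUT_SECONDS = 600  # assumed Automatic Logoff threshold (10 minutes)


class AccessDenied(Exception):
    """Request failed authentication or authorization."""


class IntegrityError(Exception):
    """Stored record no longer matches its integrity tag."""


class EPHIStore:
    def __init__(self, integrity_key: bytes):
        self._key = integrity_key   # secret for the record integrity tag
        self._records = {}          # patient_id -> (payload bytes, tag)
        self._sessions = {}         # user_id -> (role, last activity time)
        self.audit_log = []         # append-only audit trail

    # --- Audit Controls: every decision is recorded, denials included ---
    def _audit(self, user_id, action, patient_id, outcome, now):
        self.audit_log.append({"time": now, "user": user_id, "action": action,
                               "patient": patient_id, "outcome": outcome})

    # --- Access Control: unique user IDs, roles, automatic logoff ---
    def login(self, user_id, role, now=None):
        if role not in ROLE_PERMISSIONS:
            raise AccessDenied(f"unknown role {role!r}")
        now = time.time() if now is None else now
        self._sessions[user_id] = (role, now)
        self._audit(user_id, "login", None, "ok", now)

    def _authorize(self, user_id, action, patient_id, now):
        session = self._sessions.get(user_id)
        if session is None:
            self._audit(user_id, action, patient_id, "no_session", now)
            raise AccessDenied("no active session")
        role, last_seen = session
        if now - last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[user_id]            # automatic logoff
            self._audit(user_id, "auto_logoff", None, "idle", now)
            raise AccessDenied("session expired; log in again")
        self._sessions[user_id] = (role, now)      # activity extends session
        if action not in ROLE_PERMISSIONS[role]:
            self._audit(user_id, action, patient_id, "denied", now)
            raise AccessDenied(f"role {role!r} may not {action}")
        self._audit(user_id, action, patient_id, "ok", now)

    # --- Integrity: keyed tag detects unauthorized alteration on read ---
    def _tag(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def write(self, user_id, patient_id, record, now=None):
        now = time.time() if now is None else now
        self._authorize(user_id, "write", patient_id, now)
        payload = json.dumps(record, sort_keys=True).encode()
        self._records[patient_id] = (payload, self._tag(payload))

    def read(self, user_id, patient_id, now=None):
        now = time.time() if now is None else now
        self._authorize(user_id, "read", patient_id, now)
        payload, tag = self._records[patient_id]
        if not hmac.compare_digest(tag, self._tag(payload)):
            self._audit(user_id, "integrity_check", patient_id, "tampered", now)
            raise IntegrityError(f"record {patient_id} was altered")
        return json.loads(payload)


def run_demo():
    """Exercise each safeguard with constructed data and a fixed clock."""
    store = EPHIStore(integrity_key=b"demo-key-replace-in-production")
    t0 = 1_000_000
    store.login("dr.lee", "clinician", now=t0)
    store.login("desk.pat", "front_desk", now=t0)
    store.write("dr.lee", "P-001",
                {"name": "Sample Patient", "dx": "J06.9"}, now=t0 + 1)
    results = {"read_ok": store.read("desk.pat", "P-001", now=t0 + 2)}
    try:  # read-only role attempting an edit
        store.write("desk.pat", "P-001", {"dx": "changed"}, now=t0 + 3)
    except AccessDenied as e:
        results["write_denied"] = str(e)
    # Simulate improper alteration outside the application (direct DB edit)
    payload, tag = store._records["P-001"]
    store._records["P-001"] = (payload.replace(b"J06.9", b"Z00.0"), tag)
    try:
        store.read("desk.pat", "P-001", now=t0 + 4)
    except IntegrityError as e:
        results["tamper_detected"] = str(e)
    try:  # clinician idle longer than the timeout is logged off
        store.read("dr.lee", "P-001", now=t0 + 1 + IDLE_TIMEOUT_SECONDS + 1)
    except AccessDenied as e:
        results["auto_logoff"] = str(e)
    results["audit_entries"] = len(store.audit_log)
    return results, store


if __name__ == "__main__":
    summary, demo_store = run_demo()
    print(json.dumps(summary, indent=2))
    for entry in demo_store.audit_log:
        print(entry)
```

In a real deployment the integrity key would live in a key-management service rather than in source, the audit log would be written to an append-only store separate from the application database so it cannot be edited by the same users it records, and encryption at rest and TLS in transit (the Encryption and Transmission Security specifications) would sit underneath this layer; those pieces are deliberately left out here to keep the access, audit and integrity logic visible.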
These general steps are building blocks towards HIPAA compliance. The risk analysis the Security Rule requires (part of the Administrative Safeguards covered in the final post of this series), repeated periodically and whenever systems change, will help covered entities identify any additional vulnerabilities that need to be addressed under the Technical Safeguards.
In closing, the HIPAA Technical Safeguards are an integral part of the HIPAA Security Rule. Keeping in line with the standards mentioned above will allow a covered entity to ensure that it is doing all it can to secure the systems that store, process, and transmit the ePHI it relies on to treat patients.
Please stay tuned for the final part of this series, where we will discuss the standards associated with Administrative Safeguards.
By Anirudh Nadkarni.