HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

HIPAA is a huge piece of legislation. Only a small portion of it applies directly to IT providers in healthcare, chiefly the Security Rule.

The HIPAA Security Rule outlines how “electronic protected health information” (ePHI) must be handled. Below, we outline the parts of the HIPAA Security Rule that affect IT most.

What is the HIPAA Security Rule?

First, let’s be clear about the Security Rule. It’s not a rule – it’s a whole bunch of rules that fall under HIPAA.

The U.S. Department of Health and Human Services defines the Security Rule as the following sections of the Code of Federal Regulations Title 45:

Part 160 – General Administrative Requirements

Part 164 – Subpart A – General Provisions

Part 164 – Subpart C – Security Standards for the Protection of Electronic Protected Health Information


Here’s the thing: only the last section above has a large number of requirements for IT. The rest of the Security Rule may be important for your lawyer or compliance officer to review, but it’s not something you will deal with regularly.

Important parts of the HIPAA Security Rule

So now that we’ve narrowed down the most important section of HIPAA for IT providers, let’s outline the five main parts of the Security Rule to be aware of:

1. 164.308 – Administrative safeguards

2. 164.310 – Physical safeguards

3. 164.312 – Technical safeguards

4. 164.314 – Organizational requirements

5. 164.316 – Policies and procedures and documentation requirements

#1: Administrative safeguards (§164.308)

Administrative Safeguards are the elements that have to be in place to manage a healthcare provider’s security.

They are functions that are designed to help manage, execute, and evaluate security measures that protect ePHI. They also help ensure proper management of business associates so that ePHI is properly protected.

Examples of the Administrative Safeguards that apply to any HIPAA-covered healthcare provider:

Evaluations of existing security measures, as well as an analysis of potential risks and vulnerabilities to ePHI (the risk analysis)


Sanctioning system for those who fail to comply with security policies

Review procedures for information system activity

Identification of officials who implement security policies and procedures (i.e. “assigned security responsibility”)

Authorization measures to protect ePHI from unauthorized access or use

Clearance procedures provided for workforce members, as well as mandatory security awareness and training programs

Response and reporting procedures for addressing security incidents, such as physical break-ins, virus attacks, and lost or stolen passwords

Contingency plans to respond to disruptions in critical business operations

#2: Physical safeguards (§164.310)

Physical safeguards prevent thieves from grabbing a system and running out the front door. They are the measures that physically protect information systems, as well as the buildings and equipment that handle or store healthcare data.

These safeguards are fairly straightforward and mostly require organizations to document how they will use, protect, and manage physical information systems. They are broken down into the following four standards:


Workstation use – The organization must lay out the appropriate functions for any electronic computing device, including laptops, desktops, and other devices that store electronic media. Though seemingly mundane, this is an important consideration since inappropriate use (such as using a workstation to visit online gambling sites) can expose the organization to greater risks.

Workstation security – The organization must identify all workstations that have access to ePHI and whether or not physical access to a workstation needs to be restricted (e.g. keeping a workstation in a locked room).

Facility access controls – Policies that protect and limit physical access to facilities where information systems are located must also be identified (e.g. authorization measures, ID badges, surveillance cameras).

Device and media controls – The organization must document and follow measures for handling the receipt and removal of hardware and media that contain ePHI into and out of a facility.

#3: Technical safeguards (§164.312)

The Security Rule gets more specific in the section on Technical Safeguards.

Here HIPAA lists “implementation specifications” for IT systems that will handle and protect ePHI.

For example, standards are included for the following:

Access controls – Healthcare organizations need systems in place to allow access to ePHI only to people and systems that have a legitimate reason. The access controls should include unique user identification, emergency access procedures, automatic logoff, and data encryption. Note that the first two are “required” implementation specifications, while automatic logoff and encryption are “addressable”: the organization must implement them, implement an equivalent alternative, or document why neither is reasonable and appropriate in its environment.

Audit controls – Mechanisms must be in place to record and examine activity in information systems that contain ePHI. These audit records are what you will rely on to determine whether a security breach occurred, who was involved, and which records were affected.

Integrity – Policies and procedures must be in place to protect health data from improper alteration or destruction. For example, health organizations need to validate that health data has not been tampered with.

Authentication – People and entities that seek to access ePHI must be verified as who they claim to be. This can be accomplished by providing proof of identity, such as by supplying a password or PIN, a smartcard, or a biometric indicator.

Transmission security – ePHI must also be protected from unauthorized access while in transit. This includes measures to ensure the data has not been modified while in transit, and the use of encryption to protect the data should the transmission be intercepted.

The Technical Safeguards in HIPAA’s Security Rule do list the types of protections healthcare organizations must have in place. However, they stop short of specifying the exact technology to use (for example, organizations must use “encryption,” but no particular algorithm or product is specified, so the choice must be justified in the risk analysis).
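As an added example (not part of the original article), the Python sketch below shows one way the audit-control and integrity safeguards above can be realised together: a hash-chained audit log in which every entry names the individual user, the action and the ePHI record touched, and carries an HMAC over its own contents plus the previous entry’s tag, so that editing or deleting an earlier entry is detected on verification. The key, user IDs, record IDs and timestamps are constructed for illustration; HIPAA does not prescribe this or any particular mechanism.

```python
"""Tamper-evident audit log for ePHI access (added example, constructed data).

Each entry records a unique user ID, an action and the record touched, and is
linked to its predecessor by an HMAC-SHA256 tag, so the entries form a chain.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import List, Optional

GENESIS_TAG = "0" * 64  # prev_tag of the very first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int         # position in the log; detects deletions and reordering
    user_id: str     # unique user identification, never a shared account
    action: str      # e.g. "read", "update", "export"
    record_id: str   # which ePHI record was touched; the PHI itself is not logged
    timestamp: str   # ISO-8601; constructed for the example
    prev_tag: str    # tag of the previous entry
    tag: str         # HMAC-SHA256 over this entry's body plus prev_tag


def _body(seq: int, user_id: str, action: str, record_id: str, timestamp: str) -> bytes:
    # Canonical JSON so the same fields always serialise to the same bytes.
    return json.dumps(
        {"seq": seq, "user_id": user_id, "action": action,
         "record_id": record_id, "timestamp": timestamp},
        sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, body: bytes, prev_tag: str) -> str:
    return hmac.new(key, body + prev_tag.encode(), hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[AuditEntry] = []

    def record(self, user_id: str, action: str, record_id: str, timestamp: str) -> AuditEntry:
        seq = len(self.entries)
        prev_tag = self.entries[-1].tag if self.entries else GENESIS_TAG
        tag = _tag(self._key, _body(seq, user_id, action, record_id, timestamp), prev_tag)
        entry = AuditEntry(seq, user_id, action, record_id, timestamp, prev_tag, tag)
        self.entries.append(entry)
        return entry


def verify_chain(key: bytes, entries: List[AuditEntry]) -> Optional[int]:
    """Return None if the log is intact, otherwise the index of the first entry
    whose contents, position or link to its predecessor does not check out."""
    expected_prev = GENESIS_TAG
    for i, e in enumerate(entries):
        expected_tag = _tag(key, _body(e.seq, e.user_id, e.action, e.record_id, e.timestamp), e.prev_tag)
        if e.seq != i or e.prev_tag != expected_prev or not hmac.compare_digest(e.tag, expected_tag):
            return i
        expected_prev = e.tag
    return None


def demo():
    """Build a small log, then show that two common tampering attempts are caught."""
    key = b"constructed-demo-key; keep real keys in a KMS or HSM"  # assumption: not a real key
    log = AuditLog(key)
    log.record("jdoe", "read", "pt-1042", "2021-03-01T09:14:02Z")
    log.record("asmith", "update", "pt-1042", "2021-03-01T09:20:45Z")
    log.record("jdoe", "export", "pt-0077", "2021-03-01T10:02:11Z")
    intact = verify_chain(key, log.entries)            # None: chain is good

    # Tampering 1: an insider rewrites who performed the update on entry 1.
    edited = list(log.entries)
    edited[1] = replace(edited[1], user_id="jdoe")
    altered = verify_chain(key, edited)                # 1: tag no longer matches

    # Tampering 2: the incriminating entry is deleted outright.
    deleted = log.entries[:1] + log.entries[2:]
    removed = verify_chain(key, deleted)               # 1: seq and prev_tag break

    return intact, altered, removed


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: the HMAC key must be held by whoever reviews the log, not by the application or database administrator whose activity it records, otherwise a forger can simply re-tag the chain; and a chain on its own cannot detect truncation of the newest entries, so the current head tag should be recorded out of band (a separate system or write-once store) as part of the information system activity review procedure.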

#4: Organizational requirements (§164.314)


Healthcare organizations are required to have a contract or other agreement with their business associates under the Organizational Requirements. This section also specifies the criteria for the contracts.

For example, when your client hands you a business associate agreement (BAA) to sign, expect to see clauses that require you to do the following:

Agree to implement safeguards to protect ePHI and ensure that any subcontractors do the same

Agree to report any security incident you become aware of

Authorize the client to terminate the contract if you violate a material term of it

Note: the Organizational Requirements also include provisions for group health plans. This section may not affect you, but be aware that group plan sponsors must protect any ePHI they work with on behalf of the plan.

This requirement must be listed in the plan document, using language similar to the safeguard requirements in business associate contracts.

#5: Policies and procedures and documentation requirements (§164.316)

This section requires healthcare organizations to adopt policies and procedures to meet the Security Rule’s requirements. These items must be documented and maintained, and they may be changed at any time provided the changes are documented.

In case you are unsure of these terms:

Security policy – a written outline of how you will protect and maintain the organization’s IT assets. The term “policy” may refer to a specific area, such as an email policy, or an overarching plan to protect all IT resources.


Security procedure – a series of written steps to follow in a given situation. For example, a virus response procedure would list the steps to be taken once a computer on the system was shown to be infected by a virus.

Documentation requirements

HIPAA does not specify the policies and procedures organizations must have in place. However, it does require organizations to have them and document them.

The documents must be retained for six years from their creation or from the date they were last in effect, whichever is later, and they must be reviewed periodically and updated to reflect any changes that may affect the security of ePHI.

Here you can find good examples of security policies and procedures used by the London School of Economics.

Thanks to the “Flexibility of Approach” provisions in HIPAA, your client can tailor their policies and procedures to fit the size and current practices of the healthcare establishment, as long as the following factors are considered:

The size, complexity and capabilities of the organization

The organization’s technical infrastructure, hardware, and software security capabilities

The costs of security measures

The probability and criticality of potential risks to ePHI


A solid understanding of these five sections of the Security Rule will help you know what type of requirements and safeguards you’ll need to follow when serving your healthcare clients.
