The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training

N/A
N/A
Protected

Academic year: 2021


Introduction

The HIPAA Security Rule specifically requires training of all members of the workforce. Training must occur initially at hire, and updates are required as part of the continued training regimen. This Security Training module is part of that required education. HIPAA Security regulations, in addition to HIPAA Privacy regulations, have existed for over a decade. Recent updates to HIPAA Security regulations have dramatically increased the requirements for keeping protected health information (PHI) secure. Changes to the rules affect any group or person that creates, receives, maintains or transmits PHI.

A. HIPAA Security Rule, Changes, and Impact

While the HITECH Act, passed in 2009, made sweeping changes to HIPAA, it was the HHS (Health and Human Services) HIPAA Omnibus Rule (published January 2013; effective March 2013; and enforceable October 2013) that finalized interim rules and implemented a number of provisions of the HITECH Act. Significantly, it:

• Defines what a breach is;

• Establishes strict liability for uses and disclosures of PHI that violate the rules;

• Defines rules for breach notification; and

• Makes both the covered entity and any business associate liable for aspects of compliance.

The authority to administer and enforce the Security Rule was transferred to the Office of Civil Rights (OCR) on July 27, 2009. The Omnibus Rule grants OCR the authority to respond to any complaints, including investigating, determining whether a violation occurred by a covered entity or business associate, and assessing monetary penalties for each violation.

Violations of HIPAA can be very costly. In addition to fines levied by HHS/OCR, additional criminal and civil suits may follow. Additionally, the fines do not cover the costs of the investigation to the covered entity. The investigations generally run in excess of 18 months and require significant involvement by the employees of the covered entity. If OCR finds that a violation or violations have occurred, it will issue a mandatory “corrective action plan” (CAP), which results in the use of additional resources and staff time by the covered entity to comply with the CAP.

Some recent settlements between covered entities in higher education and the OCR include:

• UCLA (2011): $865,500

• Idaho State (2013): $400,000

• Columbia University with New York Presbyterian Hospital (2013): $4,800,000

Again, these figures do not include the work related to the investigation nor the CAP. There are no estimates of the loss of revenue related to public image damage.


B. Protecting Credentials

A login credential is the mechanism used to confirm the identity of a user and consequently provide that user appropriate access to data. Computer systems often use a username and at least one of three authentication methods:

• Something you know, such as a password;

• Something you have, such as a certificate, computer, or email address; or

• Something you are, such as your fingerprint.

In most cases, login credentials consist of a username and password. While users are commonly assigned a permanent username, passwords can be changed periodically as needed. It is critical to create and keep secure credentials as they provide a mechanism to safeguard PHI.

Passwords must be constructed in a way that prevents hackers from using sophisticated software to guess them. Strong passwords are long, complex, and composed of letters, numbers and special characters. Remember: “Longer is Stronger.” UW-Madison IT Security has developed a set of standards for how best to construct passwords: https://www.cio.wisc.edu/policies-password.aspx. Additionally, to keep passwords secure, they should be changed every 180 days.

Because credentials such as a username and password are used to uniquely identify individuals, they should never be shared with others. Additionally, passwords should never be written down. It can be difficult to recall multiple passwords, especially when changing them frequently, so it is suggested that a program called a password manager be used. Password managers usually enable the use of one master password to access the repository of all passwords while storing them securely. The DoIT Tech Store has the password manager LastPass available at no cost. The UW-Madison IT Security website lists Password Safe and Mac OS X Keychain as suggestions for additional password manager options.

To access the training video on protecting credentials that is part of this security training module, please log in to the HIPAA Training Course through Learn@UW.

C. Portable Devices

Portable devices can be easily carried outside of the University or Health Care Component and used in uncontrolled environments. As with any powerful tool, you must exercise care to reduce the risks associated with using a portable device. Loss, theft, or compromise by malware of portable devices poses a significant risk to the confidentiality, integrity and availability of PHI.


To address these risks, all portable devices used for business purposes – which include both portable computing devices and portable media – shall be managed by following processes through the life cycle of the device, which includes setup, use, and eventual disposal.

1. Definitions:

Portable computing devices include but are not limited to: notebook and handheld computers, tablet computers, iPads, Android devices, smart phones, and iPhones. These devices are used to create, view, modify, update, transmit, process, collect, store or delete data.

Portable media refers to any data storage media that is intended to be removed from its computing device, including but not limited to CDs, DVDs, portable hard drives, thumb drives, USB external memory, memory sticks, Secure Digital cards, and Compact Flash cards.

2. Your Responsibilities:

It is crucial to understand that any device used for University-related work falls under these requirements, including those devices that are personally owned. No portable device used for business purposes may be shared with anyone unauthorized to access PHI, including family members.

All portable devices to be used for business purposes must be approved and registered with your departmental IT group or your local HIPAA Security Coordinator. It is your responsibility to take your device to your local IT group or campus IT for registration.

When you take your device to be registered, your departmental IT group, HIPAA Security Coordinator, or campus IT Security will ensure that appropriate encryption is enabled on the device before PHI has been processed through the device. They will also ensure recovery mechanisms are in place and carefully controlled, as well as train you on how to decrypt information for your work. Device encryption applies to both portable computing devices and portable media. They will also ensure appropriate device password protection is enabled, and that the ability to remotely wipe PHI data from the device is activated, in case of loss.

Any loss, theft, or suspected malware infection of a device must be immediately reported to your local/departmental IT office or the DoIT Help Desk (264-HELP) and the HIPAA Privacy Officer. Your HIPAA Security Coordinator can assist you with notification as well. Time is of the essence – quick reporting allows a rapid response, which helps with the collection of forensic information. This can lead to an effective mitigation effort and avoid a potential breach.


You are accountable to ensure that your portable device is continuously updated; the devices are subject to all campus, local and departmental workstation security policies. In some departments, local IT may also be responsible for updates to portable devices. Confirm with your local IT group that they will continuously monitor and maintain your portable device. Also, always use an external name and address label on your device to facilitate recovery if lost.

When your device will be retired from use for business purposes or replaced by a new device, it must be reviewed by departmental IT staff for disposal or removal of data.

Data security is the obligation of all UW-Madison employees who use portable devices for University-related work.

D. Electronic Communication

Email and text message systems are capable of storing and transmitting messages that contain sensitive information so it is necessary to take measures to minimize the risk of data loss. Do not use text messaging to send protected health information (PHI). PHI should be sent using email only when necessary to conduct your work and only as outlined here.

All faculty, staff and students in the Health Care Component must use email addresses provided by UW-Madison for business-related communication. These email addresses always end in wisc.edu (including specialized emails like fammed.wisc.edu) or uwhealth.org.

Use of personal email addresses (such as @gmail.com or @outlook.com) for business purposes is prohibited. University-provided accounts used for business purposes must never be forwarded – whether automatically or for any individual email – to any personal external email provider outside of the “wisc.edu” or “uwhealth.org” domains.
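The forwarding restriction above, as an added example that is not part of the training text: a defender-side check that flags mailbox forwarding rules whose targets fall outside the wisc.edu and uwhealth.org domains. Domains are matched on whole labels, so fammed.wisc.edu passes while lookalikes do not; the rule list and addresses are constructed sample data.

```python
# Added example: validate mail-forwarding targets against the approved domains.
from email.utils import parseaddr
from typing import List, Optional, Tuple

APPROVED_DOMAINS = ("wisc.edu", "uwhealth.org")  # from the training text


def domain_of(address: str) -> Optional[str]:
    """Return the lowercase domain part of an email address, or None."""
    _, addr = parseaddr(address)  # handles "Name <user@host>" forms
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_approved_domain(domain: str) -> bool:
    """True if the domain is an approved domain or a subdomain of one.

    Label-boundary matching rejects lookalikes such as "notwisc.edu"
    and "wisc.edu.example.com".
    """
    return any(domain == d or domain.endswith("." + d) for d in APPROVED_DOMAINS)


def find_forwarding_violations(rules: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (mailbox, target) pairs whose target leaves the approved domains."""
    violations = []
    for mailbox, target in rules:
        target_domain = domain_of(target)
        if target_domain is None or not is_approved_domain(target_domain):
            violations.append((mailbox, target))
    return violations


# Constructed sample of (mailbox, forwarding target) pairs, as an administrator
# might export them from the mail system.
SAMPLE_RULES = [
    ("alice@wisc.edu", "alice@fammed.wisc.edu"),           # internal subdomain: fine
    ("bob@wisc.edu", "bob.smith@gmail.com"),               # personal provider: violation
    ("carol@uwhealth.org", "carol@wisc.edu.example.com"),  # lookalike: violation
    ("dave@wisc.edu", "Dave <dave@notwisc.edu>"),          # lookalike: violation
    ("erin@wisc.edu", "erin@UWHealth.org"),                # case differs only: fine
]

if __name__ == "__main__":
    for mailbox, target in find_forwarding_violations(SAMPLE_RULES):
        print(f"forwarding violation: {mailbox} -> {target}")
```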

Email containing PHI may be sent outside the “wisc.edu” or “uwhealth.org” domains only under the following limited circumstances:

1) When a patient requests communication via email, has been advised of the risks of communicating PHI via email, and agrees to the use of email through a written consent form; or

2) When an email communication outside of UW is required for treatment or other business-related purposes and the email is sent encrypted using a mechanism approved by your local HIPAA Security Coordinator, in conjunction with UW-Madison IT Security.

All electronic messages containing PHI must include a privacy statement notifying the recipient of the insecurity of electronic messaging (see Policy 8.6 for template language). Senders should also consider including a contact to whom a recipient can report a misdirected message.

If you intend to send email containing PHI to patients, please review UW-Madison’s policy (8.6) on use of email (at hipaa.wisc.edu) and any policies of the health care facility where you are providing care or other services. If you have any questions, please contact the HIPAA Privacy Officer.

E. Social Engineering & Phishing

“Social engineering”, in the context of information security, refers to the psychological manipulation of people into divulging confidential information. Social engineering involves tricking the target for the purpose of information gathering, fraud, or system access. It differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

“Phishing” is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, banks, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware, designed to infect your computer. Phishing is typically carried out by email spoofing, and it often directs users to enter details at a fake website with a look and feel almost identical to the legitimate one. Phishing is an example of a social engineering technique used to deceive users.

To access the training video on social engineering and phishing that is part of this security training module, please log in to the HIPAA Training Course through Learn@UW.

F. Security Incidents

A security incident refers to an event in which the confidentiality, integrity, or availability of sensitive information, including protected health information (PHI), may have been compromised. Examples of security incidents include, but are not limited to: a lost or stolen device, a stolen credential such as a password, a device compromised by malware or other means of remote entry, physical access to restricted areas by unauthorized personnel, or a denial of service (DoS) attack which prevents a device from being properly accessed. Security incidents can also arise in the absence of mal-intent, such as through use of incorrect email addresses or distribution lists.

Any suspected or confirmed security incident must be reported immediately to your unit’s IT group and/or the DoIT Help Desk and the UW HIPAA Privacy Officer. All thefts should also be reported to the UW Police Department or the local police department where the theft occurred.


In cases where it is known or it is likely that a security incident is ongoing, steps must be taken to mitigate further risk of data breach. This may include removing a device’s access to the network, blocking traffic from specific hosts, disabling an account or remotely disabling or erasing a portable device. When possible, care must be taken to prevent the destruction of forensic evidence.

G. Account Creation and Access Control

Access to PHI must be restricted to only those individuals who are authorized to change and/or view the data as part of their job duties. Any access by individuals to datasets containing PHI is to be granted by the dataset custodian who is either responsible for the research (usually the principal investigator) or other use of the data, such as quality improvement.

Individuals should only be given a user account at the request of a specified account requestor (someone with the authority to request the creation of a user account, such as a supervisor) and all account holders must complete all applicable UW HIPAA training before accessing PHI. Administrative staff must be promptly notified by the account requestor of any change in status of an account holder that may affect their access rights, including their right to hold an account. Accounts may be terminated in accordance with guidelines defined by the department, e.g.:

• The account requestor specifies that the account be terminated;

• The account has been determined to be abandoned; or

• The account holder has violated HIPAA policy.

All accounts must be tracked with a history of creation, modification or deletion that is kept for six years. The dataset administrator should maintain an account and access record for all account holders with access to each PHI dataset.
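The account-tracking requirement above, as an added example that is not part of the training text: a minimal account and access ledger for one PHI dataset that records creation, modification and termination events (termination limited to the three reasons listed), reports who currently holds access, and identifies history that has passed the six-year retention period. Dataset and account names are constructed sample data, and six years is approximated as 6 × 365 days.

```python
# Added example: per-dataset account/access ledger with six-year retention.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set

RETENTION = timedelta(days=6 * 365)  # six-year retention, approximated in days
TERMINATION_REASONS = {"requestor_request", "abandoned", "hipaa_violation"}


@dataclass(frozen=True)
class AccountEvent:
    when: date
    holder: str       # account holder
    action: str       # "create", "modify" or "terminate"
    actor: str        # account requestor or administrator recording the event
    detail: str = ""  # role change, or termination reason


@dataclass
class DatasetAccessLedger:
    dataset: str
    events: List[AccountEvent] = field(default_factory=list)

    def record(self, event: AccountEvent) -> None:
        # Only the termination reasons defined by the department are accepted.
        if event.action == "terminate" and event.detail not in TERMINATION_REASONS:
            raise ValueError(f"unknown termination reason: {event.detail!r}")
        self.events.append(event)

    def current_holders(self) -> Set[str]:
        """Holders whose latest event is not a termination."""
        latest: Dict[str, str] = {}
        for ev in sorted(self.events, key=lambda e: e.when):
            latest[ev.holder] = ev.action
        return {h for h, a in latest.items() if a != "terminate"}

    def purgeable(self, today: date) -> List[AccountEvent]:
        """History of holders terminated more than six years before today.
        A holder re-created after termination is active, so nothing of theirs is purged."""
        cutoff = today - RETENTION
        old_terminated = {ev.holder for ev in self.events
                          if ev.action == "terminate" and ev.when < cutoff}
        old_terminated -= self.current_holders()
        return [ev for ev in self.events if ev.holder in old_terminated]


# Constructed sample ledger for a hypothetical dataset.
LEDGER = DatasetAccessLedger("phi-registry")
LEDGER.record(AccountEvent(date(2012, 1, 9), "jdoe", "create", "pi_smith", "role: analyst"))
LEDGER.record(AccountEvent(date(2013, 6, 1), "jdoe", "terminate", "pi_smith", "requestor_request"))
LEDGER.record(AccountEvent(date(2020, 3, 2), "rlee", "create", "pi_smith", "role: coordinator"))
LEDGER.record(AccountEvent(date(2021, 9, 14), "rlee", "modify", "pi_smith", "role: analyst"))
```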
