HIPAA Series Part 3: Technical Safeguards

Welcome to Healthicity’s Health Insurance Portability & Accountability Act (HIPAA) Security Series Part 3: Technical Safeguards. In this eBrief, we’ll examine the Technical Safeguards requirements of the Security Rule.

Five Million Dollar Settlement

A covered entity paid over $5 million to settle with HHS OCR (Office for Civil Rights) over ePHI breach concerns and violations of the HIPAA Security Rule. OCR’s investigation uncovered many concerns and among them were violations of the Technical Safeguards of the Security Rule. Some of these included the requirement to:

• • Implement procedures to regularly review records of information system activity
  • Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights
  • Prevent unauthorized access to the ePHI of 9,358,891 individuals (about half the population of New York) whose ePHI was maintained in the covered entity’s IT systems  What are Technical Safeguards?

The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

Interestingly, the Security Rule does not specify technology solutions. HHS does provide some examples of security measures and technical solutions to illustrate the standards and implementation specifications. But these are only examples. There are many technical security tools, products, and solutions that a covered entity may select. As written by HHS, “Determining which security measure to implement is a decision that covered entities must make based on what is reasonable and appropriate for their specific organization, given their own unique characteristics…”

Access Control

ePHI is special information. Access to it is needed for physicians to write an order, for a nurse to enter notes and for a payor to process claims. Certain authorized individuals and technical systems need access to the information.  Access to ePHI for legitimate purposes must be balanced with its security and prevention of unauthorized access.

The Security Rule defines access as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.”   Reading, writing, modifying, and communicating are the life blood activities of medical records and payment systems. Controlling who has access to these activities is an essential technical safeguard.

Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Levels of controls are also important. Not every authorized individual need full access to all ePHI content or systems. Controls should be implemented in a way that users only have access to the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement as part of the Administrative Safeguards section of the Rule.

The Access Control standard requires a covered entity to:

“Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights…”

Some questions an organization may want to ask in relation to Access Controls include:

• • Does each workforce member have a unique user identifier?
  • What is the current format used for unique user identification?
  • Can the unique user identifier be used to track user activity within information systems that contain ePHI?
  • Do current information systems have an automatic logoff capability?
  • Is the automatic logoff feature activated on all workstations with access to EPHI?

Encryption

Encryption falls under the Access Control standards as well. However, emphasizing encryption as a separate section in the eBrief is appropriate as the number of impermissible disclosures would be significantly reduced if organizations thoroughly and correctly implemented encryption best practices.

In fact, HHS has stated, “If information is encrypted, there would be a low probability that anyone other than the receiving party who has the key to the code or access to another confidential process would be able to decrypt (i.e., translate) the text and convert it into plain, comprehensible text.”

Think of all the lost or stolen laptops or portable flash drives that contained ePHI. Reviewing the impermissible disclosures tracked by OCR will show how often a lost or stolen device is at the heart of a breach. If these lost or stolen devices had been properly encrypted, there essentially would not have been a reportable breach, as the probability of impermissible disclosure would have been close to zero because of the strength of proper encryption.

Regarding encryption, organizations might consider asking themselves:

• • Which ePHI should be encrypted and decrypted to prevent access by persons or software programs that have not been granted access rights?
  • What encryption and decryption mechanisms are reasonable and appropriate to implement to prevent access to ePHI by persons or software programs that have not been granted access rights?

The bottom line on encryption? Proper encryption would prevent more impermissible disclosures than any other single activity. This is primarily true because historically so many breaches are due to lost or stolen unencrypted devices.

Conclusion

As with the other eBriefs in this series, it is impossible to comprehensively discuss all aspects of the Technical Safeguards in this eBrief. Other technical safeguards not addressed here include audit controls, integrity controls, transmission security and person or entity authentication. Fully assessing the risks associated with the lack of technical safeguards is an essential part of a HIPAA Risk Analysis and Risk Management Plan which will be the last part of this HIPAA Security eBrief series. Keep an eye out for it.

Download this blog as a PDF, click the button below.