Diagnosing HIPAA Security

A guide to help healthcare organizations understand the HIPAA Security Rule.


¿Habla HIPAA?

HIPAA can seem like a foreign language to even a seasoned compliance expert. To help you out, we've included a glossary of common HIPAA terms in the appendix of this ebook.

About this ebook

Who should read this ebook?

• Doctors, office managers, and healthcare staff

• Business associates with access to patient data

• Anyone interested in understanding HIPAA compliance and the Security Rule

What does this ebook include?

• Overview of HIPAA compliance

• Risks and potential penalties of noncompliance

• Detailed summary of the HIPAA Security Rule

Who is SecurityMetrics?

SecurityMetrics has helped over one million organizations just like yours comply with HIPAA, PCI, and other mandates. Our solutions combine innovative technology that streamlines validation with the personal support you need to fully understand compliance requirements. You focus on the medical stuff; we've got compliance covered.

Introduction

'I know HIPAA is required, and I know it's important, I just don't know what exactly HIPAA requires me to do.'

Don't feel bad if this statement sounds all too familiar. Many doctors, nurses, office managers, and healthcare professionals we talk to share the same confusion over HIPAA compliance. Unfortunately, noncompliance with the HIPAA standards puts organizations at greater risk now than ever before.

Recent legislation has increased the government's ability to enforce compliance with aggressive audits and fines. September 23, 2013 marked the compliance deadline for the HIPAA Omnibus Final Rule, and the first day of hunting season: you may be in the HHS audit crosshairs. If your organization is not actively working towards HIPAA compliance, you are at risk of heavy fines and penalties.

The purpose of this ebook is to help you understand what changes were made to the HIPAA mandate, how these changes affect your office, and what you can do to protect your organization from the potentially devastating consequences of noncompliance.

Over 27,000,000 medical records have been exposed in the last 3 years. That's more than the populations of New York City, Los Angeles, Chicago, Houston, Denver, and Seattle combined.

Chapter 01: About HIPAA

HIPAA Components

Most people in the healthcare industry are familiar with the purpose of HIPAA compliance, but not everyone realizes the HIPAA standard is actually a combination of three separate rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.

Privacy Rule

The Privacy Rule addresses appropriate PHI use and disclosure practices by healthcare organizations, and designates the right for individuals to understand and control how their medical data is used.

Security Rule

The Security Rule sets standards for protecting PHI that is stored or transmitted in electronic form. The Security Rule is designed to be flexible and scalable to accommodate healthcare organizations of all sizes and technology sophistication.

Breach Notification Rule

The Breach Notification Rule details the actions that must take place and the parties that must be notified in the event of a PHI breach.

What is a covered entity?

• Health Care Providers, e.g. doctors, dentists, chiropractors, pharmacies

• Health Plans, e.g. medical, dental, and vision plans

• Health Care Clearinghouses, e.g. billing services


What happens if you are not compliant? Here are just a couple of ways that noncompliance with the HIPAA standards can negatively affect a covered entity:

1. Data Compromise

Few things are more devastating to a healthcare organization than the effects of a Protected Health Information (PHI) data breach, which may include:

• Financial penalties: On top of the severe fines levied by the HHS, the HITECH Act also gives state attorneys general the ability to impose civil penalties on behalf of state residents for violations of the HIPAA Security and Privacy Rules.

• Negative publicity: Breaches affecting more than 500 individuals in a state or jurisdiction require covered entities to notify not only the patients affected by the breach, but also the media. This damages brand equity and publicly embarrasses the organization.

• Loss of patient trust: According to a recent survey, 76% of patients state they will stop dealing with an organization responsible for a privacy breach. Losing 76% of your customers will definitely make a noticeable impact on revenue and inhibit your ability to provide quality healthcare.

But hey, a data breach would never happen to you, right? Even if that were the case (and by the way, everyone who has ever been breached has had that exact same thought), healthcare organizations may still be seriously penalized for noncompliance through HHS audits.

2. HHS Audits

September 23, 2013 marked the compliance deadline for the HIPAA Omnibus Final Rule, and the HHS has begun to audit healthcare organizations and assess civil penalties of up to $50,000 per violation (each day a violation continues counts as a separate violation), capped at $1.5 million per calendar year for identical violations.

What could trigger one of these audits?

• A breach or complaint of a breach

• A complaint of a privacy or security violation by anyone, including patients and current/former employees (Have you ever had an angry patient? Maybe a disgruntled ex-employee?)

• Filing for EHR reimbursements

• Because the OCR feels like it. The OCR has stated on multiple occasions that they will conduct audits on randomly selected covered entities. So even if you are hiding in the back row, the OCR may still call you to the front of the class.

'Changes resulting from the final Omnibus Rule not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of [the OCR] to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.'

Leon Rodriguez, Director of the HHS OCR

HIPAA Security Rule

According to the HHS, a major goal of the Security Rule is to protect the privacy of individuals' health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.

As previously mentioned, the HIPAA Security Rule was established to provide protection for Electronic PHI (ePHI) when stored, transmitted, or managed in any other way. The Security Rule is divided into three sections, referred to as 'safeguards', with each safeguard divided into 'standards', which are further divided into 'implementation specifications'. Each implementation specification is either 'required' or 'addressable'. Addressable does not mean optional: you must implement an addressable specification if it is reasonable and appropriate for your environment, and if you decide it is not, you must document why and implement an equivalent alternative where one is reasonable. Let's start with a look at the Administrative Safeguards.

It's important to note that 'covered entity' refers to a broad spectrum of healthcare providers that differ in terms of size, purpose, organization, and overall complexity. The requirements within the Security Rule are designed to be technology-neutral and scalable to address organizations ranging from a small chiropractor's office to national health plans. The path to HIPAA compliance is different for every organization, and each covered entity must implement the security controls that will effectively minimize their unique set of risks.

Who is responsible for HIPAA?

Compliance officers, maybe doctors, but most of the time office managers. If HIPAA compliance is one of your responsibilities, violations may put your employment, career, and livelihood at risk.

Why just the Security Rule? 3 reasons why this ebook is focused on the Security Rule

Chapter 02: Administrative Safeguards

The Administrative Safeguards are defined as: 'administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.'

The Administrative Safeguards are the most extensive of the three safeguards and make up over half of the Security Rule requirements, and for good reason. A 2011-2012 audit conducted by the HHS found that 42% of HIPAA Security Rule violations occurred within the Administrative Safeguard category.

The Administrative Safeguards are intended to help your organization:

• Identify threats and vulnerabilities that may lead to risk

• Evaluate security controls already in place

• Implement and document appropriate solutions to correct security violations

The Administrative Safeguards are broken down into nine different standards, so let's get started.

Safeguards, Standards, and Microwaved Chicken: Understanding the HIPAA Security Rule hierarchy

Security Management Process

The Security Management Process is made up of four implementation specifications that are critical to your PHI security plan. The HHS has stressed the importance of these components, saying they 'form the foundation upon which an entity's necessary security activities are built'. Because of their noted importance, we will give a little extra attention to the activities within this standard.

To understand the Security Management Process, you must understand risk. And to understand risk, you must understand two important terms, vulnerability and threat, which are illustrated below.

Vulnerability: A flaw or weakness in procedure, design, implementation, or security control that could result in a security breach.

1. Technical: holes, flaws, and weaknesses in IT systems; incorrectly implemented or configured IT systems

2. Non-technical: ineffective or non-existent procedures, policies, standards, and guidelines

Threat: The potential for a person, event, or action to exploit a specific vulnerability.

1. Natural: flood, earthquake, tornado, etc.

2. Human: intentional (network attacks, hacks, unauthorized access to ePHI, theft) or unintentional (inadvertent data entry/deletion, inaccurate data entry, data loss)

3. Environmental: power failures, pollution, chemicals, liquid leakage

Now that we understand vulnerabilities and threats, we can define risk a little more clearly: 'The net mission impact considering (1) the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2) the resulting impact if this should occur.'

Or in other words, vulnerabilities and threats are like dynamite and matches. Individually, these items are not necessarily dangerous. It's only when these two items are combined that serious damage is done. Risk is the likelihood that one of these threats accidentally or intentionally triggers the vulnerability, weighed against the damage that would result if it did.

Risk Analysis

The risk analysis is arguably the most important part of not only Security Rule compliance, but the entire HIPAA standard as well. The purpose of the risk analysis is to help covered entities identify (and document!) potential security risks (i.e. threats and vulnerabilities). Every security effort your organization makes will be determined by your risk analysis, so it's critical to conduct a thorough and accurate assessment.

While the HHS has no specified method of conducting a risk analysis, there are some generally accepted steps that outline the process. Here is an example risk analysis process:

1. Identify the scope of the analysis (every system, location, and workflow that creates, receives, maintains, or transmits ePHI)

2. Gather data

3. Identify and document potential threats and vulnerabilities

4. Assess current security measures

5. Determine the likelihood of threat occurrence

6. Determine the potential impact of threat occurrence

7. Determine the level of risk

8. Identify security measures and finalize documentation

There are several reasons why every covered entity should take the risk analysis very seriously. First (and most obvious), this process will help you identify your organization's greatest areas of risk. Second (not so obvious but equally important), in the event of a data breach or random audit, covered entities that have not conducted a thorough and accurate risk analysis can expect to be hit with severe financial penalties.

The HHS has stated on multiple occasions that they will make examples of healthcare organizations that put PHI at risk. Given the stated importance and heavy consequences associated with the risk analysis, you may want to consider working with a HIPAA security expert.

Risk Management

In the risk analysis you identified the threats and vulnerabilities that expose your organization to potential risk. Now it's time to add in some protection.

Risk management is the second implementation specification of the Security Management Process. The risk management specification requires organizations to implement security controls that 'reduce risks and vulnerabilities to a reasonable and appropriate level'. There are many ways to approach risk management, but ultimately the process will consist of three main steps:

1. Develop and implement a risk management plan: Create a plan of attack for how you will evaluate, prioritize, and implement security controls.

2. Implement security controls: Begin your attack on risk. Implement security measures that address the greatest areas of risk first. Prioritization will help you make the biggest impact on risk in the shortest amount of time.

3. Evaluate and maintain security controls: Evaluate the security controls you've implemented and be sure to keep an eye out for new areas of risk.

The HIPAA Security Rule requires you to 'periodically' complete the risk analysis and risk management process, so plan on a formal assessment at least once a year, and repeat it whenever your environment changes significantly (a new EHR system, a new location, a merger, or a breach). Remember that as far as the HHS is concerned, if it's not documented, it never happened. Thorough documentation of these processes will help you accurately evaluate risk, become more efficient in your assessments, and provide protection should the HHS show up on your doorstep for a random audit.

Let's do a quick recap:

• Risk analysis to find risk

• Risk management plan to implement security controls

Now we will address what may be the biggest factor in PHI security: your employees.

Sanction Policy

The sanction policy specification of the HIPAA Security Rule requires covered entities to 'apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity'. A sanction policy promotes compliance in several ways:

• Establishes employee accountability

• Defines the organization's policies and procedures

• Details the consequences employees will face if they fail to comply with the policies and procedures

Sanction policies are commonly found in employee manuals where they are administered as part of the new hire training process. Require employees to sign a statement of adherence, which basically states (and documents!) that the employee understands violations of security policies and procedures will result in disciplinary action.

Information System Activity Review

Information system activity review is the final implementation specification of the Security Management Process. To comply with this requirement, covered entities must 'implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports'. The objective of this review is to help covered entities identify when there is a misuse or inappropriate disclosure of ePHI. A formal policy that establishes regular review of information system activity helps make covered entities more timely and effective at stopping data leakage. The procedure should state what is reviewed, how often, by whom, and what happens when something looks wrong. A common starting point is to look for record access by staff with no treatment relationship to the patient, after-hours access by non-clinical roles, and unusually large volumes of record lookups by one user.
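To make the review concrete, here is an added example (it is not from this ebook and not SecurityMetrics code) of what a first-pass automated review of EHR access logs can look like in Python. The log format, user names, roles, care-team roster, business hours, and thresholds are all constructed for illustration; a real review would pull the roster from scheduling or admission data and the log from the EHR's audit export. Everything it flags still needs a human to decide whether the access was appropriate.

```python
"""Added example: a minimal information-system activity review over EHR
access-log records. Not from the ebook; all names, roles, rosters and
thresholds below are constructed for illustration.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: who is assigned to which patient (treatment relationship).
CARE_TEAM = {
    "P1001": {"dr.ahmed", "rn.lopez"},
    "P1002": {"dr.ahmed"},
    "P1003": {"dr.chen", "rn.lopez"},
}

# Roles allowed to open any chart in an emergency ("break glass"); such access
# is not blocked, but it is always flagged for secondary review.
BREAK_GLASS_ROLES = {"emergency"}

# Roles that should not be in charts outside business hours (assumed).
NON_CLINICAL_ROLES = {"billing", "reception"}

BUSINESS_HOURS = (7, 19)   # 07:00 to 19:00, assumed
BULK_THRESHOLD = 3         # distinct patients per user per hour, assumed

# Constructed sample log, CSV: timestamp,user,role,patient_id,action
SAMPLE_LOG = """timestamp,user,role,patient_id,action
2013-10-01T09:12:00,dr.ahmed,physician,P1001,view_chart
2013-10-01T09:15:00,rn.lopez,nurse,P1003,view_chart
2013-10-01T23:40:00,billing.kim,billing,P1002,view_chart
2013-10-01T10:01:00,dr.chen,physician,P1001,view_chart
2013-10-01T10:02:00,frontdesk.ray,reception,P1001,view_chart
2013-10-01T10:02:30,frontdesk.ray,reception,P1002,view_chart
2013-10-01T10:03:00,frontdesk.ray,reception,P1003,view_chart
2013-10-01T11:00:00,er.singh,emergency,P1003,view_chart
"""


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime for the timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_activity(rows):
    """Return a list of (finding_type, user, detail, when) tuples."""
    findings = []
    per_user_hour = defaultdict(set)   # (user, hour) -> distinct patient ids
    for r in rows:
        user, role, pid, ts = r["user"], r["role"], r["patient_id"], r["timestamp"]
        when = ts.isoformat()
        on_care_team = user in CARE_TEAM.get(pid, set())
        # 1. Chart opened by someone not on the patient's care team
        #    (minimum necessary). Break-glass roles are flagged separately.
        if not on_care_team:
            kind = "break_glass_used" if role in BREAK_GLASS_ROLES else "no_treatment_relationship"
            findings.append((kind, user, pid, when))
        # 2. Non-clinical role in a chart outside business hours.
        if role in NON_CLINICAL_ROLES and not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours_nonclinical", user, pid, when))
        # 3. Accumulate distinct patients per user per hour for bulk detection.
        per_user_hour[(user, ts.strftime("%Y-%m-%dT%H"))].add(pid)
    for (user, hour), pids in per_user_hour.items():
        if len(pids) >= BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(pids)} patients", hour))
    return findings


def summarize(findings):
    """Counts per finding type, for the written review record."""
    return dict(Counter(f[0] for f in findings))


if __name__ == "__main__":
    found = review_activity(parse_log(SAMPLE_LOG))
    for f in found:
        print(*f)
    print(summarize(found))
```

Keep the roster and thresholds under change control and record who reviewed each run and what was done about each finding; the review itself is part of the documentation an auditor will ask for.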

Criminal use of data isn't a prerequisite for HIPAA-related fines. A breach simply refers to unauthorized access or inappropriate disclosure of PHI.

Assigned Security Responsibility

Assigned security responsibility is the second Administrative Safeguards standard, and the requirement here is really quite basic. One individual at your organization must be assigned responsibility for assuring compliance with the Security Rule. While many people may have certain security responsibilities, one person at each covered entity must be responsible for overall organizational compliance.

Workforce Security

The workforce security standard basically requires covered entities to ensure appropriate access to ePHI for employees that need it, and prevent access to ePHI for employees that don't. Appropriate access means that staff members are only granted as much access to ePHI as required to complete their jobs. This means covered entities must identify when, why, and how much ePHI is needed for each employee or job function.

The implementation specifications for the workforce security standard involve policies and procedures that address authorization and supervision of employee ePHI access, clearances for ePHI access, and termination procedures for discontinuing ePHI access.

Information Access Management

The information access management standard is another control intended to restrict ePHI access to only authorized individuals. If you're having a moment of déjà vu it's because this standard is closely related to the implementation specifications of workforce security, but information access management focuses on how access to ePHI is authorized, established, and modified: who approves a new user's access, how that access is changed when their role changes, and (for organizations that are also clearinghouses) how clearinghouse functions are isolated from the rest of the business.

This standard emphasizes that 'minimum necessary' information is provided only to authorized parties. For instance, a receptionist or office manager likely does not need to see patient diagnoses or prescriptions. This type of information should only be accessible by the individual with an entity-approved need to access it.

Implementation of this standard will help covered entities minimize the risk of inappropriate disclosure, alteration, and destruction of ePHI.

Security Awareness and Training

The Administrative Safeguards are only effective when understood and followed by a covered entity's workforce. The security awareness and training standard requires security training for new employees and periodic training for existing staff. As the Security Rule relates to ePHI, the implementation specifications of this standard focus on technological topics like security reminders, protection from malicious software, log-in monitoring, and password management.

Security Incident Procedures

The Security Rule defines a security incident as 'the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.' The security incident standard requires covered entities to define procedures to identify security incidents and create (and document!) a process for response and reporting of security incidents. Note that the definition includes attempted access, so a procedure that only kicks in after a confirmed breach is incomplete.

Contingency Plan

It's possible that an emergency event like a fire, natural disaster, system failure, or other random occurrence may cause damage to systems used to store or access ePHI. The contingency plan standard requires covered entities to put in place policies and procedures that facilitate data recovery and restore access to ePHI.

HIPAA Rules of the Road: Why staff training is critical to PHI security

Let's take a brief look at the five implementation specifications for this standard:

• Data backup plan: Create and maintain retrievable exact copies of ePHI

• Disaster recovery plan: Have a plan to restore any lost data

• Emergency mode operation plan: Establish procedures that allow you to protect ePHI while operating in emergency mode

• Testing and revision procedures: Test your contingency plans before there is an emergency (a backup you have never restored from is an assumption, not a control)

• Application and data criticality analysis: Identify software applications used to store, maintain, and transmit ePHI and prioritize applications for data backup and restoration processes

Evaluation

A security plan that provides adequate ePHI protection today may not be sufficient six months from now, so it's important to implement an ongoing monitoring and evaluation plan. The HHS requires covered entities to 'periodically' evaluate security strategies to ensure appropriate ePHI protection. The HHS does not define how often these evaluations must take place, but common practice calls for at least an annual review of your plan's technical and non-technical security controls.

Business Associate Contracts and Other Arrangements

Business associate partnerships help your organization to be more efficient and effective with your limited resources. Unfortunately, they also require sharing your patients' ePHI with organizations that may not take data security as seriously as you do. The main objective of this standard is to allow covered entities the ability to achieve efficiencies through business associate partnerships while maintaining a concerted effort to protect ePHI.

The lone implementation specification of this standard requires covered entities to document that BAs appropriately safeguard ePHI, commonly in the form of a written contract. Many covered entities have existing business associate agreements in place to satisfy a similar Privacy Rule standard. However, these contracts will now need to address ePHI security and must be revised to reflect these changes.

Chapter 03: Physical Safeguards

The Physical Safeguards are defined as: 'physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.'

While the administrative safeguards protect ePHI during the day-to-day activities within a healthcare organization, the physical safeguards add protection by restricting physical access to computers, buildings, and other equipment that contains or houses ePHI.

Notable HIPAA Penalty: Cignet Health, 2011, $4.3 million

Following up on 41 individual complaints of denying patients access to their medical records, OCR launched an investigation. After a year of refusing to cooperate with the OCR, Cignet was ordered by the U.S. District Court to produce the medical records. OCR ultimately found Cignet in willful neglect of the Privacy Rule and imposed a $4.3 million civil money penalty, the first such penalty under HIPAA.

Facility Access Controls

This standard is the first of four that make up the Physical Safeguards, and requires covered entities to restrict physical access to systems and facilities to authorized individuals.

Think of this standard like ticket ushers at a baseball game: they not only restrict who can get into the stadium, but also regulate what sections you can access once you get inside.

Here is a quick overview of the four implementation specifications that make up the facility access controls standard:

• Contingency operations: Establish security procedures that allow facility access to restore lost data in the event of an emergency

• Facility security plan: Create policies and procedures to protect the facility and equipment from unauthorized access, tampering, and theft

• Access control and validation procedures: Implement procedures to validate a person's identity and control their physical access to facilities and equipment based on their role or function, including visitor control and control of access to software programs for testing and revision

• Maintenance records: Document any repairs or modifications that affect the physical security of the facility (e.g. new door locks, surveillance cameras)

Workstation Use

This standard requires covered entities to implement policies and procedures to ensure proper use of computing devices by employees. These policies and procedures should document required workstation functions, such as regular updates to antivirus software, automatic logging off after an extended period of inactivity, and Internet restrictions.

Keep in mind that workstations are frequently used off-site, so be sure to create policies and procedures that address risks related to the physical surroundings of the workstation.

For example, in a crowded coffee shop, many people may be able to view sensitive data on your computer.

Workstation Security

While the previous standard defines how workstation users should protect computing devices, the workstation security standard focuses on physically protecting these devices from unauthorized users. Covered entities are required to 'implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.'

Every covered entity has a unique purpose and use for workstations, so ultimately it's up to you to determine the best safeguards to protect your organization's workstations. Your risk analysis will help you determine the best course of action to minimize risk of unauthorized access.

Remember: Workstation requirements apply to all computers, laptops, tablets, or other computing devices used to store, access, or transmit ePHI.

Maintain Your HIPAA Health: Why now is the time to focus on HIPAA compliance

Device and Media Controls

This standard requires covered entities to establish policies and procedures that regulate the receipt and removal of hardware and electronic media used to store ePHI. This includes built-in digital storage (hard drives), as well as removable storage like memory cards, optical disks, external hard drives, and USB flash drives.

There are four implementation specifications of the device and media controls standard, which address the following activities:

• Disposal: Ensure ePHI is unrecoverable before a device leaves your control, by degaussing magnetic storage, incinerating the device, or physically damaging it beyond repair. Degaussing does nothing to flash media (SSDs, USB drives, memory cards); those need physical destruction or a verified cryptographic erase.

• Accountability: Maintain a record of electronic media movements to and from locations and the individuals responsible for hardware and media (chain of custody)

• Data backup and storage: Create an exact, retrievable copy of ePHI before equipment is moved (similar to the data backup plan implementation specification)

• Media re-use: Ensure ePHI is permanently removed from a storage device before it is reissued for appropriate internal or external use. Deleting files or reformatting leaves the data recoverable, so overwrite or cryptographically erase the device instead.

Chapter 04: Technical Safeguards

The Technical Safeguards are defined as: 'the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.'

As we mentioned earlier, covered entities come in an abundance of shapes, sizes, and complexities, making uniform implementation requirements impractical and ineffective. To address this issue, the HHS designed the Security Rule to be flexible, scalable, and technology-neutral, allowing you to implement security solutions that are reasonable and effective.

The technical safeguards are an extension of this principle, and covered entities must determine the security controls and technologies that are appropriate for their organization.

Access Control

The Security Rule helps covered entities provide more effective healthcare by making medical information more accessible while keeping data secure. Access controls make this possible.

Access controls are the technical permissions, in the EHR, the operating system, and the network, that grant users access to certain sets of electronic data. Once again, it's important to restrict employee access to only the data needed to perform their job role. The access control standard is made up of the following implementation specifications:

• Unique user identification (required): Assign each user a unique name or number for identification and tracking. Shared logins defeat the activity review described earlier, because the audit log can no longer say who did what.

• Emergency access procedure (required): Establish procedures that allow your organization access to ePHI in the event of an emergency

• Automatic logoff (addressable): Implement controls that end a session after a period of inactivity

• Encryption and decryption (addressable): Implement technology that protects ePHI through encryption and decryption

How encryption works:

1. Data is entered into the computer

2. Before the data is stored or transmitted, it is transformed into unreadable ciphertext

3. Only with the matching key does the data become readable once again

Audit Controls

The audit controls standard requires covered entities to 'implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.' The reports generated by these audit controls help covered entities evaluate the effectiveness of information system security controls, especially in the event of a data breach. The HHS doesn't specify what data should be collected or how often these reports should be reviewed, so use your risk analysis to establish guidelines that make sense for your organization. At a minimum, logs should record who accessed which record, when, from where, and what they did, and should be kept where the users they describe cannot alter them.

Integrity

Protecting ePHI from improper alteration or destruction is another one of the core goals of the Security Rule. The integrity standard requires covered entities to implement controls to prevent unauthorized manipulation of ePHI, both from technical and non-technical sources. Your risk analysis will have identified the vulnerabilities and threats that put the integrity of your ePHI at risk. Now your organization will need to implement electronic controls to reduce these risks to an appropriate level.

Person or Entity Authentication

This is another fairly straightforward standard, which basically requires covered entities to verify a person's identity before allowing access to systems that contain ePHI. Here are a few examples of generally accepted methods of authentication:

• Information known only by the individual: Unique login IDs and password combinations

• Items that the individual possesses: Electronic passcard, keys

• Biometric identifiers: Fingerprint, voice recognition, iris scanning

HHS.gov displays a list of organizations responsible for breaches affecting over 500 individuals, commonly referred to in the compliance industry as the 'Wall of Shame'.

For all remote access to ePHI, common security practice calls for two-factor authentication: a combination of something the user has and something the user knows (e.g. an electronic keycard that requires a matching PIN code, or a one-time code from a token or phone entered alongside the password). Implement authentication controls that are not only practical for the day-to-day operations of your organization, but provide adequate protection against the potential damage of unauthorized system access.

Transmission Security

Transmission security is the final standard of the technical safeguards and addresses the potential risks of unauthorized ePHI access while data is transmitted over a digital communication network. A thorough risk analysis will require covered entities to document all internal and external flows of ePHI. This digital transmission map will help your organization identify points of risk and determine appropriate security controls. The implementation specifications of this standard call for integrity controls that ensure data is not altered during transmission, and for encryption safeguards that render any intercepted data useless. Both specifications are addressable: implement them wherever reasonable and appropriate (in practice, TLS for web and API traffic, and encrypted email or secure file transfer rather than plain email for ePHI), and document the justification and the alternative wherever you decide not to.
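As an added example (not from this ebook and not SecurityMetrics code), here is the integrity-control half of this standard in Python's standard library: the sender attaches an HMAC-SHA256 tag to each record and the receiver recomputes and compares it, so any alteration in transit, or a message forged without the key, is rejected. The shared key, the sample record, and the tampering are constructed for illustration. This provides integrity only; keeping the same traffic confidential is the encryption specification's job, and in practice both are normally obtained together from TLS rather than built by hand.

```python
"""Added example: an HMAC-based integrity control for ePHI in transit.
Not from the ebook; key, record and tampering below are constructed.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional


def make_envelope(key: bytes, record: dict) -> dict:
    """Serialize the record canonically and attach an HMAC-SHA256 tag.

    Canonical (sorted-key, no-whitespace) JSON matters: the receiver must be
    able to reproduce the exact bytes that were tagged.
    """
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify_envelope(key: bytes, envelope: dict) -> Optional[dict]:
    """Return the record if the tag checks out, None if it was altered or forged."""
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so a tag check does not leak via timing.
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    return json.loads(envelope["body"])


def demo():
    """Send a claim record, then show what happens when it is tampered with."""
    key = secrets.token_bytes(32)  # assumed to be shared out of band
    record = {"patient_id": "P1001", "dx": "J45.909", "amount_due": 120.00}
    envelope = make_envelope(key, record)

    accepted = verify_envelope(key, envelope)

    # An attacker on the path changes the amount but cannot recompute the tag.
    tampered = dict(envelope)
    tampered["body"] = envelope["body"].replace("120.0", "1200.0")
    rejected_tamper = verify_envelope(key, tampered)

    # A receiver with a different key rejects even an unmodified message.
    rejected_wrong_key = verify_envelope(secrets.token_bytes(32), envelope)
    return accepted, rejected_tamper, rejected_wrong_key


if __name__ == "__main__":
    ok, bad, wrong = demo()
    print("accepted:", ok)
    print("tampered accepted?", bad is not None)
    print("wrong key accepted?", wrong is not None)
```

A per-message sequence number or timestamp inside the tagged body is the usual addition, so that a valid old message cannot simply be replayed.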

57% of all breached records involve a business associate.

Chapter 05: Summary

Whew! That's a lot of information to soak in. With the HIPAA Security Rule, HHS has provided a way for healthcare organizations to take advantage of the many benefits of ePHI while maintaining a commitment to protect and secure the medical records of people in communities nationwide.

This ebook is meant to provide a basic understanding of the purpose and requirements of the Security Rule. However, accurate and complete compliance with the HIPAA mandate will require a thorough analysis of your organization's policies, practices, and technology. If you are like many healthcare organizations, you probably lack the time, personnel, and technical expertise to complete this process yourself.

SecurityMetrics offers affordable HIPAA compliance solutions for healthcare organizations of all sizes and complexity. Our compliance experts provide a guided pathway to compliance that won't overwhelm you or leave you doubting whether your organization has accurately complied with the HIPAA standard.

Reduce risk, protect your organization, secure patient data, and do it right the first time with SecurityMetrics, your partner in HIPAA compliance and data security.


HIPAA compliance can be a complicated and time consuming project. SecurityMetrics HIPAA services help you tackle compliance with simple steps at your own pace.

Contact us for a free HIPAA compliance consultation.

801.995.6801 | [email protected]

Appendix

Terms and Definitions

BA (Business Associate) - A person or entity that performs functions or provides services to or for a covered entity that involve the use or disclosure of protected health information.

Breach - An impermissible use or disclosure of protected health information. Under the Final Omnibus Rule such a use or disclosure is presumed to be a breach unless the organization can show, through a documented risk assessment, a low probability that the PHI has been compromised.

CE (Covered Entity) - A health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic form in connection with a HIPAA-covered transaction.

ePHI (Electronic Protected Health Information) - PHI that is created, received, maintained, or transmitted in electronic form.

Final Omnibus Rule - The 2013 rule that implements the HITECH Act's changes to HIPAA and (among other things) expands patient rights, makes business associates directly liable for compliance, and increases penalties for violations.

HHS (U.S. Department of Health and Human Services) - The government agency in charge of protecting the health of Americans and providing essential human services.

HIPAA (Health Insurance Portability and Accountability Act) - The collection of standards and requirements for health information created to improve the efficiency of the health care system and protect patient privacy.

HIPAA Audit - An analysis used to evaluate an organization's security controls and identify the steps needed to achieve HIPAA compliance.

HIPAA Violation - Failure to appropriately implement one or more HIPAA standards, requirements, or implementation specifications.

HITECH Act (Health Information Technology for Economic and Clinical Health) - 2009 legislation that, among other things, establishes a tiered schedule of fines to enforce HIPAA compliance and requires business associates to meet the same HIPAA requirements as covered entities.

OCR (Office for Civil Rights) - The group within HHS responsible for, among other things, enforcing the HIPAA Privacy, Security, and Breach Notification Rules.

PHI (Protected Health Information) - Individually identifiable health information held or transmitted by a covered entity or business associate, including identifiers such as name, contact information, and Social Security number.

Risk - The likelihood that a threat will trigger or exploit a vulnerability, and the resulting impact on the organization.

Threat - The potential for a person, event, or action to exploit a specific vulnerability.

Vulnerability - A flaw or weakness in procedure, design, implementation, or a security control that could result in a security breach.

Security Standards Overview (R = Required, A = Addressable)

ADMINISTRATIVE SAFEGUARDS
Standard | Section | Implementation Specifications
Security Management Process | 164.308(a)(1) | Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
Assigned Security Responsibility | 164.308(a)(2) | (R)
Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)
Information Access Management | 164.308(a)(4) | Isolating Health Care Clearinghouse Functions (R); Access Authorization (A); Access Establishment and Modification (A)
Security Awareness and Training | 164.308(a)(5) | Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R)
Contingency Plan | 164.308(a)(7) | Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedures (A); Applications and Data Criticality Analysis (A)
Evaluation | 164.308(a)(8) | (R)
Business Associate Contracts and Other Arrangements | 164.308(b)(1) | Written Contract or Other Arrangement (R)

PHYSICAL SAFEGUARDS
Standard | Section | Implementation Specifications
Facility Access Controls | 164.310(a)(1) | Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
Workstation Use | 164.310(b) | (R)
Workstation Security | 164.310(c) | (R)
Device and Media Controls | 164.310(d)(1) | Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)

TECHNICAL SAFEGUARDS
Standard | Section | Implementation Specifications
Access Control | 164.312(a)(1) | Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
Audit Controls | 164.312(b) | (R)
Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information (A)
Person or Entity Authentication | 164.312(d) | (R)
Transmission Security | 164.312(e)(1) | Integrity Controls (A); Encryption (A)

Additional Resources

Diagnosing HIPAA Compliance (infographic): https://securitymetrics.com/static/docs/pub/infographics/HIPAAcompliance.pdf

An Introduction to HIPAA Compliance (PDF): https://securitymetrics.com/static/docs/pub/intro_to_hipaa.pdf

What Office Managers Need To Know To Survive HIPAA Compliance (webinar): http://www.youtube.com/watch?v=2mZl9F0_Wck

ePHI Mobile Security Best Practices (article): http://www.hitechanswers.net/ephi-mobile-security-best-practices/

The HIPAA Security Rule: Yes, It's Your Problem (presentation): http://www.slideshare.net/SecurityMetrics/the-hipaa-security-rule-yes-its-your-problem