Saturday, May 28, 2011

HIPAA compliance

Recently I have been reading a lot of HIPAA privacy/security related technical documents. HIPAA stands for Health Insurance Portability and Accountability Act and aims to protect the Protected Healthcare Information (PHI) of US residents. These PHI records are held by insurers, health care clearinghouses (e.g. billing services, health care information systems), health care providers, pharmacies, and so on. These organizations are called "covered entities"; in other words, covered entities hold your sensitive PHI records. While HIPAA has many rules and regulations, I am particularly interested in the HIPAA privacy and security specifications.

Before we go into "how", we first need to understand "what". Specifically,

What is PHI?
What is HIPAA privacy rule?
What is HIPAA security rule?
What does it mean to be HIPAA compliant (only the technical part)?

PHI is any health care related information (health status, medication, payments, etc.) that is held by a covered entity and that can be linked to an individual.

The HIPAA privacy rules consist of a set of regulations that control the use and disclosure of PHI records held by covered entities. For example, upon request, covered entities should disclose PHI to the individual it concerns. Another example: covered entities should inform individuals of the uses of their PHI records. Recently I had to take an x-ray; the x-ray was transferred electronically between two hospitals (from the one where I took it to another hospital where I consulted a doctor). During that process I didn't get to see my x-ray, nor was I aware that it had been transferred to the second hospital until the doctor I consulted told me he had had a look at it. To me this is a violation of the HIPAA privacy rules, as I was not informed beforehand by the first hospital about the use of my x-ray (i.e. a PHI record).

The HIPAA security rules specify a set of security standards, each with either required or addressable implementation specifications. They are primarily concerned with electronic PHI (ePHI) records. For example, implementing auditing is required, whereas implementing integrity controls is addressable. When a safeguard is "required", it must be implemented as specified by the HIPAA security rules; when a safeguard is "addressable", the covered entity has the flexibility to implement the safeguard as it deems appropriate. Note that it is difficult to quantify how much security is needed to implement an addressable security rule. Further, it is questionable how one can verify whether the implementation of an addressable security safeguard complies with the HIPAA rules.

HIPAA security rules are divided into three categories:
1. Administrative safeguards
2. Physical safeguards
3. Technical safeguards


We will focus only on the technical safeguards. In order to be technically HIPAA security compliant, a covered entity should implement all the required safeguards as specified and all the addressable safeguards as deemed appropriate.

Required safeguards:
- Access control
  - Unique user identification
  - Emergency access procedures
- Audit control
- Person/Entity authentication

Addressable safeguards:
- Access control
  - Automatic logoff
  - Encryption/decryption
- Integrity (incorrect modifications by authorized users)
- Transmission security
  - Integrity controls (unauthorized modifications)
  - Encryption

So, according to the above safeguards, do we need to encrypt PHI in a closed system, where it does not travel over an open network? In theory, HIPAA does not require it. But what about preventing unauthorized access to PHI? Even in a closed system there are individuals who should not see PHI records; for example, a database administrator should not be able to read the PHI stored. Therefore it is prudent to keep PHI records in encrypted form even in the database (data at rest). Note that data in motion over open networks must always be encrypted, to prevent unauthorized access to the PHI records by eavesdroppers.
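The point above, that a database administrator should see only ciphertext, is usually achieved by encrypting each sensitive field in the application before it is written to the database, with the key held outside the database (in the application or a key manager). The following is an added example written for this post, not code from the original; the `PHIVault` type, the `patientTable` map standing in for a database table, and the sample patient values are all constructed here. It uses AES-GCM from the Go standard library and binds each ciphertext to its record ID as associated data, so that a ciphertext copied from one patient's row into another's row fails to decrypt rather than silently returning the wrong patient's data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// PHIVault encrypts individual PHI fields before they reach the database.
// The key stays with the application; the database only ever stores
// ciphertext, so a DBA reading rows directly sees nothing useful.
// (Hypothetical type written for this example.)
type PHIVault struct {
	aead cipher.AEAD
}

// NewPHIVault builds a vault around an AES-GCM key (16, 24 or 32 bytes).
func NewPHIVault(key []byte) (*PHIVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &PHIVault{aead: aead}, nil
}

// Seal encrypts one field value. recordID is passed as associated data, so
// the ciphertext is authenticated together with the row it belongs to.
// Output is base64(nonce || ciphertext || tag), suitable for a text column.
func (v *PHIVault) Seal(recordID, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per value
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts a stored value; it fails if the value was altered or if it
// was moved to a different record than the one it was sealed for.
func (v *PHIVault) Open(recordID, stored string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	n := v.aead.NonceSize()
	if len(ct) < n {
		return "", errors.New("stored value too short to contain a nonce")
	}
	pt, err := v.aead.Open(nil, ct[:n], ct[n:], []byte(recordID))
	if err != nil {
		return "", err // authentication failed: tampered or wrong record
	}
	return string(pt), nil
}

// patientTable stands in for a database table (constructed for the example).
// This is exactly what a DBA with SELECT access would see.
var patientTable = map[string]string{}

func main() {
	key := make([]byte, 32) // in practice: loaded from a key manager, never from the DB
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	vault, err := NewPHIVault(key)
	if err != nil {
		panic(err)
	}

	// Application writes a diagnosis for a constructed sample patient.
	stored, _ := vault.Seal("patient-1001", "diagnosis: hypertension")
	patientTable["patient-1001"] = stored
	fmt.Println("DBA view of the row:", patientTable["patient-1001"])

	// Authorized application path decrypts it again.
	pt, _ := vault.Open("patient-1001", patientTable["patient-1001"])
	fmt.Println("Application view:   ", pt)

	// Copying the ciphertext into another patient's row is detected.
	if _, err := vault.Open("patient-2002", patientTable["patient-1001"]); err != nil {
		fmt.Println("Moved ciphertext rejected:", err)
	}
}
```

Field-level encryption like this protects against someone who can read the database but not the application's key; it does not, by itself, protect against an attacker who controls the application, and it leaves the record IDs and column names visible, so the risk analysis still has to decide which fields are sensitive enough to warrant it.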

Having audit controls in place is a required specification of the technical safeguards. However, the HIPAA rules do not specify what should be audited or how often. These are important decisions a covered entity should make based on its risk analysis.
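Whatever a covered entity decides to audit, the log is only useful in a review if it answers "who accessed which record, when" and if the reviewer can tell whether entries were altered or dropped after the fact. The following is an added example written for this post, not code from the original; the `AuditLog` type, the entry fields, and the sample user and record IDs are constructed here. Each entry carries an HMAC over its fields plus the previous entry's HMAC, so editing or removing an entry breaks the chain at that point, and `Verify` reports where.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// AuditEntry records one access to an ePHI record. (Hypothetical type
// written for this example.)
type AuditEntry struct {
	Time     string // RFC 3339, UTC
	UserID   string
	RecordID string
	Action   string // e.g. "read", "update", "export"
	PrevMAC  string // MAC of the previous entry: the chain link
	MAC      string // HMAC-SHA256 over all fields above
}

// AuditLog is an append-only, tamper-evident list of entries. The MAC key
// must be held by the audit system, not by the users being audited.
type AuditLog struct {
	key     []byte
	entries []AuditEntry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// mac computes the HMAC over an entry's fields, joined with a separator
// byte so adjacent fields cannot be re-split into a different entry.
func (l *AuditLog) mac(e AuditEntry) string {
	m := hmac.New(sha256.New, l.key)
	m.Write([]byte(strings.Join([]string{e.Time, e.UserID, e.RecordID, e.Action, e.PrevMAC}, "\x1f")))
	return hex.EncodeToString(m.Sum(nil))
}

// Append records an access, chaining it to the entry before it.
func (l *AuditLog) Append(ts time.Time, userID, recordID, action string) {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].MAC
	}
	e := AuditEntry{
		Time:     ts.UTC().Format(time.RFC3339),
		UserID:   userID,
		RecordID: recordID,
		Action:   action,
		PrevMAC:  prev,
	}
	e.MAC = l.mac(e)
	l.entries = append(l.entries, e)
}

// Verify walks the chain and returns the index of the first entry whose
// MAC or link is wrong, or -1 if the whole log is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.entries {
		if e.PrevMAC != prev || !hmac.Equal([]byte(e.MAC), []byte(l.mac(e))) {
			return i
		}
		prev = e.MAC
	}
	return -1
}

// AccessesBy answers the typical review question: which records did this
// user touch, and how?
func (l *AuditLog) AccessesBy(userID string) []string {
	var out []string
	for _, e := range l.entries {
		if e.UserID == userID {
			out = append(out, e.Action+" "+e.RecordID+" at "+e.Time)
		}
	}
	return out
}

func main() {
	log := NewAuditLog([]byte("constructed-demo-key-replace-me")) // sample key for the example
	t0 := time.Date(2011, 5, 28, 9, 0, 0, 0, time.UTC)
	log.Append(t0, "nurse-17", "patient-1001", "read")
	log.Append(t0.Add(2*time.Minute), "dba-03", "patient-1001", "export")
	log.Append(t0.Add(5*time.Minute), "nurse-17", "patient-2002", "update")

	fmt.Println("intact log, first bad index:", log.Verify())
	fmt.Println("accesses by dba-03:", log.AccessesBy("dba-03"))

	// Someone with write access to the log tries to hide the export.
	log.entries[1].UserID = "nurse-17"
	fmt.Println("after edit, first bad index:", log.Verify())
}
```

The chain detects edits and deletions in the middle of the log, but not truncation of the newest entries; a real deployment would periodically anchor the latest MAC somewhere the log writer cannot modify (a separate system, or a signed daily digest) to close that gap.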

Main References:
http://www.hipaaacademy.net/consulting/hipaaSecurityRuleOverview.html
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

4 comments:

Unknown said...

This is excellent information. It is amazing and wonderful to visit your blog. So, please keep posting. Altaro Backup

Supremus Group LLC said...
This comment has been removed by the author.
Supremus Group LLC said...

Useful information, thank you for sharing the post; it was helpful for me.
HIPAA Privacy Policy
HIPAA Risk Analysis
HIPAA Privacy Training

Cyber Security Solutions said...

Thank you for sharing an informative blog regarding HIPAA compliance. Every healthcare organization should opt for it and have clear knowledge about cyber security.