Technical Safeguards of the Security Rule
The HIPAA Security Rule requires three kinds of safeguards that organizations must implement: administrative, physical and technical safeguards. In this final part of our detailed look at the safeguards, we will be breaking down Technical Safeguards.
Technical Safeguards are defined by HHS as “the technology and the policy and procedures for its use that protect electronic protected health information (ePHI) and control access to it.” This can often be the most challenging regulation to understand and implement. Just as we have seen in the past with other HIPAA requirements, the specific technical safeguards are “addressable” within HIPAA.
Essentially, this means that healthcare organizations must adopt these security measures and apply them in a way that is reasonable and appropriate for their specific technologies and organizational circumstances. It is important to remember that addressable safeguards are not optional; each organization decides how to implement them. In the lists below, (R) marks a required implementation specification and (A) an addressable one.
Access Control
- Unique User Identification (R): User identification is a way to identify a specific user of an information system, typically by name and/or number. This allows an entity to track specific user activity when that user is logged into an information system. Other organizations may also choose an alternative such as assignment of a set of random numbers and characters.
- Emergency Access Procedure (R): Establish procedures for obtaining necessary electronic protected health information during an emergency. Procedures must be established beforehand to instruct employees on possible ways to gain access to needed EPHI in, for example, a situation in which normal environmental systems, such as electrical power, have been severely damaged or rendered inoperative due to a natural or man-made disaster.
- Automatic Logoff (A): As a general practice, users should log off the system they are working on whenever their workstation is unattended. Because that cannot be relied on, the best practice is to configure workstations to log the user off automatically after a few minutes of inactivity.
- Encryption and Decryption (A): Implement a mechanism to encrypt and decrypt electronic protected health information in order to protect PHI and PII. Encryption ensures that not just anyone who obtains the data can read it; only authorized parties, based on their roles and their need to provide a service, can access it.
Audit Controls (R)
The Audit Controls standard requires a covered entity to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Luckily, most information systems provide some level of audit controls with a reporting tool. The controls are used for recording and examining information system activity, especially when determining if a security violation occurred. A covered entity must consider its risk analysis and organizational factors, such as current technical infrastructure, hardware and software security capabilities, to determine reasonable and appropriate audit controls for information systems that contain or use EPHI.
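Audit controls only help if someone actually examines the recorded activity. The following is an added example (not HHS guidance or any vendor's product) of a small review script run over constructed audit records: it parses newline-delimited JSON events and flags users who viewed an unusual number of distinct patient records, accumulated repeated failed actions, or worked outside business hours. The log field names, the business-hours window and the thresholds are assumptions chosen for illustration; a real review would take them from the entity's risk analysis.

```python
"""
Minimal audit-control review for an ePHI system (added example, not part of the
HHS text). Log format, field names and thresholds are assumptions for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records, one JSON object per line, as a clinical
# application might write them. Field names are assumed.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-03-04T09:12:03", "user": "nurse.a", "action": "view", "record": "P-1001", "outcome": "success"}
{"ts": "2024-03-04T09:13:40", "user": "nurse.a", "action": "view", "record": "P-1002", "outcome": "success"}
{"ts": "2024-03-04T22:41:10", "user": "clerk.b", "action": "view", "record": "P-2001", "outcome": "success"}
{"ts": "2024-03-04T22:41:15", "user": "clerk.b", "action": "view", "record": "P-2002", "outcome": "success"}
{"ts": "2024-03-04T22:41:19", "user": "clerk.b", "action": "view", "record": "P-2003", "outcome": "success"}
{"ts": "2024-03-04T22:41:23", "user": "clerk.b", "action": "view", "record": "P-2004", "outcome": "success"}
{"ts": "2024-03-04T10:05:00", "user": "dr.c", "action": "update", "record": "P-1001", "outcome": "failure"}
{"ts": "2024-03-04T10:05:04", "user": "dr.c", "action": "update", "record": "P-1001", "outcome": "failure"}
{"ts": "2024-03-04T10:05:09", "user": "dr.c", "action": "update", "record": "P-1001", "outcome": "failure"}
"""

BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59, an assumed policy
MAX_DISTINCT_RECORDS = 3        # assumed threshold per user per day
MAX_FAILURES = 3                # assumed threshold per user per day


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def review_audit_log(events):
    """Return (rule, user) findings that deserve a reviewer's attention."""
    findings = []
    distinct_records = defaultdict(set)   # (user, day) -> records viewed
    failures = defaultdict(int)           # (user, day) -> failed actions
    after_hours_users = set()
    for event in events:
        key = (event["user"], event["ts"].date())
        if event["outcome"] == "success":
            distinct_records[key].add(event["record"])
        else:
            failures[key] += 1
        if event["ts"].hour not in BUSINESS_HOURS:
            after_hours_users.add(event["user"])
    for (user, _day), records in distinct_records.items():
        if len(records) > MAX_DISTINCT_RECORDS:
            findings.append(("many_records", user))
    for (user, _day), count in failures.items():
        if count >= MAX_FAILURES:
            findings.append(("repeated_failures", user))
    for user in sorted(after_hours_users):
        findings.append(("after_hours", user))
    return findings


if __name__ == "__main__":
    for rule, user in review_audit_log(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{rule}: {user}")
```

Run against the sample, the script flags clerk.b twice (four distinct records, viewed after hours) and dr.c once (three consecutive failed updates); nurse.a, who viewed two records during the day, produces no finding. The point is not the particular thresholds but that the audit trail is examined by a repeatable process whose rules are written down and tied to the risk analysis.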
Integrity
- Mechanism to Authenticate ePHI (A): A covered entity must implement electronic mechanisms to validate that electronic protected health information (ePHI) has not been altered or destroyed in an unauthorized manner. Once covered entities have identified risks to the integrity of their data, they must identify security measures that will reduce those risks. Neglecting to do so would leave the covered entity negligent and exposed to a heavy fine if it is audited or a breach occurs.
Person or Entity Authentication (R)
This requires a covered entity to implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. In other words, a means to validate and affirm that the person asking for their personal information is indeed that person and not someone else. A covered entity may use one or more ways to authenticate a person’s identity.
Transmission Security
- Integrity Controls (A): A covered entity must implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until it is disposed of. (See Physical Safeguards, which cover backups and storage.) A primary method for protecting the integrity of ePHI in transit is the use of network communications protocols; among other things, these protocols verify that the data received is the same as the data sent.
- Encryption (A): Mandating a single industry-wide encryption standard in the Security Rule would likely place a great burden, both financial and technical, on many covered entities. The Security Rule therefore allows covered entities the flexibility to determine when, with whom, and by what method to encrypt. Covered entities should consider encrypting ePHI in transit, particularly over the Internet, and where the risk analysis shows the risk to be significant, a covered entity must encrypt those transmissions under the addressable implementation specification for encryption.
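The Integrity standard above (mechanism to authenticate ePHI) and the transmission integrity controls in this section ask for the same thing at two points in a record's life: a way to detect unauthorized modification, whether the record sat in storage or crossed a network. The following is an added example, not HHS guidance or any vendor's code, showing one common mechanism: a keyed HMAC-SHA256 tag computed over a canonical serialization of the record and checked by the receiver before the data is trusted. The record fields and the demonstration key are constructed; a real deployment would draw the key from a key management system and never embed it in source.

```python
"""
Integrity protection for ePHI at rest and in transit using an HMAC tag (added
example, not HHS or vendor code). Key handling, field names and the sample
record are assumptions for illustration.
"""
import hashlib
import hmac
import json
import secrets

# Constructed demo key. A real deployment obtains this from a key management
# system; it must never live in source code.
DEMO_KEY = bytes.fromhex("0f" * 32)


def canonical(record):
    """Serialize deterministically so sender and receiver tag identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record, key):
    """Attach an HMAC-SHA256 tag to a record before storing or transmitting it."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed, key):
    """True if the tag matches the record content (constant-time comparison)."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def receive(sealed, key):
    """Receiver side: refuse modified data instead of silently accepting it."""
    if not verify(sealed, key):
        raise ValueError("integrity check failed: ePHI was modified or tag is invalid")
    return sealed["record"]


def demo():
    """Seal a constructed record, then show that modification and a wrong key are both caught."""
    record = {"patient_id": "P-1001", "diagnosis": "J06.9", "visit": "2024-03-04"}  # constructed
    sealed = seal(record, DEMO_KEY)
    intact_ok = verify(sealed, DEMO_KEY)
    # Simulate an unauthorized change to the diagnosis while keeping the old tag.
    tampered = {"record": dict(sealed["record"], diagnosis="C34.1"), "tag": sealed["tag"]}
    tamper_detected = not verify(tampered, DEMO_KEY)
    # A party without the shared key cannot produce or validate a tag.
    wrong_key_rejected = not verify(sealed, secrets.token_bytes(32))
    return intact_ok, tamper_detected, wrong_key_rejected


if __name__ == "__main__":
    print(demo())  # expected: (True, True, True)
```

The tag gives integrity and origin assurance only; it does not hide the record's contents. To meet the separate Encryption specification, the sealed message would additionally travel over TLS or be encrypted with an authenticated cipher, which provides both properties in one step. Using `hmac.compare_digest` rather than `==` avoids leaking how many tag bytes matched through timing, and canonical serialization (sorted keys, no whitespace) keeps a reordered but unchanged record from being rejected as tampered.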