Contributed by Lee Kim, Esquire
lkim@tuckerlaw.com, 412.594.3915
The mention of the HIPAA security rules often provokes an irrational fear in people who are not so technically inclined, but there is a difference between knowing the legal compliance requirements and being an information technology specialist. Here is a simple summary of your security obligations and otherwise recommended practices under the HIPAA security rule. Please note: the HIPAA security rules apply to both covered entities and business associates. Covered entities are obligated to follow the HIPAA security rules and business associates will be obligated to follow them as of February 17, 2010.
In order to have an effective HIPAA security compliance program, the following technical safeguards must be implemented under the current HIPAA Security Rules by both covered entities and business associates:
1) Access control under 45 C.F.R. §312(a).
Policies and procedures must be implemented for information systems that maintain ePHI to ensure that only those persons or software programs that have been granted access rights.
In particular, a unique user identification must be assigned to each user for the purpose of identifying and tracking that user.
Policies and procedures must also be established and implemented as needed for obtaining necessary ePHI during an emergency (e.g., natural or manmade disaster). Key considerations include what situations would require emergency access to ePHI and which people would require emergency access to ePHI in an emergency situation.
* Automatic logoff after a period of inactivity and encryption/decryption of ePHI may be addressed and implemented to ensure access control.
2) Audits on access to electronic protected health information (“ePHI”) under 45 C.F.R. §312(b).
Hardware, software, and/or procedural mechanisms must be implemented which record and examine information systems activity that contain or use ePHI especially in relation to a security incident. The audits may be manual or automated and may involve the use of reports.
The purpose of this measure is to ensure that authorized individuals or entities are accessing the ePHI.
3) Person/entity authentication under 45 C.F.R. §312(d).
Policies and procedures must be implemented for information systems that maintain ePHI to allow access only to persons or entities that are authorized to do so. In other words, authorized users must confirm that they are who they claim to be.
Authentication may be accomplished many ways including by way of information which only the authorized user knows (e.g., a password or PIN), something which only the authorized user possesses (e.g., a smart card, digital signature, token, or a key), or a biometric pattern which is unique to that individual (e.g., a fingerprint, iris pattern, voice pattern, etc.).
4) Integrity of ePHI under 45 C.F.R. §312(c)(1).*
If deemed appropriate, measures must be implemented to protect ePHI from unauthorized alteration or destruction. ePHI may be altered or destroyed intentionally or unintentionally, whether by way of technical or non-technical means.
Regardless of the reason for unauthorized alteration or destruction of ePHI, measures may be implemented to protect the integrity of ePHI. For example, check sum verifications may be done to ensure that the ePHI has not been altered or destroyed in an unauthorized manner. Similarly, ePHI may be digitally signed to ensure that ePHI has not been altered or destroyed in an unauthorized manner.
5) Secure transmission of ePHI under 45 C.F.R. §312(e).*
If deemed appropriate, ePHI must be encrypted to guard against improper modification of ePHI that is being transmitted over an electronic communications network. Key considerations include whether encryption is needed to protect the ePHI during transmission.
* The entity should assess whether the technical safeguard is reasonable and appropriate in the operating environment and whether it is likely to contribute to protecting the entity’s ePHI. If the safeguard is reasonable and appropriate, then it should be implemented. If not, the entity should document why it would not be reasonable and appropriate and implement an equivalent alternative measure, if deemed to be reasonable and appropriate.