HIPAA Security and the Technical Safeguards
December 2003 Issue
In the last article we covered the physical safeguard standards and have technical safeguards and organizational safeguards remaining. In this article we will cover the five technical safeguard standards in detail and how each one will affect your O&P organization.
The standards in this article are more technical in nature and can be implemented by utilizing several different approaches. So if you have someone on staff who maintains your system, keep them handy to talk to them about options. Otherwise you may want to write down some questions to ask your information technology provider.
1. Access Control Standard
The Access Control Standard implements technical policies and procedures for electronic information systems that maintain electronic protected health information (PHI) to allow access only to those persons or software programs that have been granted access rights as specified in the administrative safeguard standards.
Unique User Identification (Required)
Implementation specification: Assign a unique name and/or number for identifying and tracking user identity.
What it means to your organization: Your organization should assign a unique name or number to every staff member who has access via a computer or other electronic device. Based on the assigned name or number, limit and grant access according to the administrative safeguard "information access management" standard. Basically, "who" has access to "what information" and "what can they do with the information" (view, update, add, or delete).
Emergency Access Procedure (Required)
Implementation specification: Establish (and implement as needed) procedures for obtaining necessary electronic PHI during an emergency.
What it means to your organization: In situations when normal environmental systems, including electrical power, have been severely damaged or rendered inoperative due to a natural or manmade disaster, procedures should be established beforehand to provide guidance on possible ways to gain access to needed electronic PHI.
Automatic Logoff (Addressable)
Implementation specification: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
What it means to your organization: Your organization must implement procedures that log a user off after a specific amount of inactivity, or use an equivalent measure, for example, locking the computer with a password-protected screensaver after a specific amount of inactivity.
Encryption and Decryption (Addressable)
Implementation specification: Implement a mechanism to encrypt and decrypt electronic PHI.
What it means to your organization: First note that this standard applies to electronic PHI that is at rest and NOT being transmitted. The use of encryption, as a method of access control, should be based on your organization's risk analysis. Encryption will require new software or updates to your existing system, and I strongly suggest talking to an information technology (IT) firm to help with your implementation.
2. Audit Controls Standard (Required)
Implementation specification: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI.
What it means to your organization: Your organization is required to record uses within your electronic information system. Basically you must provide audit trail capability within your system which means being able to record and retrieve information on "who" did "what" to electronic PHI and "when" within your system.
3. Integrity Standard (Addressable)
Implementation specification: Implement policies, procedures, and mechanisms to protect electronic PHI from improper alteration or destruction.
What it means to your organization: Often your system has integrity already built in that you may not be aware of, such as error-correcting memory and magnetic disc storage which are ubiquitous in hardware and operating systems today. For your organization, you want to make sure that, if data is updated (altered) or deleted, it is done through a process that ensures integrity, such as an audit trail or processes that employ digital signature or check sum technology. Most of your software will employ such integrity standards, and if your organization utilizes such software exclusively to alter or delete electronic PHI, you would meet this standard.
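As an added illustration of the audit controls and integrity standards above (example code, not from the original article or from Provaliant), the following Python module keeps an audit trail of "who" did "what" to which record and "when", and chains each entry to the previous one with an HMAC checksum so that an altered or deleted entry is detected on retrieval. The key, user identifiers and record identifiers are constructed placeholders.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Constructed demo key (assumption). In a real system the key would be held
# outside the log itself, e.g. by the application that owns the audit trail.
LOG_KEY = b"constructed-demo-key-not-for-production"


def _tag(key, prev_tag, entry):
    """Checksum over this entry plus the previous entry's tag (the chain link)."""
    body = json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def append_event(log, user_id, action, record_id, key=LOG_KEY, when=None):
    """Record who (user_id) did what (view/add/update/delete) to which record, and when."""
    entry = {
        "user": user_id,
        "action": action,
        "record": record_id,
        "when": when or datetime.now(timezone.utc).isoformat(),
    }
    prev = log[-1]["tag"] if log else ""
    log.append({"entry": entry, "tag": _tag(key, prev, entry)})
    return log


def verify_log(log, key=LOG_KEY):
    """Return the index of the first altered or out-of-sequence entry, or None if intact."""
    prev = ""
    for i, rec in enumerate(log):
        if not hmac.compare_digest(rec["tag"], _tag(key, prev, rec["entry"])):
            return i
        prev = rec["tag"]
    return None


def events_for_record(log, record_id):
    """Retrieve the trail of actions taken on one patient record."""
    return [r["entry"] for r in log if r["entry"]["record"] == record_id]
```

Removing entries from the end of the log is not caught by the chain alone; storing the latest tag separately (or counting entries) closes that gap.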
4. Person or Entity Authentication (Required)
Implementation specification: Implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed.
What it means to your organization: Your organization must be able to authenticate that the person who is accessing the electronic PHI is who he or she claims to be. A simple approach is to require a password that the user must enter to log in. Other approaches are to use a "biometric" identification system, "digital signatures," or a "token" system that uses a physical device for user identification.
5. Transmission Security
Implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over an electronic communications network.
Integrity Controls (Addressable)
Implementation specification: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
What it means to your organization: This basically restates the "integrity" standard we discussed earlier in this article, but it is being applied to electronic PHI data that is being transmitted.
Encryption (Addressable)
Implementation specification: Implement a mechanism to encrypt electronic PHI whenever deemed appropriate.
What it means to your organization: The Department of Health & Human Services (DHHS) is encouraging organizations that transmit electronic PHI over the Internet to consider the use of encryption technology. If your organization is using dial-up lines, there is less of a chance of a breach of security. Your organization should look at its risk assessment/analysis to determine the sensitivity of the data being transmitted and the method of transmission when deciding how to address the encryption standard.
In the next article, we will cover the organizational safeguard standards. This will complete the detailed look at all of the Security Rule standards and how each one will affect your O&P organization.
While all information in this article is believed to be correct at the time of writing, this article is informational only and does not constitute the rendering of legal, financial, or other professional advice or recommendations by Provaliant or individual members. If you require legal advice, you should consult an attorney.
Jay Masci is the principal consultant of Provaliant, a company providing IT consulting services, including HIPAA compliance and customized training. Visit www.provaliant.com or contact Provaliant at 480.952.0656.