The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted to establish national regulatory standards that ensure the lawful use and protection of sensitive patient health information in the United States.
Regulated by the Department of Health and Human Services (HHS) along with the Office for Civil Rights (OCR), HIPAA standards require covered entities—healthcare organizations and their business associates—to implement measures to safeguard the security and privacy of sensitive individually identifiable health information. HIPAA violations can have legal and financial ramifications under federal law for a covered entity.
To meet HIPAA requirements, the HHS established two major rules: the HIPAA Privacy Rule and the HIPAA Security Rule. The rules outline three sets of safeguards for maintaining the security of individuals’ protected health information (PHI).
Administrative Safeguards
Administrative safeguards are the policies, practices, and procedures implemented by covered entities under HIPAA requirements to ensure the integrity of individually identifiable health information.
Administrative safeguards include:
- Security management process: A covered entity is required to implement and execute certain information security policies. These include risk analysis and risk management, sanction policies for employees who violate standards, and regular reviews of information system activity, covering records such as audit logs, employee access reports, and security incident reports.
- Assigned security responsibility: Healthcare organizations should designate a security official who is responsible for designing and implementing the information security policies that safeguard patient data, mitigate risk, and maintain compliance with HHS regulations.
- Workforce security: Organizations must ensure that only the appropriate employees have access to PHI, in accordance with the company’s designated policies and procedures for authorization, clearance, and offboarding.
- Information access management: Healthcare organizations must manage PHI usage by establishing processes for provisioning and revoking permissions. The level of access granted to employees, contractors, and other relevant individuals must be determined by their roles and duties.
- Security awareness and training: Covered entities must provide employees (including management) with training to ensure they understand their responsibilities in regard to protected health information.
- Security incident procedures: Companies are required to implement procedures for identifying and responding to security incidents and unauthorized access to PHI. This also extends to mitigating the effects of incidents and of unauthorized disclosures of patients’ information.
- Contingency planning: Plans must be in place regarding data backups and disaster recovery. This serves as a contingency should a covered entity experience an incident. Regular testing and revisions are also a part of this safeguard.
- Evaluation: Companies must maintain ongoing evaluation and monitoring plans to ensure the effectiveness of their current information security policies and procedures.
Physical Safeguards
Physical safeguards are measures put in place to protect a covered entity’s information systems, buildings, and related equipment from natural and environmental hazards along with unauthorized intrusions and disclosure.
Physical safeguards include:
- Facility access control: Covered entities are required to implement measures that restrict access to electronic information systems and to the physical locations where they are housed. These measures must be closely aligned with role-based access controls.
- Workstation security: Workstations and mobile devices (laptops, tablets) that have electronic access to PHI must be secured to prevent unauthorized access.
- Device and media control: The use of removable media such as USB drives and hard drives that contain PHI must be controlled to prevent unauthorized disclosure.
Technical Safeguards
Under the Security Rule, technical safeguards are defined as the policies, procedures, and technological mechanisms covered entities use to safeguard electronic protected health information (ePHI) and to control the access employees have to it.
Technical safeguards include:
- Access control: Regulating user access to electronic protected health information (ePHI) by implementing authentication and strong access controls (e.g., role-based access and just-in-time access) to ensure that only authorized persons access sensitive information.
- Audit control: Using mechanisms that track and examine system activity across hardware and software to record logins, access events, and modifications to ePHI.
- Integrity control: Ensuring ePHI integrity by implementing procedures that defend against unauthorized alteration of protected health information and preserve privacy protection.
- Authentication: Implementing security policies that verify user identities and credentials before granting access to ePHI (e.g., single sign-on [SSO], two-factor authentication [2FA], multi-factor authentication [MFA]).
- Transmission security: Deploying encryption and integrity controls to guard personal health information transmitted electronically over networks against data breaches.
- Encryption: Using encryption to safeguard sensitive information from data breaches when it is transmitted electronically over networks.
Meeting HIPAA requirements with modern access controls
HIPAA rules and requirements entail necessary security measures for covered entities across the United States, with several physical security and cybersecurity implications. Protecting patient data and personal health information is necessary to ensure the proper functioning of the business and to mitigate the risk of data breaches.
Leveraging next-generation identity governance to automate user access reviews and implement just-in-time access controls can help organizations meet HIPAA regulations and establish an effective compliance program that improves efficiency without sacrificing security.
To learn more about how ConductorOne can help your team meet these requirements, check out our product tour or chat with us!