How the HIPAA Security Rule Can Guide a Proactive Security Posture
by Kira Caban, Director of Communications, Protenus on September 7, 2016
Being HIPAA-compliant has been a hot topic among healthcare organizations ever since HHS published the HIPAA Security Rule on February 20, 2003. The Security Rule established the standards a healthcare organization had to meet in order to comply with rules set in place to better protect patient privacy. The sad truth is, however, that many organizations do not meet these standards, and now, with healthcare data breaches on the rise, it is more important than ever for organizations to take proactive measures to protect the privacy of their patients.
Overview of the HIPAA Security Rule
The U.S. Department of Health and Human Services (HHS) published the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, this rule required the vast majority of covered entities, with the exception of small healthcare plans, to be in compliance with its standards by April 21, 2005. The standards are divided into five sections:
- Administrative safeguards
- Technical safeguards
- Physical safeguards
- Organizational standards
- Policies, procedures, and documentation requirements.
In this post, we will focus on 145 CFR 164.308 (administrative safeguards) and 145 CFR 164.312 (technical safeguards), because it is here that a proactive patient privacy analytics platform can enable a healthcare organization to use the security rule as a foundation for creating a proactive security posture.
The first question to ask when looking at the HIPAA Security Rule is: what types of organizations are covered by it? The short answer is any organization that maintains and transmits electronic protected health information (ePHI). This includes health plans, healthcare clearinghouses, and healthcare providers. The HIPAA omnibus rule, which went into effect on September 23, 2013, and amended the security rule, extended the list of organizations to include business associates of a healthcare institution.
The HIPAA security rule contains two types of security specifications: required and addressable. An organization must meet the required specifications exactly as they are spelled out in the security rule. On the other hand, addressable specifications give an organization more flexibility. Depending on the size and complexity of the institution, it may determine that implementing specification is not “reasonable and appropriate.” Thus, it may use alternative methods to comply with the specification, but it must then provide an explanation as to how the new method meets the addressable specification.
Leading by Example
45 CFR 164.308 lists the safeguards an organization’s administration must implement in order to comply with the HIPAA security rule. Here are the eight necessary requirements:
- Create a security management process
- Identify the security official in charge of implementing policies and procedures
- Establish workforce security to ensure appropriate access to ePHI
- Manage information access
- Conduct security awareness and training sessions
- Create procedures in the event of a threat to ePHI
- Establish a contingency plan for emergencies, both natural and man-made, including the creation of a data backup plan and recovery plan
- Perform periodic evaluations of how the organization is meeting the requirements established by these standards
Many of these standards have to do with preparing for or preempting a security incident. There is one notable exception: creating a security management process. The HIPAA security rule breaks this standard into four implementation specifications. Again, the first three – performing risk analysis and risk management, as well as establishing sanctions against employees who do not comply with these standards – all focus on preempting a security incident. An analytics platform can play a key role here, especially regarding risk analysis and management. A platform that can adjust monitoring thresholds will enable an organization to stay ahead of threats because it will be able to adapt to the particular risks each organization faces.
The last specification deals with detecting and containing potential threats, and an analytics platform can play an even more critical role here. The last specification states that an organization must “regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” An analytics platform that monitors and analyzes every access to ePHI gives an organization the ability to not just review information system activity periodically, but review such activity continuously. Thus, an organization will be able to quickly determine whether an access was legitimate or not, greatly enhancing that organization’s ability to meet the standards of the security rule.
The HIPAA Security Rule does not limit itself to standards an organization’s administration must meet; it also contains technical safeguards that an organization must implement in order to protect ePHI. 45 CFR 164.312 lists five specific standards:
- Establish access control of the ePHI, such as creating a unique identification for each user and ensuring that procedures are put into place so that users can access ePHI in emergencies
- Implement audit controls to both record and examine any access to ePHI
- Ensure that ePHI is not altered or destroyed
- Create person and entity authentication processes
- Ensure the security of transmitted ePHI
Once again, we see that, in order to meet the standards established by the security rule, an organization must have the capability to track each and every access to ePHI. Only by doing so will an organization be able to identify threats quickly enough to allow security officials to neutralize them. Furthermore, a proactive patient privacy analytics platform must combine this capability with an understanding of how healthcare organizations work. Armed with this understanding, a platform can recognize what records different users normally access and thus recognize when something is amiss, such as when ePHI is being altered or when a user is accessing ePHI without authorization.
Forensics - Taking Patient Privacy Seriously
If an organization is serious about patient privacy, it cannot view the HIPAA security rule as merely a checklist of the minimum standards the government requires that organization to meet. On the other hand, it must work to move past the letter of the rule, and meet the spirit of it, managing and analyzing risks to ePHI and monitoring each and every access to that information in order to detect any possible threats. In short, a healthcare organization must have a privacy program in place if it wants to meet the standards laid out in 45 CFR 164.308 and 164.312 and thus create a posture of proactive patient privacy protection.
There are different types of programs that can help different types of organizations meet their security needs. Protenus’ Privacy Primer is a great place to start to learning about the full spectrum of privacy postures in healthcare today.