HIPAA Rules for Preventing Security Breaches: What’s Required for Protecting ePHI?

Category

Compliance

HIPAA Rules for Preventing Security Breaches

Image
System Hacked Image.v2

Heads-up, compliance officers: unauthorized access to electronic private health information (ePHI) is very much on the radar of the HHS Office of Civil Rights (OCR), as evidenced by the agency’s Summer 2021 newsletter. Read on for guidance on complying with requirements for protecting ePHI under the HIPAA Security rules.

Inside breaches are a growing concern

Outside hackers are, of course, a major threat. But incidents of healthcare workforce members inappropriately accessing patients’ and residents’ health information, as well as ePHI being left on unsecured servers, are major contributors to security breaches.

In fact, insiders were responsible for 39% of data breaches in the healthcare sector, according to Verizon’s 2021 Data Breach Investigations Report.

With these threats on the rise, it’s more important than ever for HIPAA-covered entities (CEs) to implement authorization and access control policies aligned with requirements under the HIPAA Security rules.

Don’t underestimate the risk – why hackers love ePHI

Consider this: a healthcare data record can fetch up to $250 on the black market. For perspective, the next highest value is $5.40 for a payment card.

According to cyber security experts, medical information is a desirable target for hackers for several reasons:

  • It contains all of an individual’s identifiable markers.
  • It can be used to commit Medicare fraud.
  • It often takes much longer for victims to gain awareness and report ePHI theft, giving cyber criminals a longer time to take advantage of the data.

In addition to providing training on ePHI security policies and procedures, educate managers and staff on why health information is so valuable to hackers to reinforce the “why” behind the rules.

Applicable HIPAA Security Rules and Requirements

HIPAA Security rules include two separate standards that require HIPAA-covered entities to take steps to guard against ePHI data breaches:

  • Information Access Management Standard
  • Access Control Standard

The standards work together to help CEs build a cyber security framework that prevents unauthorized users from accessing ePHI.

Information Access Management: Establish administrative controls

This standard calls for administrative safeguards to help ensure workforce members are only authorized to access the ePHI necessary to do their jobs.

Access Authorization: Who is allowed to see what?

Not every role in your organization requires the same level of access to systems and applications containing ePHI. For example, an administrative assistant most likely doesn’t need to access a resident’s clinical information to carry out job duties.

To that end, CEs must implement policies and procedures that outline how the organization authorizes and grants access to ePHI. Policies may cover:

  • Procedures for requesting, authorizing and granting access to ePHI
  • The person(s) responsible for authorizing access requests
  • Criteria for granting access

Access Establishment and Modification: When and why will we modify ePHI access?

Naturally, CEs will need to change access criteria for individual users or for the organization as a whole (e.g., due to changing levels of responsibility related to promotions or demotions; the need to provide remote access).

CEs need policies to ensure continuous appropriate levels of access. Policies should address how to establish, document, review, and modify user access to workstations, transactions, programs or processes.

Access Control: Implement technical safeguards

The Access Control standard requires CEs to implement technical controls that ensure only individuals approved in accordance to the organization’s Information Access Management Process can access ePHI.

Implementation specifications under this standard include two that are addressable as opposed to required (as noted below). An “addressable” specification means that the CE can evaluate whether implementation is reasonable and appropriate. (And if the CE determines that it isn’t, it must document why, and implement an equivalent alternative that’s deemed reasonable and appropriate.)

Unique User Identification (Required): No two IDs alike

Shared or generic usernames and passwords, although seemingly convenient, remove accountability from individual users. This compromises system security and also makes it difficult to identify breach perpetrators.

That’s why this specification requires CEs to use unique usernames and passwords for every individual granted access to systems containing ePHI.

Emergency Access Procedure (Required): Provide secure access during atypical circumstances

CEs must establish emergency procedures to guide how users will obtain ePHI in situations when normal access procedures are disrupted. Policies should cover a range of possible circumstances, such as loss of power, internet down time, the need to pivot to telework (e.g., during the COVID-19 crisis), and others.

Automatic Logoff (Addressable): Safeguard ePHI when users fail to logoff 

Forgetting to log out before leaving a workstation unattended. Being called away to an emergency.

Failure to manually log out of a system can happen for many reasons.

But by implementing an automatic logoff mechanism that terminates a user’s session after a period of inactivity, organizations reduce the risk of someone maliciously taking advantage of an unattended workstation.

Encryption and Decryption (Addressable): Render at-rest data unusable to hackers

This technical safeguard involves using data encryption methods to render ePHI “unusable, unreadable, or indecipherable to unauthorized users.”

OCR considers “at-rest” ePHI – that is, data in storage – to be secured when it’s encrypted according to guidance in NIST Special Publication 800-111 (Guide to Storage Encryption Technologies for End User Devices) (SP 800-111).

Encryption solutions are key to preventing data breaches involving lost or stolen devices, such as cell phones, tablets or laptops.

Good to Know: HITECH Cyber Security Safe Harbor Amendment

Implementing recognized cyber security practices not only protects residents from ePHI theft, it also helps offset potential fines and penalties against a CE in the event of a breach.

Under a January 2020 amendment to the Health Information Technology for Economic and Clinical Health Act (HITECH Act), OCR must consider a healthcare organization’s cyber security measures when calculating fines related to a data breach.

So now’s the time to formulate and/or update your ePHI access policies and procedures to ensure compliance with HIPAA Security rules.

Check out other FSA compliance and risk management resources, including our quarterly compliance education packets, which are available to FSA program participants. Not a participant? Learn more here.

Friends Services Alliance (FSA) is a national professional association of values-aligned organizations that serve seniors. Our support services include a team of Compliance and Risk Management experts who have supported organizations in developing and maintaining effective Compliance and Ethics Programs for over 20 years.