HIPAA Technical Safeguards

Access Controls - § 164.312(a)

Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should be put in place that enable authorized users to access the minimum necessary information needed to perform job functions.

The access granted to authorized users must be based on the documented set of access rules that were defined in the Information Access part of the Administrative Safeguards (§ 164.308(a)(4)).

Unique User Identification - § 164.312(a)(2)(i)

It is often easy to assign a generic username for everyone to use on systems in the practice. Good cybersecurity mandates that every user is issued unique user identification credentials. This allows system use to be tracked to an individual and provides a mechanism to limit each user's access to the least privileges necessary to complete their duties.

Emergency Access Procedure - § 164.312(a)(2)(ii)

At some point there will always be a need for administrative access to a system while the administrator is unavailable, for any number of reasons. In preparation for this event, a mechanism must be put in place to allow for that access while simultaneously ensuring that the privilege is not misused.

Automatic Logoff - § 164.312(a)(2)(iii)

All systems in the practice must have some type of mechanism in place to automatically log off or lock systems when they are unattended.

Encryption And Decryption - § 164.312(a)(2)(iv)

All ePHI must remain encrypted. This encryption must be enforced both at rest and in transit. Most modern electronic health records and practice management systems will take care of this; however, it must be verified with each application in the practice.

Audit Controls - § 164.312(b)

From the regulation:

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

Audit mechanisms are a critical part of cyber defense. All modern operating systems make use of audit logs and record activity going on within the system. When these audit logs are read and analyzed in near real-time, they can identify system intrusions and malware, allowing administrators to stop things before they get out of control.
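The following is an added example, not part of the original page or of any vendor's tooling. It reviews login records for two things the sections above care about: a user ID with sessions open on two workstations at once (a sign that a shared or generic credential is in use) and every login by the emergency-access account, so each can be reconciled against a documented need. The log format, host names, and the account name `breakglass` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (hypothetical format, not from any real EHR).
SAMPLE_LOG = """\
2024-03-04T08:01:12 LOGIN user=jsmith host=WS-01
2024-03-04T08:03:40 LOGIN user=frontdesk host=WS-02
2024-03-04T08:05:02 LOGIN user=frontdesk host=WS-03
2024-03-04T08:30:00 LOGOFF user=jsmith host=WS-01
2024-03-04T09:10:00 LOGOFF user=frontdesk host=WS-02
2024-03-04T22:47:19 LOGIN user=breakglass host=SRV-01
2024-03-04T22:59:03 LOGOFF user=breakglass host=SRV-01
2024-03-05T08:00:00 LOGIN user=jsmith host=WS-01
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN|LOGOFF) user=(\S+) host=(\S+)$")
EMERGENCY_ACCOUNTS = {"breakglass"}  # assumption: name of the emergency-access account


def parse_events(text):
    """Yield (timestamp, action, user, host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip malformed lines rather than guessing at their meaning
            ts, action, user, host = m.groups()
            yield datetime.fromisoformat(ts), action, user, host


def review(text):
    """Return (shared, emergency): IDs active on two hosts at once, and
    every emergency-account login; both need human follow-up."""
    active = defaultdict(set)  # user -> hosts with an open session
    shared, emergency = {}, []
    for ts, action, user, host in sorted(parse_events(text)):
        if action == "LOGIN":
            active[user].add(host)
            if len(active[user]) > 1:
                shared[user] = sorted(active[user])
            if user in EMERGENCY_ACCOUNTS:
                emergency.append((ts.isoformat(), host))
        else:
            active[user].discard(host)
    return shared, emergency


if __name__ == "__main__":
    shared, emergency = review(SAMPLE_LOG)
    print("IDs in use on several hosts at once:", shared)
    print("Emergency-access logins to reconcile:", emergency)
```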

Integrity - § 164.312(c)(1)

Mechanism To Authenticate Electronic Protected Health Information - § 164.312(c)(2)

From the regulation:

“Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”

The integrity of ePHI is of utmost importance. Without it the value of the patient record is nothing. There are many mechanisms for providing data integrity for PHI on systems. Many times that mechanism will be driven by the actual applications using and manipulating that data, so practitioners must understand and consult with Electronic Health Record and Practice Management system vendors to properly document and operate controls to provide that integrity.

Person or Entity Authentication - § 164.312(d)

From the regulation:

“Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”

All systems that access ePHI must have an authentication system to verify the requestor is who they claim to be. Identity and access management has become an entire industry and there are now many tools that can provide this verification service; however, all of them boil down to three things:

  • What someone knows: Passwords and PIN codes
  • What someone has: Tokens, Smartphones, and USB dongles
  • What someone is: Biometrics such as facial recognition, fingerprint biometrics, and iris patterns.

The best identity systems will incorporate more than one method.

There is no specific implementation method specified in the regulation, so this must be applied as a control against the risk profile of the practice.

Transmission Security - § 164.312(e)(1)

From the regulation:

“Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”

Integrity Controls - § 164.312(e)(2)(i)

“Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”

Encryption - § 164.312(e)(2)(ii)

“Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”

These two implementations of transmission security tend to go hand-in-hand. Internet technologies developed to secure commercial transactions provide both integrity and encryption as well as other safeguards.

The key again is to examine the applications that will be transporting ePHI and dig into the transport mechanisms. This will drive how to approach this requirement.