Passed by Congress in 1996, the Health Insurance Portability and Accountability Act (HIPAA) was designed to help the continuation and transfer of health coverage for American workers should they lose or change jobs. The Act also sets standards for reducing health care fraud and abuse as well as protecting confidential protected health information (PHI). As healthcare records have become digitized, any business that handles PHI need to have specific protocols in place in regards to their IT environments. For technology specifically there are many aspects that need to be in compliance such as Access Control, Transmission, Encryption, and Audit Controls.
While the Department of Health and Human Services has a plethora of information regarding IT compliance for HIPAA, there is a lot of intricate information to dissect. We are going to break these items down to make it easier to ensure your IT is in compliance with HIPAA regulations.
Here we provide an overview of Access Control regulations for IT networks hosting or transmitting protected health information:
The Security Rule defines access in § 164.304 as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.(This definition applies to “access” as used in this subpart, not as used in subpart E of this part[the HIPAA Privacy Rule]).”
To ensure proper Access Control – IT Administrators need to ensure that the following are in place.
1. Unique User Identification – assigning a unique name and/or number for identifying and tracking user identity. This means that every staff member who has access to a network with PHI is assigned his or her unique user identification ad well as a unique password that isn’t shared with others. This is done to keep users accountable for functions performed on information systems with electronic protected health information (EPHI).
2. Emergency Access Procedure – similar to a business continuity plan, employees need to be instructed on the process to gain access to systems with EPHI should the system be compromised such as due to a power outage or a physical server failure. As EPHI needs to be available at all times, employees need to know what to do should an operational failure occur.
3. Automatic Logoff – in more recent years, software applications include automatic logoff as a default setting. With automatic logoff, users are signed out of the application out of a set amount of time of inactivity. While it is best practice for users to logoff systems they are working on, there are certain occasions where a user has to leave his or her workstation unexpectedly or will forget to log out. Automatic logoff ensures that the user is securely logged out, reducing the risk of having another person access the system under his or her credentials.
4. Encryption and Decryption – with encryption and decryption in place, regular text is turned into encoded text that cannot be accessed without the proper decryption (translation) device to convert the protected encoded text back into regular text for access to the information. Many content and document management systems have encryption options, but IT teams need to make sure that all portions of the network hosting EPHI have some form of encryption to securely store and transmit electronic protected health information.