HIPAA Compliance

Dissecting the Security Rules

HIPAA's security rules aim to be comprehensive, address all aspects of security and scale for large and small entities, but the rules are not linked to specific technologies. Instead, generic guidelines allow for new technologies to satisfy the rules. Generally, multiple solutions are required for the variety of rules that set standards and implement specifications.

HIPAA security rules cover three areas: administrative, physical and technical safeguards. Administrative policies and procedures are the most vital and affect the physical and technical safeguards. Admin safeguards could include security-awareness training for staff, procedures for reporting and responding to security incidents and developing contingency plans for disaster recovery.

Technical Compliance

HIPAA's technical safeguards require standards for audit controls and authentication schemes. Entities must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems containing PHI. Information systems are defined as interconnected resources--including hardware, software, information, data, applications, communications and people--that share a common functionality and come under the same management authority.

For technical compliance in the audit arena, check out products such as Bindview Policy Operations Center or Novell Nsure Audit that can supply audit trails as well as data-integrity controls and a clear view of system activity. If you have mobile and wireless users, look into DataMirror LiveAudit.

The identity of a person or entity seeking access to electronic PHI must be verified. To meet this requirement, multiuser operating systems--Linux, Windows and Unix--can be set with user and group assignments. In a larger environment, directories--Active Directory, Novell's eDirectory, Sun's Java System Directory Server and other LDAP-based directories--can be used.

HIPAA's technical safeguard rules contain more detailed requirements, including standards for access control, data integrity and transmission security. Each of these standards has implementation specifications that are required or addressable (see "Security Standards for Technical Safeguards,").

Required specifications include the standard for access control, which is defined as a procedure to limit access to PHI only to those persons or software programs that have been granted specific access rights. The specs that satisfy this rule include a mechanism to assign unique IDs (user names or numbers) for every user and a procedure to access the data in the event of an emergency.Implementing a directory schema from Microsoft, Novell or Sun with redundancy and failover can ensure access in an emergency. More specific solutions, such as BNX's Authenticated Sign-On and Siemens' Hipath DirX Compact for Healthcare, for example, may more closely meet your needs. BNX's tools manages the sign-on or authentication scheme to systems and applications; Siemens' product provides identity management that integrates with business processes and enables authentication for applications and services.

Other implementation specifications for access control include an automatic logoff procedure to terminate an electronic session after a predetermined time of inactivity and encryption/decryption functions.

These addressable implementation specifications give entities flexibility in complying with the security standard. Organizations must decide for themselves whether an addressable implementation is a "reasonable" and "appropriate" measure within its security framework. This requires a risk analysis for PHI, which each entity must conduct to ensure the confidentiality, integrity and availability of electronic PHI.

In addition, the organization must reduce risks and vulnerabilities. To get a handle on risk management, see the National Institute of Standards and Technology's "Risk Management Guide for Information Technology Systems" (csrc.nist.gov/publications/nistpubs/ 800-30/sp800-30.pdf) or the Computer Science and Telecommunications Board's "For the Record: Protecting Electronic Health Information" (1997).After risk assessment, if a reasonable and appropriate addressable implementation specification is available, the entity must implement it; if implementation is determined to be unreasonable and/or inappropriate, documentation is required to back this up. The entity may then implement an alternative measure that accomplishes the same end as the addressable specification or decline to implement any solution.

The standard to protect data integrity contains only one addressable implementation specification, designed to protect PHI from improper alteration or destruction. Products that satisfy this requirement will "corroborate" that electronic PHI has not been altered or destroyed in an unauthorized manner. For starters, make sure your environment includes antivirus software from Symantec, McAfee or Fortinet, but be aware that full compliance requires electronic or paper copies of the data.

Transmission security protects against unauthorized access to electronic PHI transmitted over a communications network. A variety of products, such as those from Airespace, Check Point Software Technologies and RSA Security, can help you meet this requirement. Note that the implementation specifications to meet this safeguard are both addressable--do them only if you find it reasonable and appropriate. Look for products that apply integrity controls to ensure that PHI is not improperly modified without detection throughout its life cycle until proper disposal, such as as document-management systems from Hummingbird Enterprise and Stellent Universal Content Management System. Also consider encryption tools that transform data into a form that has a low probability of being altered by a third party.

• "Feds Reach Out and Touch IT,"

• HIPAA Advisory, www.hipaadvisory.com• HIPAA.ORG, www.hipaa.org/

• HHS on HIPAA, aspe.os.dhhs.gov/admnsimp/index.shtml

• HHS Office of Civil Rights, www.hhs.gov/ocr/hipaa/

• Code of Federal Regulations, cfr.law.cornell.edu/cfr/ (Search Title 45 Section 164)

Interactive Buyer's Guide Charts to HIPAA-PHI products Sean Doherty is a technology editor and lawyer based at our Syracuse University Real-World Labs®. Write to him at [email protected].