Understanding Technical Safeguards for Protecting Electronic Health Records under HIPAA

Insights into the Technical Safeguards standards of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Covered entities are required to implement these safeguards to protect electronic protected health information (EPHI) from unauthorized access, alteration, or destruction. The paper reviews technical security measures such as access controls, encryption, and audit controls, and provides sample questions for covered entities to consider when implementing these safeguards.

HIPAA Security Series
Volume 2 / Paper 4, May 2005

4 Security Standards: Technical Safeguards

What is the Security Series?

The security series of papers will provide guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule titled “Security Standards for the Protection of Electronic Protected Health Information,” found at 45 CFR Part 160 and Part 164, Subparts A and C, commonly known as the Security Rule. The Security Rule was adopted to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The series will contain seven papers, each focused on a specific topic related to the Security Rule. The papers, which cover the topics listed below, are designed to give HIPAA covered entities insight into the Security Rule and assistance with implementation of the security standards. This series explains specific requirements, the thought process behind those requirements, and possible ways to address the provisions.

Security Topics

1. Security 101 for Covered Entities
2. Security Standards - Administrative Safeguards
3. Security Standards - Physical Safeguards
4. Security Standards - Technical Safeguards
5. Security Standards - Organizational, Policies and Procedures, and Documentation Requirements
6. Basics of Risk Analysis and Risk Management
7. Implementation for the Small Provider

Compliance Deadlines: No later than April 20, 2005 for all covered entities except small health plans, which have until no later than April 20, 2006.

NOTE: To download the first paper in this series, “Security 101 for Covered Entities,” visit the CMS website at: www.cms.hhs.gov/hipaa/hipaa2.

CMS recommends that covered entities read the first paper in this series, “Security 101 for Covered Entities,” before reading the other papers. The first paper clarifies important Security Rule concepts that will help covered entities as they plan for implementation. This fourth paper in the series is devoted to the standards for Technical Safeguards and their implementation specifications and assumes the reader has a basic understanding of the Security Rule.

Background

Technical safeguards are becoming increasingly important due to technology advancements in the health care industry. As technology improves, new security challenges emerge. Healthcare organizations are faced with the challenge of protecting electronic protected health information (EPHI), such as electronic health records, from various internal and external risks. To reduce risks to EPHI, covered entities must implement technical safeguards. Implementation of the Technical Safeguards standards represents good business practices for technology and associated technical policies and procedures within a covered entity. It is important, and therefore required by the Security Rule, for a covered entity to comply with the Technical Safeguards standards and certain implementation specifications; a covered entity may use any security measures that allow it to reasonably and appropriately do so.

HIPAA SECURITY STANDARDS

ADMINISTRATIVE SAFEGUARDS

  • Security Management Process
  • Assigned Security Responsibility
  • Workforce Security
  • Information Access Management
  • Security Awareness and Training
  • Security Incident Procedures
  • Contingency Plan
  • Evaluation
  • Business Associate Contracts and Other Arrangements

PHYSICAL SAFEGUARDS

  • Facility Access Controls
  • Workstation Use
  • Workstation Security
  • Device and Media Controls

TECHNICAL SAFEGUARDS

  • Access Control
  • Audit Controls
  • Integrity
  • Person or Entity Authentication
  • Transmission Security

ORGANIZATIONAL REQUIREMENTS

  • Business Associate Contracts & Other Arrangements
  • Requirements for Group Health Plans

POLICIES and PROCEDURES and DOCUMENTATION REQUIREMENTS

The objectives of this paper are to:

  • Review each Technical Safeguards standard and implementation specification listed in the Security Rule.
  • Discuss the purpose for each standard.
  • Provide sample questions that covered entities may want to consider when implementing the Technical Safeguards.

Sample questions provided in this paper, and other HIPAA Security Series papers, are for consideration only and are not required for implementation. The purpose of the sample questions is to promote review of a covered entity’s environment in relation to the requirements of the Security Rule. The sample questions are not HHS interpretations of the requirements of the Security Rule.

What are Technical Safeguards?

The Security Rule defines technical safeguards in § 164.304 as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

As outlined in previous papers in this series, the Security Rule is based on the fundamental concepts of flexibility, scalability and technology neutrality. Therefore, no specific requirements for types of technology to implement are identified. The Rule allows a covered entity to use any security measures that allow it reasonably and appropriately to implement the standards and implementation specifications. A covered entity must determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization.

Security Standards: General Rules

45 CFR § 164.306(b), the Security Standards: General Rules, Flexibility of Approach, provides key guidance for focusing compliance decisions, including factors a covered entity must consider when selecting security

NOTE: For a discussion on “required” and “addressable” Implementation Specifications, see the first paper in this series, “Security 101 for Covered Entities.”

STANDARD § 164.312(a)(1) Access Control

The Access Control standard requires a covered entity to:

“Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4) [Information Access Management].”

A covered entity can comply with this standard through a combination of access control methods and technical controls. There are a variety of access control methods and technical controls that are available within most information systems. The Security Rule does not identify a specific type of access control method or technology to implement.

Regardless of the technology or information system used, access controls should be appropriate for the role and function of the workforce member. For example, even workforce members responsible for monitoring and administering information systems with EPHI, such as administrators or super users, must only have access to EPHI as appropriate for their role and/or job function.

Four implementation specifications are associated with the Access Control standard:

1. Unique User Identification (Required)
2. Emergency Access Procedure (Required)
3. Automatic Logoff (Addressable)
4. Encryption and Decryption (Addressable)

NOTE: Like many of the Technical Safeguards implementation specifications, covered entities may already have emergency access procedures in place.

1. UNIQUE USER IDENTIFICATION (R) - § 164.312(a)(2)(i)

The Unique User Identification implementation specification states that a covered entity must:

“Assign a unique name and/or number for identifying and tracking user identity.”

User identification is a way to identify a specific user of an information system, typically by name and/or number. A unique user identifier allows an entity to track specific user activity when that user is logged into an information system. It enables an entity to hold users accountable for functions performed on information systems with EPHI when logged into those systems.

The Rule does not describe or provide a single format for user identification. Covered entities must determine the best user identification strategy based on their workforce and operations. Some organizations may use the employee name or a variation of the name (e.g. jsmith). However, other organizations may choose an alternative such as assignment of a set of random numbers and characters. A randomly assigned user identifier is more difficult for an unauthorized user (e.g., a hacker) to guess, but may be more difficult for authorized users to remember and management to recognize. The organization must weigh these factors when making its decision. Regardless of the format, unlike email addresses, no one other than the user needs to remember the user identifier.

Sample questions for covered entities to consider:

  • Does each workforce member have a unique user identifier?
  • What is the current format used for unique user identification?
  • Can the unique user identifier be used to track user activity within information systems that contain EPHI?

2. EMERGENCY ACCESS PROCEDURE (R) - § 164.312(a)(2)(ii)

This implementation specification requires a covered entity to:

“Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”

These procedures are documented instructions and operational practices for obtaining access to necessary EPHI during an emergency situation. Access controls are necessary under emergency conditions, although they may be very different from those used in normal operational circumstances. Covered entities must determine the types of situations that would require emergency access to an information system or application that contains EPHI. Procedures must be established beforehand to instruct workforce members on possible ways to gain access to needed EPHI in, for example, a situation in which normal environmental systems, such as electrical power, have been severely damaged or rendered inoperative due to a natural or manmade disaster.

4. ENCRYPTION AND DECRYPTION (A)

NOTE: The goal of encryption is to protect EPHI from being accessed and viewed by unauthorized users.

Encryption is a method of converting an original message of regular text into encoded text. The text is encrypted by means of an algorithm (i.e., a type of procedure or formula). If information is encrypted, there would be a low probability that anyone other than the receiving party who has the key to the code or access to another confidential process would be able to decrypt (i.e., translate) the text and convert it into plain, comprehensible text.

There are many different encryption methods and technologies to protect data from being accessed and viewed by unauthorized users.

Sample questions for covered entities to consider:

  • Which EPHI should be encrypted and decrypted to prevent access by persons or software programs that have not been granted access rights?
  • What encryption and decryption mechanisms are reasonable and appropriate to implement to prevent access to EPHI by those persons or software programs that have not been granted access rights?

STANDARD § 164.312(b) Audit Controls

The next standard in the Technical Safeguards section is Audit Controls. This standard has no implementation specifications. The Audit Controls standard requires a covered entity to:

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

Most information systems provide some level of audit controls with a reporting method, such as audit reports. These controls are useful for recording and examining information system activity, especially when determining if a security violation occurred.

It is important to point out that the Security Rule does not identify data that must be gathered by the audit controls or how often the audit reports should be reviewed. A covered entity must consider its risk analysis and organizational factors, such as current technical infrastructure, hardware and software security capabilities, to determine reasonable and appropriate audit controls for information systems that contain or use EPHI.

Sample questions for covered entities to consider:

  • What audit control mechanisms are reasonable and appropriate to implement so as to record and examine activity in information systems that contain or use EPHI?
  • What are the audit control capabilities of information systems with EPHI?
  • Do the audit controls implemented allow the organization to adhere to policy and procedures developed to comply with the required implementation specification at § 164.308(a)(1)(ii)(D) for Information System Activity Review?

STANDARD § 164.312(c)(1) Integrity

NOTE: The integrity of EPHI can be compromised by both technical and non-technical sources.

The next standard in the Technical Safeguards section is Integrity. Integrity is defined in the Security Rule, at § 164.304, as “the property that data or information have not been altered or destroyed in an unauthorized manner.” Protecting the integrity of EPHI is a primary goal of the Security Rule.

The Integrity standard requires a covered entity to:

“Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”

EPHI that is improperly altered or destroyed can result in clinical quality problems for a covered entity, including patient safety issues. The integrity of data can be compromised by both technical and non-technical sources. Workforce members or business associates may make accidental or intentional changes that improperly alter or destroy EPHI. Data can also be altered or destroyed without human intervention, such as by electronic media errors or failures. The purpose of this standard is to establish and implement policies and procedures for protecting EPHI from being compromised regardless of the source.

There is one addressable implementation specification in the Integrity standard.
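The Audit Controls standard above asks for mechanisms that both record and examine activity, and the paper deliberately does not say what to collect or how often to review it. As an added example, not part of the CMS paper, the Python below examines a constructed EPHI access log against a role matrix and returns the events a reviewer would want to see: actions outside the user's role, use of a shared identifier (which defeats the Unique User Identification specification), every use of the Emergency Access Procedure, and after-hours bulk reads. The log format, field names, role table and thresholds are assumptions made for this illustration.

```python
"""Examining an EPHI access audit trail for events that need review.

Added example, not from the CMS paper. The log format, the role table,
the shared-identifier list and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit records, one event per line:
# timestamp  unique-user-id  role  action  patient-record-id  outcome
SAMPLE_AUDIT_LOG = """\
2005-05-02T09:14:03 jsmith     nurse      read    pt-1001 ok
2005-05-02T09:15:40 jsmith     nurse      read    pt-1002 ok
2005-05-02T09:16:12 jsmith     nurse      update  pt-1002 ok
2005-05-02T11:02:55 rlee       billing    read    pt-1003 ok
2005-05-02T11:03:10 rlee       billing    update  pt-1003 denied
2005-05-02T23:41:07 shared_er  nurse      read    pt-1007 ok
2005-05-02T23:55:31 tnguyen    physician  emergency-access pt-1009 ok
2005-05-03T02:10:00 rlee       billing    read    pt-1010 ok
2005-05-03T02:10:02 rlee       billing    read    pt-1011 ok
2005-05-03T02:10:04 rlee       billing    read    pt-1012 ok
2005-05-03T02:10:06 rlee       billing    read    pt-1013 ok
2005-05-03T02:10:08 rlee       billing    read    pt-1014 ok
2005-05-03T02:10:10 rlee       billing    read    pt-1015 ok
"""

# Assumed role-based access matrix: the actions each role may perform on EPHI.
ROLE_PERMISSIONS = {
    "nurse": {"read", "update"},
    "physician": {"read", "update", "emergency-access"},
    "billing": {"read"},
}

# Assumed identifiers that are not tied to a single workforce member.
SHARED_IDENTIFIERS = {"shared_er"}

BUSINESS_HOURS = (time(7, 0), time(19, 0))
BULK_READ_THRESHOLD = 5  # distinct records per user per hour, outside business hours


def parse_line(line):
    ts, user, role, action, record, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "record": record, "outcome": outcome}


def examine_audit_log(text):
    """Return a list of (finding, user, detail) tuples that merit review."""
    findings = []
    reads_by_user_hour = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Unique user identification: a shared login cannot be tied to a person.
        if ev["user"] in SHARED_IDENTIFIERS:
            findings.append(("shared-identifier", ev["user"], ev["record"]))
        # Action outside the role's permitted set, whether or not the system refused it.
        if ev["action"] not in ROLE_PERMISSIONS.get(ev["role"], set()):
            findings.append(("outside-role", ev["user"], f'{ev["action"]} {ev["record"]}'))
        elif ev["outcome"] == "denied":
            findings.append(("denied", ev["user"], f'{ev["action"]} {ev["record"]}'))
        # Emergency access is legitimate, but every use must be reviewed afterwards.
        if ev["action"] == "emergency-access" and ev["outcome"] == "ok":
            findings.append(("emergency-access", ev["user"], ev["record"]))
        # Collect successful after-hours reads for the bulk-access check.
        in_hours = BUSINESS_HOURS[0] <= ev["ts"].time() < BUSINESS_HOURS[1]
        if ev["action"] == "read" and ev["outcome"] == "ok" and not in_hours:
            key = (ev["user"], ev["ts"].strftime("%Y-%m-%dT%H"))
            reads_by_user_hour[key].add(ev["record"])
    for (user, hour), records in reads_by_user_hour.items():
        if len(records) >= BULK_READ_THRESHOLD:
            findings.append(("after-hours-bulk-read", user, f"{len(records)} records in {hour}"))
    return findings


if __name__ == "__main__":
    for finding in examine_audit_log(SAMPLE_AUDIT_LOG):
        print(*finding)
```

The checks are deliberately simple rules over fields the system already records; the point is that "examine" means running something like this against the trail on a schedule, not merely retaining the log.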

STANDARD § 164.312(d) Person or Entity Authentication

  • Require something that individuals possess, such as a smart card, a token, or a key.
  • Require something unique to the individual such as a biometric. Examples of biometrics include fingerprints, voice patterns, facial patterns or iris patterns.

Most covered entities use one of the first two methods of authentication. Many small provider offices rely on a password or PIN to authenticate the user. If the authentication credentials entered into an information system match those stored in that system, the user is authenticated. Once properly authenticated, the user is granted the authorized access privileges to perform functions and access EPHI. Although the password is the most common way to obtain authentication to an information system and the easiest to establish, covered entities may want to explore other authentication methods.

Sample questions for covered entities to consider:

  • What types of authentication mechanisms are currently used?
  • What level or type of authentication is reasonable and appropriate for each information system with EPHI?
  • Are other authentication methods available that may be reasonable and appropriate?
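The passage above describes authentication as matching entered credentials against stored ones. As an added example (not from the CMS paper), the Python below shows what a sound implementation of that match looks like: the stored credential is a salted PBKDF2 hash rather than the password itself, comparisons are constant time, and a second factor from something the user possesses (a time-based one-time code per RFC 6238) is required as well. The credential store layout, iteration count and enrolled user are assumptions made for this illustration.

```python
"""Two-factor authentication: something known (password) plus something
possessed (a token generating RFC 6238 time-based one-time codes).

Added example, not from the CMS paper. The credential store layout,
PBKDF2 work factor and enrolled users are assumptions.
"""
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise for production hardware
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def enroll(password: str, token_secret: bytes) -> dict:
    """Store only a salted, stretched hash of the password, never the password.
    token_secret is the seed shared with the user's hardware or software token."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "token_secret": token_secret}


def check_password(cred: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), cred["salt"], PBKDF2_ITERATIONS)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest, cred["hash"])


def totp(secret: bytes, at_time: float, step: int = TOTP_STEP_SECONDS,
         digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = int(at_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_token(cred: dict, code: str, at_time: float, window: int = 1) -> bool:
    """Accept the current code and one step either side to absorb clock drift."""
    if not (code.isdigit() and len(code) == TOTP_DIGITS):
        return False
    return any(
        hmac.compare_digest(totp(cred["token_secret"], at_time + k * TOTP_STEP_SECONDS), code)
        for k in range(-window, window + 1)
    )


def authenticate(store: dict, user_id: str, password: str, code: str,
                 at_time: float = None) -> bool:
    """Both factors must pass. An unknown user id is handled like a wrong
    password so neither the response nor its timing reveals which ids exist."""
    at_time = time.time() if at_time is None else at_time
    cred = store.get(user_id)
    if cred is None:
        check_password(DUMMY_CRED, password)  # burn the same work as a real check
        return False
    password_ok = check_password(cred, password)
    token_ok = check_token(cred, code, at_time)
    return password_ok and token_ok


# Placeholder credential used only to equalise timing for unknown user ids.
DUMMY_CRED = enroll("placeholder", b"\x00" * 20)


if __name__ == "__main__":
    # Constructed enrolment; the token seed is the RFC 6238 test-vector key.
    store = {"jsmith": enroll("correct horse battery staple", b"12345678901234567890")}
    now = time.time()
    code = totp(store["jsmith"]["token_secret"], now)
    print(authenticate(store, "jsmith", "correct horse battery staple", code, now))
```

The verifier side never sees the password in storage, and the one-time code changes every 30 seconds, so a credential captured from one session does not authenticate the next one.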

STANDARD § 164.312(e)(1) Transmission Security

The final standard listed in the Technical Safeguards section is Transmission Security. This standard requires a covered entity to:

“Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”

In order to determine the technical security measures to implement to comply with this standard, covered entities must review the current methods used to transmit EPHI. For instance, is EPHI transmitted through email, over the Internet, or via some form of private or point-to-point network? Once the methods of transmission are reviewed, the covered entity must identify the available and appropriate means to protect EPHI as it is transmitted, select appropriate solutions, and document its decisions. The Security Rule allows for EPHI to be sent over an electronic open network as long as it is adequately protected.

This standard has two implementation specifications:

1. Integrity Controls (Addressable)
2. Encryption (Addressable)

1. INTEGRITY CONTROLS (A) - § 164.312(e)(2)(i)

Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:

“Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”

Protecting the integrity of EPHI maintained in information systems was discussed previously in the Integrity standard. Integrity in this context is focused on making sure the EPHI is not improperly modified during transmission. A primary method for protecting the integrity of EPHI being transmitted is through the use of network communications protocols. In general, these protocols, among other things, ensure that the data sent is the same as the data received. There are other security measures that can provide integrity controls for EPHI being transmitted over an electronic communications network, such as data or message authentication codes, that a covered entity may want to consider.

NOTE: A covered entity should discuss reasonable and appropriate security measures to protect the integrity of EPHI during transmission with its IT professionals, vendors, business associates, and trading partners.

Sample questions for covered entities to consider:

  • What security measures are currently used to protect EPHI during transmission?
  • Has the risk analysis identified scenarios that may result in modification to EPHI by unauthorized sources during transmission?
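The Integrity Controls specification above names message authentication codes as one way to detect improper modification of EPHI in transit, and the same mechanism serves the Integrity standard's concern with undetected alteration of stored EPHI. As an added example (not from the CMS paper), the Python below computes an HMAC-SHA256 tag over a canonical encoding of a constructed lab-result record bound to a message identifier, verifies it in constant time on the receiving side, and shows that a record altered on the wire, a message id swapped to replay it, or a key derived for a different purpose all fail verification. The message layout, key-derivation label, shared secret and sample record are assumptions made for this illustration.

```python
"""Message authentication code as an integrity control for EPHI in transit.

Added example, not from the CMS paper. The envelope layout, the key
derivation label, the shared secret and the sample record are assumptions.
"""
import hashlib
import hmac
import json
import secrets


def derive_mac_key(shared_secret: bytes, purpose: bytes) -> bytes:
    """Derive a per-purpose MAC key so the raw shared secret is never reused
    directly for two different protections (e.g. one feed's MAC vs another's)."""
    return hmac.new(shared_secret, b"ephi-integrity:" + purpose, hashlib.sha256).digest()


def canonical_bytes(envelope: dict) -> bytes:
    # Deterministic encoding: sender and receiver must MAC identical bytes.
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def protect(record: dict, mac_key: bytes, message_id: str) -> dict:
    """Sender side: tag the record together with its message id, so a valid
    message cannot be replayed under a different id."""
    envelope = {"message_id": message_id, "record": record}
    tag = hmac.new(mac_key, canonical_bytes(envelope), hashlib.sha256).hexdigest()
    return {**envelope, "mac": tag}


def verify(message: dict, mac_key: bytes) -> bool:
    """Receiver side: recompute the tag over the received fields and compare
    in constant time. Any change to record or id produces a different tag."""
    envelope = {"message_id": message["message_id"], "record": message["record"]}
    expected = hmac.new(mac_key, canonical_bytes(envelope), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message.get("mac", ""))


# Constructed sample: a lab result sent to a trading partner.
SAMPLE_RECORD = {"patient_id": "pt-1002", "test": "HbA1c", "value": 6.8, "unit": "%"}
# Pre-shared secret, assumed to have been exchanged out of band with the partner.
SHARED_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def demo() -> dict:
    """Run the exchange once and report which messages verify."""
    key = derive_mac_key(SHARED_SECRET, b"lab-results-v1")
    msg = protect(SAMPLE_RECORD, key, message_id=secrets.token_hex(8))
    intact = verify(msg, key)
    # An attacker on the network changes the result but cannot recompute the
    # tag without the key (an unkeyed checksum would simply be recomputed).
    tampered = json.loads(json.dumps(msg))
    tampered["record"]["value"] = 5.1
    # A key derived for a different feed must not validate this one.
    other_key = derive_mac_key(SHARED_SECRET, b"lab-results-v2")
    return {"intact": intact, "tampered": verify(tampered, key), "wrong_key": verify(msg, other_key)}


if __name__ == "__main__":
    print(demo())
```

This is detection, not prevention: the receiver learns the record was changed and discards it. Pairing the MAC with encryption (or using an authenticated-encryption mode that provides both) addresses confidentiality in transit as well.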

2. ENCRYPTION (A)

Sample questions for covered entities to consider:

  • How does the organization transmit EPHI?
  • How often does the organization transmit EPHI?
  • Based on the risk analysis, is encryption needed to protect EPHI during transmission?
  • What methods of encryption will be used to protect the transmission of EPHI?

In Summary

The Security Rule Technical Safeguards are the technology and related policies and procedures that protect EPHI and control access to it. The Technical Safeguards standards apply to all EPHI. The Rule requires a covered entity to comply with the Technical Safeguards standards and provides the flexibility to covered entities to determine which technical security measures will be implemented.

Together with reasonable and appropriate Administrative and Physical Safeguards, successful implementation of the Technical Safeguards standards will help ensure that a covered entity will protect the confidentiality, integrity and availability of EPHI.

Resources The remaining papers in this series will address other specific topics related to the Security Rule. The next paper in this series covers the final sections of the Security Rule, Organizational Requirements and Policies and Procedures and Documentation Requirements.

Covered entities should periodically check the CMS website at http://www.cms.hhs.gov/hipaa/hipaa2 for additional information and resources as they work through the security implementation process. There are many other sources of information available on the Internet. While CMS does not endorse guidance provided by other organizations, covered entities may also want to check with other local and national professional health care organizations, such as national provider and health plan associations for additional information.

Need more information?

Visit the CMS website often at http://www.cms.hhs.gov/hipaa/hipaa2 for the latest security papers, checklists, webcasts, and announcements of upcoming events.

Call the CMS HIPAA Hotline at 1-866-282-0659, use the HIPAA TTY 877-326-1166, or email CMS at [email protected].

Visit the Office for Civil Rights website, http://www.hhs.gov/ocr/hipaa, for the latest guidance, FAQs and other information on the Privacy Rule.

Security Standards Matrix: Standards, Sections and Implementation Specifications
(R) = Required, (A) = Addressable

PHYSICAL SAFEGUARDS

Facility Access Controls, § 164.310(a)(1)
  • Contingency Operations (A)
  • Facility Security Plan (A)
  • Access Control and Validation Procedures (A)
  • Maintenance Records (A)
Workstation Use, § 164.310(b)
Workstation Security, § 164.310(c)
Device and Media Controls, § 164.310(d)(1)
  • Disposal (R)
  • Media Re-use (R)
  • Accountability (A)
  • Data Backup and Storage (A)

TECHNICAL SAFEGUARDS

Access Control, § 164.312(a)(1)
  • Unique User Identification (R)
  • Emergency Access Procedure (R)
  • Automatic Logoff (A)
  • Encryption and Decryption (A)
Audit Controls, § 164.312(b)
Integrity, § 164.312(c)(1)
  • Mechanism to Authenticate Electronic Protected Health Information (A)
Person or Entity Authentication, § 164.312(d)
Transmission Security, § 164.312(e)(1)
  • Integrity Controls (A)
  • Encryption (A)

ORGANIZATIONAL REQUIREMENTS

Business Associate Contracts or Other Arrangements, § 164.314(a)(1)
  • Business Associate Contracts (R)
  • Other Arrangements (R)
Requirements for Group Health Plans, § 164.314(b)(1)
  • Implementation Specifications (R)

POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS

Policies and Procedures, § 164.316(a)
Documentation, § 164.316(b)(1)
  • Time Limit (R)
  • Availability (R)
  • Updates (R)