The objectives of the HIPAA Technical Safeguards are to protect electronic PHI and control access to it. However, technology alone cannot achieve these objectives and it is necessary for covered entities and business associates to implement policies and procedures that support the objectives of the HIPAA Technical Safeguards.
The HIPAA Technical Safeguards can be found in §164.312 of the Security Rule. They consist of five standards relating to:
- Access Controls
- Audit Controls
- Integrity (referred to below as integrity controls)
- Person or Entity Authentication (referred to below as authentication controls)
- Transmission Security
The five standards are explained in more detail below with details of how they help achieve the objectives of the HIPAA Technical Safeguards and what covered entities and business associates need to consider when deploying technologies and implementing policies and procedures.
The access controls standard protects electronic PHI and access to it by requiring covered entities and business associates to implement policies and procedures that restrict access to systems and devices that maintain electronic PHI in compliance with the Information Access Management Standard of the Administrative Safeguards (§164.308(a)(4)).
This means the policies and procedures must allow “appropriate access” only to authorized members of the workforce and to software systems that have been granted access rights, and must prevent unauthorized members of the workforce and unauthorized software systems from accessing electronic PHI.
To ensure they meet the requirements of this standard, covered entities and business associates must comply with four implementation specifications:
- Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
- Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic PHI during an emergency.
- Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
- Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic PHI.
With regards to the two “Addressable” implementation specifications (and all further Addressable implementation specifications in the HIPAA Technical Safeguards), covered entities and business associates must implement the specifications unless a documented assessment identifies that they are not reasonable and appropriate for protecting electronic PHI in their environment.
If an assessment reaches that conclusion, covered entities and business associates must document the reason and implement an equivalent alternative measure if one is reasonable and appropriate (or document why neither the specification nor an alternative is necessary). With regards to the two addressable access controls, it is difficult to conceive of alternatives that would be equally effective as those listed in the standard.
The audit controls standard requires covered entities and business associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI. The purpose of this control is to record who accessed systems containing electronic PHI and what they did while they were logged in.
Because HIPAA is technology neutral, the HIPAA Technical Safeguards do not explain how to comply with this standard. Therefore, it is possible for covered entities and business associates to comply with this standard by implementing mechanisms that merely record activity for review after an event has occurred, which detects misuse of electronic PHI after the fact rather than preventing it.
However, it is possible to deploy audit controls that automatically raise an alarm when a user strays from their permitted activities or when a specified event occurs (for example, alerting built on AWS CloudTrail logs, or an equivalent capability on another platform). The alarms can trigger security controls that (for example) lock users out of a system or device before they are able to compromise the confidentiality, integrity, or availability of data.
Although automating audit controls adds setup and tuning effort, it has the advantage of limiting three common breach scenarios: an unauthorized third party using an authorized user’s login credentials to access electronic PHI, a malicious insider deliberately compromising electronic PHI, and an authorized user making a genuine mistake that results in a breach of electronic PHI.
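The kind of automated review described above, as an added example that is not code from the original page or from any HIPAA guidance: it reads a constructed audit log, applies a few detection rules (access to a patient record outside the user’s assigned set, access outside business hours, many distinct records opened in a short window, and a burst of failed logins) and reports which users should be locked out pending review. The log format, thresholds, user IDs, patient IDs and assignment table are all assumptions chosen for illustration.

```python
"""Automated review of an ePHI access audit log.

Added example, not code from the original page or any HIPAA guidance.
The log format, the rule thresholds and the patient-assignment table are
assumptions chosen for illustration."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user action patient outcome")
Alert = namedtuple("Alert", "rule user detail")

# Assumed "need to know" table: which patient records each user may open.
ASSIGNMENTS = {
    "u1001": {"P-2001", "P-2002", "P-2003", "P-2004", "P-2005", "P-2006"},
    "u1002": {"P-3001"},
}
BULK_THRESHOLD = 5                   # distinct records opened ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this window
BUSINESS_HOURS = (7, 19)             # record access expected between 07:00 and 19:00
FAIL_THRESHOLD = 3                   # failed logins inside BULK_WINDOW

# Constructed sample log (fictional users and patient IDs).
# One event per line: timestamp user action patient outcome
SAMPLE_LOG = """\
2024-03-04T08:05:00 u1001 VIEW P-2001 OK
2024-03-04T08:06:00 u1001 VIEW P-2002 OK
2024-03-04T08:07:00 u1001 VIEW P-2003 OK
2024-03-04T08:08:00 u1001 VIEW P-2004 OK
2024-03-04T08:09:00 u1001 VIEW P-2005 OK
2024-03-04T09:30:00 u1002 VIEW P-3001 OK
2024-03-04T09:31:00 u1002 VIEW P-2001 OK
2024-03-04T22:15:00 u1002 VIEW P-3001 OK
2024-03-04T23:00:00 u1003 LOGIN - FAIL
2024-03-04T23:00:20 u1003 LOGIN - FAIL
2024-03-04T23:00:40 u1003 LOGIN - FAIL
"""


def parse_log(text):
    """Parse the whitespace-separated audit lines into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, patient, outcome))
    return events


def review(events):
    """Apply the detection rules in time order and return the alerts raised."""
    alerts = []
    recent = defaultdict(list)    # user -> [(ts, patient)] inside BULK_WINDOW
    failures = defaultdict(list)  # user -> [ts] of failed logins inside BULK_WINDOW
    bulk_flagged = set()          # alert once per user for bulk access

    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action == "LOGIN":
            if e.outcome == "FAIL":
                failures[e.user] = [t for t in failures[e.user] if e.ts - t <= BULK_WINDOW] + [e.ts]
                if len(failures[e.user]) >= FAIL_THRESHOLD:
                    alerts.append(Alert("AUTH_FAILURE_BURST", e.user,
                                        f"{len(failures[e.user])} failed logins by {e.ts}"))
                    failures[e.user] = []
            continue

        # Everything else is an access to a patient record.
        if e.patient not in ASSIGNMENTS.get(e.user, set()):
            alerts.append(Alert("SCOPE_VIOLATION", e.user, f"{e.action} {e.patient} at {e.ts}"))
        if not BUSINESS_HOURS[0] <= e.ts.hour < BUSINESS_HOURS[1]:
            alerts.append(Alert("AFTER_HOURS", e.user, f"{e.action} {e.patient} at {e.ts}"))

        window = [(t, p) for t, p in recent[e.user] if e.ts - t <= BULK_WINDOW] + [(e.ts, e.patient)]
        recent[e.user] = window
        distinct = {p for _, p in window}
        if len(distinct) >= BULK_THRESHOLD and e.user not in bulk_flagged:
            bulk_flagged.add(e.user)
            alerts.append(Alert("BULK_ACCESS", e.user,
                                f"{len(distinct)} distinct records within {BULK_WINDOW}"))
    return alerts


def users_to_lock(alerts):
    """Rules severe enough to trigger an automatic lockout pending review."""
    return {a.user for a in alerts if a.rule in {"SCOPE_VIOLATION", "AUTH_FAILURE_BURST"}}


if __name__ == "__main__":
    found = review(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a.rule:<20} {a.user}  {a.detail}")
    print("lock out:", sorted(users_to_lock(found)))
```

Run against the sample log, the review raises one alert per rule: u1001 opens five distinct records in four minutes, u1002 opens a record not assigned to them and later works after hours, and u1003 fails to log in three times in a row. Only the scope violation and the login burst are treated as lockout-worthy; bulk and after-hours access are routed to a reviewer, since both have legitimate explanations in a clinical setting. In a real deployment the assignment table would come from the access-management process required by §164.308(a)(4), and the lockout action would be carried out by the identity provider rather than by this script.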
The integrity controls standard requires covered entities and business associates to implement policies and procedures to protect electronic PHI from improper alteration or destruction, yet its sole (addressable) implementation specification calls for a mechanism to corroborate that electronic PHI has not been altered or destroyed in an unauthorized manner.
In practice the mechanisms are what deliver the policy. Covered entities and business associates can comply with this standard by combining access controls that grant authorized users read-only or least-privilege access, audit controls that flag anomalous alterations or deletions (or require them to be reviewed), and a corroboration mechanism such as a checksum, keyed hash, or digital signature over each record so that an unauthorized change or deletion can be detected.
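A corroboration mechanism of the kind just described, as an added example that is not code from the original page: each record is tagged with a keyed MAC (HMAC-SHA256), and a manifest MAC covers the set of record tags so that a deleted record is noticed too. A plain, unkeyed hash would not do here, because whoever can alter a record can usually recompute its hash; the key is what makes the tag a corroboration rather than a checksum. The key, the record layout and the record IDs are assumptions, and the patient data is fictional.

```python
"""Corroborating that stored ePHI records have not been altered or deleted.

Added example, not code from the original page. Each record gets a keyed
MAC (HMAC-SHA256), and a manifest MAC covers the set of record tags so
that a deleted record is noticed too. The key, record layout and IDs are
assumptions; the patient data is fictional."""
import hashlib
import hmac
import json


def canonical(obj):
    """Stable byte encoding so the MAC does not depend on dict ordering."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def tag_record(key, record):
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def build_manifest(key, records):
    """records: {record_id: record}. Returns per-record tags plus a MAC over them."""
    tags = {rid: tag_record(key, rec) for rid, rec in records.items()}
    return {"tags": tags, "mac": hmac.new(key, canonical(tags), hashlib.sha256).hexdigest()}


def verify(key, records, manifest):
    """Return a list of (finding, record_id); an empty list means everything corroborates."""
    findings = []
    expected_mac = hmac.new(key, canonical(manifest["tags"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(manifest["mac"], expected_mac):
        findings.append(("MANIFEST_TAMPERED", None))
    for rid, tag in manifest["tags"].items():
        if rid not in records:
            findings.append(("DELETED", rid))
        elif not hmac.compare_digest(tag_record(key, records[rid]), tag):
            findings.append(("ALTERED", rid))
    for rid in records:
        if rid not in manifest["tags"]:
            findings.append(("UNTRACKED", rid))
    return findings


def authorized_update(key, records, manifest, rid, changes):
    """A reviewed change: apply it and re-sign, so verify() accepts the new state."""
    records[rid].update(changes)
    return build_manifest(key, records)


def sample_records():
    """Constructed, fictional records."""
    return {
        "P-2001": {"name": "A. Example", "allergies": ["penicillin"], "dob": "1970-01-01"},
        "P-3001": {"name": "B. Example", "allergies": [], "dob": "1985-05-05"},
    }


def demo(key=b"demo-key-kept-out-of-the-app-db"):
    """Sign a data set, then tamper with it the way an unauthorized actor would."""
    records = sample_records()
    manifest = build_manifest(key, records)
    clean = verify(key, records, manifest)

    tampered = sample_records()
    tampered["P-2001"]["allergies"] = []  # silently drops the allergy
    del tampered["P-3001"]                # destroys a record
    findings = verify(key, tampered, manifest)

    # An authorized, reviewed change passes because the manifest is re-signed.
    manifest2 = authorized_update(key, records, manifest, "P-2001",
                                  {"allergies": ["penicillin", "latex"]})
    after_update = verify(key, records, manifest2)
    return clean, findings, after_update


if __name__ == "__main__":
    clean, findings, after_update = demo()
    print("clean data set:", clean)
    print("tampered data set:", findings)
    print("after authorized update:", after_update)
```

The design point is key custody: the MAC key must be held by the verification process (for example an integrity-check job or an HSM-backed service), not by the application account that writes records, otherwise the same compromised credential that alters a record can re-sign it. That separation is exactly the least-privilege split the access controls standard asks for, and the findings list is what the audit controls would alert on.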
The authentication controls standard is very loosely worded inasmuch as it requires covered entities and business associates to implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed. Issuing each authorized user with a unique user ID (as required by the Access Controls above) together with a password or PIN would, on its face, satisfy this requirement.
However, considering the extent of password sharing in healthcare, one has to question whether this is sufficient to adequately meet the objectives of protecting electronic PHI and controlling access to it. Therefore, covered entities and business associates may want to consider additional measures such as biometric login or multi-factor authentication for some accounts.
The transmission security standard is a good example of when it is difficult to find suitable alternatives to addressable implementation specifications. Its two addressable implementation specifications require covered entities and business associates to implement integrity controls and encryption to protect the confidentiality and integrity of electronic PHI in transit.
Therefore, unless electronic PHI is only ever transmitted within an enclosed network with no remote access available (which would make it difficult to comply with the Emergency Access Procedures above), covered entities and business associates are effectively required to implement robust integrity controls and to encrypt electronic PHI in transit (for example, with TLS for web and API traffic) to comply with this standard.
Complying with the HIPAA Technical Safeguards
As mentioned above, HIPAA is technology neutral. Therefore, HHS’ Office for Civil Rights does not prescribe specific technologies or configurations for covered entities or business associates finding it difficult to comply with the HIPAA Technical Safeguards. However, technology is evolving at a rapid pace and there are solutions available now that did not exist when the HIPAA Technical Safeguards were originally published.
Therefore, covered entities and business associates that are finding it difficult to comply with the HIPAA Technical Safeguards should speak with compliance experts who have experience in automation and compliance-as-code solutions. These solutions are becoming simpler to understand, deploy, and configure, and can help covered entities and business associates comply more easily with the Security Rule as a whole and support the objectives of the HIPAA Technical Safeguards.