The HHS’ Office for Civil Rights has recently reminded HIPAA-covered entities and their business associates about the importance of carefully controlling access to electronic protected health information (ePHI).
In its 2021 Summer Cybersecurity Newsletter, OCR explained that 61% of healthcare data breaches were caused by external threat actors and 39% by insiders. Many of these healthcare data breaches involved hackers, workforce members, and the public gaining access to personal and healthcare data that has been left unprotected on servers. These data breaches could have been prevented if appropriate authorization policies and procedures and access controls had been implemented, as required by the HIPAA Security Rule.
There are two standards in the HIPAA Security Rule that cover information access management and access control. The former is detailed in the administrative safeguards and the latter in the technical safeguards of the HIPAA Security Rule, with each having several implementation specifications.
Some of these implementation specifications are required elements and must be implemented, while others are addressable implementation specifications. Addressable implementation specifications must also be implemented unless an alternative, appropriate measure is implemented in its place that provides an equivalent level of protection. In cases where an alternative is implemented, the reasoning behind that decision must be documented.
Security Rule Administrative Safeguards: Information Access Management
The Information Access Management standard calls for covered entities and business associates to “implement policies and procedures for authorizing access to [ePHI] that are consistent with the applicable requirements of [the HIPAA Privacy Rule].”
Two of the three implementation specifications generally apply to covered entities and business associates, with the third more appropriate for healthcare clearinghouses.
Access Authorization covers policies for granting access to ePHI within an organization, such as how access to each system containing ePHI is requested, authorized, granted, and rescinded, and who is responsible for processing the requests. Policies should be set for each workforce role and should be limited to only the systems and ePHI that are required for a user to perform their work duties, in line with the HIPAA Minimum Necessary Standard.
Access Establishment and Modification covers procedural aspects about how access is established, documented, reviewed, and modified. Policies and procedures should be developed and implemented to cover access to ePHI, including changes to access when job roles change and in emergency situations such as the COVID-19 pandemic when remote access may be required.
Security Rule Technical Safeguards: Access Control
The Access Control standard applies to all covered entities and business associates and requires access controls to be implemented in line with the organization’s Information Access Management process.
The HIPAA Security Rule lacks specifics in this area to ensure it remains flexible and scalable as technology changes. OCR suggests access controls can include user-based access, attribute-based access, or role-based access, or any other access control mechanisms that are determined to be appropriate. OCR suggests firewalls, network segmentation, and network access control (NAC) solutions can be used to control access, as well as computer controls.
If access controls are properly implemented, they can prevent hackers from accessing other systems once network access is gained, as well as limiting the potential for the network to be accessed in the first place.
There are four implementation specifications of Access Control which restrict access to authorized users and software programs:
Unique User Identification (Required)
Unique user identification is essential for systems containing ePHI to ensure that the interactions of individuals with ePHI can be tracked and traced. This is vital for data breach investigations, whether to investigate snooping on medical records or to identify which users are victims of phishing attacks.
Emergency Access Procedure (Required)
In certain situations, normal procedures for obtaining ePHI may not be available or may be severely limited. Policies and procedures must be developed for access to ePHI during emergencies to ensure access remains controlled, for example when employees are teleworking during the pandemic.
Automatic Logoff (Addressable)
Automatic logoff ensures that access to ePHI is blocked automatically after a set period of inactivity. In an emergency situation, there may not be time to log off from a system. Without automatic logoff, the risk of unauthorized access and data destruction increases, and it can be difficult to attribute any malicious actions to a specific individual.
Encryption and Decryption (Addressable)
Encryption reduces the risk of unauthorized access to data should a hacker gain access to the network or a portable device containing ePHI. Not only will encryption prevent unauthorized access, it will also allow the safe harbor provision of the Breach Notification Rule to be leveraged. Breaches of encrypted ePHI are not reportable data breaches and do not warrant breach notification letters.
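The following is an added example, not code from OCR or from the article, showing how three of the four Access Control implementation specifications above (unique user identification, an emergency "break-glass" access procedure, and automatic logoff) can be enforced together in one ePHI access gate, with every decision written to an audit log keyed by the individual user ID. The user directory, roles, record types and 15-minute idle timeout are assumptions; encryption at rest is outside this snippet.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed directory of individual accounts -> role. Shared or generic accounts
# are deliberately absent, so they can never obtain a session.
USER_DIRECTORY: Dict[str, str] = {"jdoe": "physician", "asmith": "billing"}
# Role-based, minimum-necessary permissions over assumed ePHI record types.
ROLE_PERMISSIONS: Dict[str, set] = {
    "physician": {"clinical_notes", "lab_results"},
    "billing": {"billing_records"},
}
IDLE_TIMEOUT_SEC = 15 * 60  # automatic logoff after 15 idle minutes (assumed)


@dataclass
class Session:
    user_id: str  # unique per individual, so every action is attributable
    role: str
    last_activity: float


@dataclass
class AccessGate:
    audit_log: List[dict] = field(default_factory=list)

    def login(self, user_id: str, now: float) -> Optional[Session]:
        """Unique user identification: only named individual accounts get a session."""
        role = USER_DIRECTORY.get(user_id)
        return Session(user_id, role, now) if role else None

    def request(self, s: Session, record_type: str, now: float,
                emergency_reason: Optional[str] = None) -> bool:
        """Decide one ePHI access; every decision is logged against the user id."""
        # Automatic logoff: an idle session is refused rather than silently reused.
        if now - s.last_activity > IDLE_TIMEOUT_SEC:
            return self._decide(s, record_type, now, False, "session timed out")
        s.last_activity = now
        if record_type in ROLE_PERMISSIONS.get(s.role, set()):
            return self._decide(s, record_type, now, True, "within role")
        # Emergency access procedure: break-glass is allowed only with a
        # documented reason, and the entry is flagged for later review.
        if emergency_reason:
            return self._decide(s, record_type, now, True, "break-glass: " + emergency_reason)
        return self._decide(s, record_type, now, False, "outside role")

    def _decide(self, s: Session, record_type: str, now: float,
                granted: bool, reason: str) -> bool:
        self.audit_log.append({"user_id": s.user_id, "role": s.role, "record": record_type,
                               "time": now, "granted": granted, "reason": reason})
        return granted
```

Reviewing entries whose reason starts with "break-glass" gives the periodic emergency-access review that the Access Establishment and Modification specification calls for.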
“The rise in data breaches due to hacking as well as threats to ePHI by malicious insiders highlight the importance of establishing and implementing appropriate policies and procedures regarding these Security Rule requirements,” explained OCR. “Ensuring that workforce members are only authorized to access the ePHI necessary and that technical controls are in place to restrict access to ePHI can help limit potential unauthorized access to ePHI for both threats.”