Many healthcare data breaches are reported each year that involve unauthorized individuals gaining access to electronic protected health information (ePHI) stored on unsecured servers, including on-premises servers and those of cloud service providers. Without proper authentication and access controls, ePHI is exposed and can be accessed by anyone who knows where to look. In some cases, search engines find the exposed data and include the resources in their listings, making ePHI much easier to find.
There are two standards in the HIPAA Security Rule that, if implemented correctly, will reduce the risk of these data breaches. They are Information Access Management and Access Control and can be found in the administrative and technical safeguards of the HIPAA Security Rule. The importance of compliance with both standards has recently been highlighted by the Department of Health and Human Services’ Office for Civil Rights in its Summer 2021 Cybersecurity Newsletter.
Information Access Management
Information access management is in the administrative safeguards and requires covered entities and business associates to “implement policies and procedures for authorizing access to [ePHI] that are consistent with the applicable requirements of [the HIPAA Privacy Rule].”
The two implementation specifications that apply to HIPAA covered entities and business associates generally are Access Authorization (see 45 CFR 164.308(a)(4)(ii)(B)) and Access Establishment and Modification (see 45 CFR 164.308(a)(4)(ii)(C)). Both are addressable implementation specifications, which means they must be implemented if doing so is reasonable and appropriate; if not, the entity must document why and, where reasonable, implement an equivalent alternative measure that achieves the same purpose. In such cases, the decision to use an alternative measure and the reasoning behind it must be documented.
Access Authorization requires policies and procedures to be developed and implemented for granting access to ePHI within an organization. Those policies and procedures must cover how access to each system containing ePHI is requested, authorized, granted, and modified. Authorization policies are commonly role-based: each workforce role is granted access only to the specific systems and data its members need to complete their job duties.
Access Establishment and Modification concerns the procedural aspects of establishing, documenting, reviewing, and modifying access to workstations, processes, and applications. Policies and procedures are required for each of these elements, covering both normal and emergency situations, to ensure that access to ePHI, or to systems that contain ePHI, remains appropriate for an individual's current role.
Access Control
Access Control is in the technical safeguards of the HIPAA Security Rule and requires covered entities and business associates to “implement access controls for electronic information systems to allow access to ePHI only to those approved in accordance with the organization’s Information Access Management process.”
To remain technology agnostic, the Security Rule does not specify which access control mechanisms must be used. OCR says these controls include “role-based access, user-based access, attribute-based access, or any other access control mechanisms the organization deems appropriate.”
Operating-system and application-level controls are the most common, but network controls such as firewalls, network segmentation, and network access control (NAC) solutions are also acceptable if they effectively restrict access to ePHI. Well-designed access controls limit an attacker's ability to reach ePHI directly, and limit movement to systems containing ePHI if the network perimeter is breached.
There are four implementation specifications, two of which are required and two are addressable (See 45 CFR 164.312(a)):
- Unique User Identification (Required)
- Emergency Access Procedure (Required)
- Automatic Logoff (Addressable)
- Encryption and Decryption (Addressable)
It must be possible to determine which users are accessing ePHI for logging and monitoring to be effective. Without unique user IDs it is not possible to easily link interactions with ePHI to a specific individual. This matters both for investigating unauthorized access by employees (snooping) and for scoping what was accessed when a set of credentials has been compromised; a shared or generic account makes either investigation inconclusive.
Emergency access procedures are required to cover times when normal procedures cannot be followed, so that access to ePHI can still be controlled rather than abandoned. For example, these procedures were needed when workers had to access ePHI remotely, such as during the pandemic to conduct telehealth visits from home.
It may not be possible to log off from a system manually, such as in an emergency when a patient in critical condition arrives in the ER and a clinician leaves a workstation without closing the session. Automatic logoff terminates the session after a set period of inactivity so that an unattended, authenticated workstation does not become an open door to ePHI.
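The following is an added illustration, not code from the article or from OCR, of how three of the access control specifications above fit together in one enforcement layer: a role-based policy that only returns the ePHI fields a role is authorized for, sessions keyed to a unique user ID so every decision lands in an audit trail attributable to one person, an inactivity timeout that destroys the session before any data is returned (automatic logoff), and a "break-glass" login that satisfies an emergency access procedure by allowing access outside the role policy while flagging it for review. The role names, field names, patient records and the 15-minute timeout are all hypothetical values chosen for the example.

```python
"""Illustrative ePHI access-control layer (added example; not the article's or OCR's code).
Role names, record fields, patient data and the timeout value are constructed for the demo."""
import secrets
import time
from dataclasses import dataclass

# Role-based policy: which ePHI fields each workforce role may read (hypothetical roles).
ROLE_POLICY = {
    "physician": {"chart", "medications"},
    "billing_clerk": {"insurance"},
    "it_admin": set(),  # maintains the system, has no need to read patient data
}

# Constructed sample records; no real patient data.
PATIENTS = {
    "P-1001": {"chart": "chart-1001", "medications": "meds-1001", "insurance": "ins-1001"},
    "P-1002": {"chart": "chart-1002", "medications": "meds-1002", "insurance": "ins-1002"},
}

IDLE_TIMEOUT_SECONDS = 15 * 60  # inactivity before automatic logoff (assumed value)


@dataclass
class Session:
    user_id: str          # unique per person; shared or generic accounts defeat the audit trail
    role: str
    last_activity: float
    break_glass: bool = False  # emergency access granted outside the normal role policy


class EphiAccessControl:
    def __init__(self, policy, records, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self.policy = policy
        self.records = records
        self.idle_timeout = idle_timeout
        self.clock = clock      # injectable so the timeout can be exercised deterministically
        self.sessions = {}      # session token -> Session
        self.audit_log = []     # every decision, tied to the unique user ID

    def _audit(self, user_id, patient_id, field, outcome, note=""):
        self.audit_log.append({"time": self.clock(), "user_id": user_id, "patient_id": patient_id,
                               "field": field, "outcome": outcome, "note": note})

    def login(self, user_id, role, emergency_reason=None):
        """Create a session. Supplying emergency_reason opens a break-glass session that
        bypasses the role policy; the reason and every read are recorded for later review."""
        if role not in self.policy:
            raise PermissionError(f"unknown role {role!r}")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user_id, role, self.clock(),
                                       break_glass=emergency_reason is not None)
        self._audit(user_id, None, None, "login", emergency_reason or "")
        return token

    def logout(self, token):
        sess = self.sessions.pop(token, None)
        if sess is not None:
            self._audit(sess.user_id, None, None, "logout")

    def read(self, token, patient_id, field):
        sess = self.sessions.get(token)
        if sess is None:
            raise PermissionError("no active session")
        now = self.clock()
        if now - sess.last_activity > self.idle_timeout:
            # Automatic logoff: the idle session is destroyed before any data is returned.
            del self.sessions[token]
            self._audit(sess.user_id, patient_id, field, "denied", "session expired (auto-logoff)")
            raise PermissionError("session expired")
        sess.last_activity = now
        if field not in self.policy[sess.role] and not sess.break_glass:
            self._audit(sess.user_id, patient_id, field, "denied", f"not permitted for role {sess.role}")
            raise PermissionError(f"role {sess.role!r} may not read {field!r}")
        if patient_id not in self.records:
            raise KeyError(patient_id)  # checked only after authorization, so existence is not leaked
        self._audit(sess.user_id, patient_id, field, "granted", "break-glass" if sess.break_glass else "")
        return self.records[patient_id][field]

    def accesses_by(self, user_id):
        """The question unique user IDs make answerable: what ePHI did this person actually read?"""
        return [e for e in self.audit_log if e["user_id"] == user_id and e["outcome"] == "granted"]


if __name__ == "__main__":
    ac = EphiAccessControl(ROLE_POLICY, PATIENTS)
    dr = ac.login("dr.smith", "physician")
    print(ac.read(dr, "P-1001", "chart"))
    clerk = ac.login("j.doe", "billing_clerk")
    try:
        ac.read(clerk, "P-1001", "chart")
    except PermissionError as exc:
        print("denied:", exc)
    for entry in ac.audit_log:
        print(entry)
```

The audit entries are what make the unique-user-ID requirement useful: `accesses_by()` answers a snooping or compromised-credential investigation for one person, which is impossible when several people share an account. Break-glass sessions are deliberately noisy in the log so that an emergency access procedure remains controlled and reviewable rather than becoming a permanent bypass.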
Encryption of data is important for preventing unauthorized access, especially on portable electronic devices that store ePHI or can be used to access it. Encryption at rest also limits what an attacker who obtains a copy of the data can do with it, provided the keys are kept separate from the data and are not compromised. If encrypted ePHI is lost or stolen, the safe harbor provision of the Breach Notification Rule applies and breach notifications are not required, but only where the encryption meets the HHS guidance on rendering PHI unusable, unreadable, or indecipherable and the decryption key was not also compromised.
Covered entities and business associates that fully comply with these standards of the HIPAA Security Rule will be better placed to ensure the confidentiality, integrity, and availability of ePHI, and will greatly reduce the risk of data breaches and the resulting penalties for noncompliance.
“The rise in data breaches due to hacking as well as threats to ePHI by malicious insiders highlight the importance of establishing and implementing appropriate policies and procedures regarding these Security Rule requirements,” explained OCR in its cybersecurity newsletter. “Ensuring that workforce members are only authorized to access the ePHI necessary and that technical controls are in place to restrict access to ePHI can help limit potential unauthorized access to ePHI for both threats.”