Since its enactment by the US Congress in 1996 and signature by President Clinton, HIPAA (Health Insurance Portability and Accountability Act of 1996) has required covered entities to control access to confidential health information. Under its Security Rule, all covered entities must implement effective information system access controls as an active part of their technical safeguards. Together, these safeguards act as a complementary barrier alongside the facility access controls of the physical safeguards.
The federal government has long recognized that technical safeguards must be in place because of the growth of Internet activity in the healthcare industry. As technology continues to advance, many new security challenges have arisen, placing healthcare organizations at the forefront of protecting electronic protected health information (ePHI), including health records, from numerous external and internal attacks. To mitigate the risks to ePHI, all covered entities are required to implement technical safeguards that follow the standards that have been set in place.
To enforce access control, many technical policies and procedures have been developed to protect ePHI. By law, access is granted only to the individuals specified under the Information Access Management (IAM) standard.
Four Implementation Specifications
In all, the HIPAA standard for access control is based on four implementation specifications. Two of the four are required and two are addressable:
- Unique User Identification (Required)
- Emergency Access Procedure (Required)
- Encryption and Decryption (Addressable)
- Automatic Logoff (Addressable)
User ID and Emergency Procedures
Both unique user identification and the emergency access procedure are mandatory. Each individual must be assigned a unique number and/or name that can be used to identify and track that person's activity. Under the rule, every individual granted access must use their own unique user identification. An emergency access procedure must be established so that the necessary electronic protected health information can be obtained during an emergency.
Encryption/Decryption and Logoff
The two addressable specifications are encryption/decryption and automatic logoff. Under the encryption/decryption specification, the entity implements the mechanisms necessary to encrypt and decrypt ePHI. Under the automatic logoff specification, the system terminates an electronic session after a specific, pre-determined period of inactivity.
Security Rule Telecommuting Requirements
According to the U.S. Department of Health and Human Services, any individual working from a home-based office, or telecommuting, is required to follow all access control procedures, including automatic logoff.
All covered entities that offer telecommuting options, including work from a home-based office, must follow standard procedures. Any employee using electronic protected health information is required to apply all the appropriate safeguards necessary to protect the data of the individual and the organization.
The automatic logoff implementation specification must be addressed and maintained. If an employee's session is found to be inactive for the assessed period, the entity's safeguard must log them off of their environment.
Following the Standards
Every covered entity must consider whether or not it is following the standards. It needs to ensure that every member of its workforce has been given a unique user identifier and understands the format currently used to implement that identification. Additionally, the unique user identifier must make it possible to track all user activity within the organization's information system at every level that contains electronic protected health information.
The United States government understands that under emergency conditions, normal operating circumstances might not be possible. In those times, every covered entity is required to evaluate the situation and follow its established protocol for dealing with ePHI. The procedures might specify which individuals may gain access to the files during an emergency event. Those individuals must be fluent in the policies and procedures that have been set in place to activate access to electronic protected health information during emergency situations.
The Ultimate Control
Through HIPAA's predetermined protocols, organizations that encrypt and decrypt files can prevent access by individuals or software programs that lack full access rights. Each covered entity is required to provide reasonable and appropriate implementations of encryption/decryption mechanisms to prevent wrongful access to electronic protected health information by any software program or person that has not been granted full access rights.
The United States government, under HIPAA law, requires every covered entity to follow the mandated audit control standard. It requires that every covered entity "implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."
All the technical safeguards are put in place to control access to electronic protected health information. Through successful implementation of these procedures, organizations can ensure the integrity, availability, and confidentiality of all electronic protected health information.
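The unique user identification, automatic logoff, emergency access and audit control requirements described above can be seen working together in a single small session layer. The following is an added illustrative example, not code from the original article or from any HIPAA-mandated implementation: it keeps a per-user session keyed on the workforce member's unique identifier, terminates the session after a constructed 15-minute idle period (HIPAA leaves the actual period to the covered entity's risk assessment), flags emergency access for later review, and writes one audit record for every login, access, denial and logoff. The identifiers, record numbers and timeout value are all constructed for the example.

```python
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 900  # assumed policy value (15 min); the rule does not fix a period


@dataclass
class Session:
    user_id: str
    last_activity: float


@dataclass
class AccessController:
    """Tracks per-user sessions, enforces automatic logoff, and records every event."""
    workforce: set                      # unique identifiers issued to individual workforce members
    idle_timeout: float = IDLE_TIMEOUT_SECONDS
    sessions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _audit(self, now, user_id, event, **details):
        # Every entry carries the unique user identifier so activity can be traced to a person
        entry = {"ts": now, "user_id": user_id, "event": event, **details}
        self.audit_log.append(entry)
        return entry

    def login(self, user_id, now=None):
        now = time.time() if now is None else now
        if user_id not in self.workforce:
            # Shared or unissued names never get a session: no unique identifier, no access
            self._audit(now, user_id, "login_denied", reason="unknown identifier")
            return False
        self.sessions[user_id] = Session(user_id, now)
        self._audit(now, user_id, "login")
        return True

    def _session_for(self, user_id, now):
        """Return the live session, or None after enforcing the idle timeout."""
        session = self.sessions.get(user_id)
        if session is None:
            return None
        idle = now - session.last_activity
        if idle > self.idle_timeout:
            del self.sessions[user_id]
            self._audit(now, user_id, "auto_logoff", idle_seconds=round(idle))
            return None
        return session

    def access_record(self, user_id, record_id, now=None, emergency=False):
        now = time.time() if now is None else now
        session = self._session_for(user_id, now)
        if session is None:
            self._audit(now, user_id, "access_denied", record_id=record_id,
                        reason="no active session")
            return False
        session.last_activity = now
        # Emergency access is granted under the entity's procedure but always labelled for review
        event = "emergency_access" if emergency else "record_access"
        self._audit(now, user_id, event, record_id=record_id)
        return True

    def expire_idle(self, now=None):
        """Sweep all sessions; returns the identifiers that were automatically logged off."""
        now = time.time() if now is None else now
        return [uid for uid in list(self.sessions) if self._session_for(uid, now) is None]


def demo():
    """Constructed walk-through: a normal access, an idle timeout, and a shared-name login."""
    ac = AccessController(workforce={"jdoe-0412", "asmith-0933"})
    t0 = 1_700_000_000.0
    ac.login("jdoe-0412", now=t0)
    ac.access_record("jdoe-0412", "MRN-CONSTRUCTED-001", now=t0 + 60)
    # 20 minutes of inactivity exceeds the 15-minute policy: the session is closed and logged
    ac.access_record("jdoe-0412", "MRN-CONSTRUCTED-002", now=t0 + 60 + 1200)
    ac.login("shared-terminal", now=t0)  # no unique identifier was ever issued for this name
    return ac


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

Each audit entry is keyed on the unique user identifier rather than on a workstation or shared account, which is what lets the log satisfy the tracking requirement of the unique user identification specification and the "record and examine activity" requirement of the audit control standard at the same time.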