HIPAA Security Rule (6.22.05)
What is the HIPAA Security Rule?
The Health Insurance Portability and Accountability Act (HIPAA) mandated the creation and implementation of the Privacy Rule and the Security Rule. These Rules are separate but related. The Privacy Rule went into effect in April 2003 and addresses privacy protections of protected health information (PHI). The Security Rule went into effect in April 2005 and addresses specific safeguards for electronic PHI.
To what information/data does the HIPAA Security Rule apply?
The HIPAA Security Rule can be viewed as an extension of the HIPAA Privacy Rule. The Security Rule mandates that we secure and protect patient privacy as it relates to all forms of electronic protected health information (ePHI).
The following 18 identifiable elements define what constitutes Protected Health Information (PHI), electronic or not:
- Names;
- All elements of dates (except year) for dates directly related to an individual, including: birth date, admission date, date of procedure, discharge date, date of death;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images;
- All geographic subdivisions smaller than a State, including: street address, city, county, precinct, zip code, and their equivalent geocodes;
- Any other unique identifying number, characteristic or code (e.g., pathology accession numbers).
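As an added example (not code from the original page or from Partners), the following Python checks a patient record against the identifier classes listed above and produces a copy with those identifiers removed, keeping only the year of any date. The field names, the simplified regular expressions and the sample record are all constructed for this illustration; identifiers without a recognisable shape (names, record numbers, geography) are matched by field name rather than by pattern.

```python
import re

# Fields that are identifiers by definition (constructed field names for this example)
IDENTIFIER_FIELDS = {
    "name": "names", "mrn": "medical record numbers", "account_no": "account numbers",
    "device_serial": "device identifiers and serial numbers",
    "street": "geographic subdivisions smaller than a State",
    "city": "geographic subdivisions smaller than a State",
    "zip": "geographic subdivisions smaller than a State",
}
# Identifiers with a recognisable shape, found inside free text (simplified regexes)
PATTERNS = {
    "social security numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone/fax numbers": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "electronic mail addresses": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP address numbers": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "web URLs": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "dates (elements other than year)": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b"),
}
DATES = PATTERNS["dates (elements other than year)"]

def find_identifiers(record: dict) -> dict:
    """Return {field: [identifier categories]} for every field that carries PHI."""
    hits = {}
    for field, value in record.items():
        cats = [IDENTIFIER_FIELDS[field]] if field in IDENTIFIER_FIELDS else []
        cats += [cat for cat, rx in PATTERNS.items() if rx.search(str(value))]
        if cats:
            hits[field] = cats
    return hits

def _year_only(m: re.Match) -> str:
    # "2005-04-21" -> "2005", "03/14/2005" -> "2005": only the year may remain
    s = m.group(0)
    return s[:4] if "-" in s else s.rsplit("/", 1)[-1]

def redact(record: dict) -> dict:
    """Drop identifier fields, reduce dates to the year, mask other pattern hits."""
    out = {}
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            continue
        text = DATES.sub(_year_only, str(value))
        for rx in PATTERNS.values():
            if rx is not DATES:
                text = rx.sub("[REDACTED]", text)
        out[field] = text
    return out

SAMPLE = {  # constructed sample record, not real patient data
    "name": "Jane Q. Sample", "mrn": "MRN-0001234", "zip": "02114",
    "admission": "2005-04-21", "diagnosis_year": "2005",
    "note": "Pt called 617-555-0100; email jane@example.com; seen 03/14/2005.",
}

if __name__ == "__main__":
    print(find_identifiers(SAMPLE))
    print(redact(SAMPLE))
```

Such a scan only catches the identifier shapes it knows about; free-text notes still need a manual review before data leaves the covered environment.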
What are the standards for compliance with the HIPAA Security Rule?
The standards for protecting ePHI are divided into three categories: Administrative, Physical, and Technical. They require that policies and procedures on all three are clearly documented, regularly reviewed, and periodically updated. The level of risk (low, intermediate, high) as determined by your assessment for each system will help determine which controls from each of the three categories you employ.
Administrative standards:
Include but are not limited to completing a risk assessment, setting policies, procedures and training on controlling access to and protecting ePHI, conducting periodic security audits, completing Business Associate Agreements in situations where ePHI will be shared outside the Partners Network, and appointing an office/lab security officer to monitor standards.
Physical standards:
Include but are not limited to setting controls on physical access to buildings, offices, labs and devices that house ePHI, setting policies on transfer and back-up of ePHI and the secure disposal of devices that housed ePHI (e.g., hard drives), and developing a system to document the maintenance of computer systems, facility locks, and data closets.
Technical standards:
Include but are not limited to securing the network, servers, desktop computers, laptops, portable devices (e.g. Palm Pilot), and removable media (e.g. diskettes, CDs, thumbdrives), securing electronic transfer of data (e.g. email, PGP, SFTP), setting automatic logoff for devices, assigning unique usernames and passwords for each user, and automatic auditing and logging of system access.
For more detailed information on the Administrative, Physical and Technical standards, go HERE (download in .pdf format).
What are some immediate steps you can take to secure ePHI?
Here are some suggestions to get started. For more detailed information on how to comply with the Administrative, Physical, and Technical standards, go HERE (download in .pdf format).
1. Avoid a shared folder environment on your server where all folders are open to all users. Manage permissions using local users and groups and assure that all users have their own secure usernames and passwords.
2. When you view data through a web browser, some of that data will remain on your hard drive in a temporary folder. Clear your web browser temporary files after accessing data via a web application. Learn how HERE.
3. Follow good password practices:
a. Password protect all devices: servers, desktops, portables, removable media (e.g. thumbdrive).
b. Create secure passwords: 6-8 characters with at least one capital letter and one digit.
c. Protect your passwords. Don't share them or post them next to the machines to which they belong.
d. Use a unique password for each machine and for each user.
4. For non-Partners build servers, desktops, and laptops:
a. Secure new devices before connecting to the Network by applying all security patches and installing anti-virus software. Do the same to keep existing desktops, laptops, and servers secure. Visit the Partners Research Computing website HERE for PC information and HERE for Mac information, or call the Help Desk and request that a tech stop by to assist you.
b. Request Partners Information Security to do a vulnerability scan on your servers; this is quick, free and will identify potential security risks and how to mitigate them.
c. Install anti-virus software, and set it for auto-update and for scheduled scans. Visit the Partners Research Computing website HERE for information.
d. Install and run anti-spyware software regularly, as you would anti-virus software. Visit the Partners Research Computing website HERE for information.
e. Non-Partners build PCs and Macs do not have the built-in screensaver timeout feature that Partners PCs have. Always log out and clear the browser cache before walking away from a non-Partners build PC or Mac after viewing ePHI. Configure a password-enabled screensaver on non-Partners build PCs and Macs that host or are used to view ePHI; this may not be possible in all instances. For directions on how to configure a password-enabled screensaver for the Mac, go HERE. For PCs, go HERE (PHS internal only links).
5. For e-mail guidelines see the Partners policy 'Safeguarding Electronic Communications' (this includes information on fax, e-mail, pagers, etc.) (PHS internal only link).
6. Securely dispose of all devices that housed ePHI (PCs, Macs, servers, hard drives, other removable media). For more information see the webpage 'Computer Disposal' (PHS internal only link).