Section 1
HIPAA Privacy Rule and Security Rule
The Privacy Rule applies to protected health information (PHI), that is, individually identifiable health information created or received by a covered entity (CE). Covered entities are health plans, health care clearinghouses, Medicare prescription drug card sponsors, and health care providers who transmit health information electronically. The rule does not apply directly to the individual employees of a CE; it applies to the CE itself, which is responsible for its own workforce. Business associates of a CE are subject to some of its provisions. Use and disclosure of PHI by a CE is governed by the Privacy Rule and, outside of treatment, payment, and health care operations, requires written authorization from the individual. Two disclosures are required rather than merely permitted: to the individual when he or she asks for access to the record or an accounting of PHI disclosures, and to HHS when it needs the information for a compliance investigation or enforcement action.
The Security Rule applies to PHI in electronic form (EPHI). It requires CEs to maintain reasonable and appropriate administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of EPHI, protect it against reasonably anticipated threats and hazards, and prevent unauthorized use and disclosure. The CE must also obtain, through written agreements, satisfactory assurances that its business associates, and their contractors and subcontractors who create, receive, maintain, or transmit EPHI on its behalf, implement the same kinds of safeguards. The agreement must authorize the CE to terminate the contract if the business associate violates a material term. The CE is not liable for the business associate's violations unless it knew of a pattern of activity or practice that constituted a material breach and failed to take reasonable corrective steps.
Types of Incidents and Breaches
Based on the cases reviewed, the incidents included:
Violation of minimum necessary requirements for communicating confidential PHI
Use and disclosure of information without written authorization from the patient by CEs and business associates
Not sending notices of privacy practices to the patient
Lack of policies to safeguard PHI
Not providing the patient access to his or her full medical record
Disregarding patient’s request for confidential communication
Requiring the patient to sign an agreement to not go public about the physician, his expertise, and other details
Technical and Non-technical controls
The controls that prevent breaches and violations such as those above fall into three groups: technical, physical, and administrative. The technical safeguards are access control, audit controls, integrity, person or entity authentication, and transmission security. Access control covers unique user identification (required), an emergency access procedure (required), automatic logoff, and encryption and decryption of EPHI at rest (the last two are addressable, meaning the CE must implement them or document why an alternative is reasonable). Audit controls are the hardware, software, and procedural mechanisms, such as system logs and logbooks, that record and allow examination of activity in systems holding EPHI. Integrity controls protect EPHI from improper alteration or destruction, for example by checksum verification of stored records. Person or entity authentication verifies that the party seeking access is who it claims to be, using a PIN or password, a smart card or token, a fingerprint or other biometric, or a combination of these. Transmission security is ensured by integrity controls and encryption of EPHI in transit. Administrative safeguards include security incident procedures, contingency plans, risk analysis and risk management, a sanction policy, regular information system activity review, workforce clearance and termination procedures, and security awareness training. Physical safeguards include facility access controls, workstation use and workstation security policies, and device and media controls covering disposal, reuse, and movement of hardware holding EPHI.
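The integrity and audit controls above are easiest to see in code. The following Python example is added here and is not from the original page or any particular product. It seals an EPHI record with a keyed checksum (HMAC-SHA256) so that a record altered without the key fails verification, and keeps an append-only audit trail in which each entry commits to the hash of the previous one, so that editing or deleting an earlier log entry is detectable. The key, record fields, and user identifiers are constructed sample values; in a real deployment the key would live in a key management system or HSM, not in source. A keyed checksum is used deliberately: a plain, unkeyed checksum can simply be recomputed by whoever modifies the record and therefore does not prove integrity against an insider.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample key for the example only; a real key belongs in a KMS/HSM.
INTEGRITY_KEY = b"example-integrity-key-replace-me"


def canonical(record: dict) -> bytes:
    # Sorted keys and fixed separators so semantically equal records hash identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Return a keyed checksum (HMAC-SHA256) over the canonical form of the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the checksum and compare in constant time to avoid a timing side channel."""
    return hmac.compare_digest(seal_record(record, key), tag)


class AuditLog:
    """Append-only, hash-chained audit trail: each entry includes the previous entry's hash."""

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self):
        self.entries = []

    def append(self, user_id: str, action: str, record_id: str, ts: str = None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "action": action,
            "record": record_id,
            "prev_hash": prev,
        }
        entry["entry_hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Walk the chain; any edited, reordered, or removed entry breaks a link."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev:
                return False
            if hashlib.sha256(canonical(body)).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo() -> dict:
    """Seal a constructed EPHI record, log access to it, then tamper with both."""
    record = {"mrn": "000123", "name": "J. Doe", "dx": "E11.9"}  # constructed sample EPHI
    tag = seal_record(record)
    log = AuditLog()
    log.append("dr_smith", "read", record["mrn"])
    log.append("dr_smith", "update", record["mrn"])
    tampered = dict(record, dx="Z00.00")  # diagnosis changed without re-sealing
    results = {
        "original_ok": verify_record(record, tag),
        "tampered_ok": verify_record(tampered, tag),
        "log_ok_before": log.verify(),
    }
    log.entries[0]["user"] = "nobody"  # someone edits the trail after the fact
    results["log_ok_after"] = log.verify()
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the record checksum must be re-sealed by an authorized code path whenever a legitimate update occurs, and that the audit log only detects tampering; preventing it requires shipping entries to a separate, write-once store that the application's own credentials cannot modify.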
Recommended Network Architecture for HIPAA Compliance
The most important network components are routers, firewalls, VPN concentrators, web servers, mail servers, and wireless access points. The border router is the first layer of defense: it sits at the network perimeter and permits or denies traffic based on source and destination addresses and protocols. The firewall is the second layer; it sits immediately behind the border router and applies both ingress and egress filtering, so that only published services are reachable from outside and internal hosts can only reach what they need. The VPN is used by remote users to reach the network; HIPAA prescribes no specific VPN configuration, so industry best practice (strong authentication and current encryption) should be followed. Mail and web servers must be kept patched, with antivirus signatures current, and should be placed in a DMZ between the firewall and the internal network so that a compromised server cannot reach EPHI directly. Mail servers should support message encryption such as PGP (Pretty Good Privacy) and enforce strong password-based authentication. Wireless access points should not keep the vendor default passwords or SSIDs and should use WPA2 with AES (CCMP) encryption, in addition to the usual best practices. Figure 1 shows a possible HIPAA-compliant network architecture.
HIPAA compliance for Hospitals vs. others
Hospitals are covered entities and are therefore subject to the same rules; the whole of the Privacy Rule applies to them. If the hospital is part of a university's academic medical center, the university may declare itself a hybrid entity and designate the hospital as its health care component. If it does not, the university as a whole is treated as a CE and the entire Privacy Rule applies to all of it. In both cases the hospital itself is subject to the entire Privacy Rule; only the non-health-care parts of the university can be left outside it, and only when the hybrid entity designation has been made.
List of Audit Steps to be covered in IT Audit Plan
The Phase 1 audit program consisted of an initial study, identification of covered entities, development of an audit protocol, conduct of the audits, and an evaluation of the program. In Phase 2, the Office for Civil Rights (OCR) sends a contact letter followed by a pre-audit questionnaire; selected auditees must submit the requested documentation electronically within 10 days; desk audits are completed on that documentation; some entities are then selected for on-site audit, which can lead to an investigation if a serious breach is found. The steps an IT audit plan for a HIPAA audit should cover are: developing privacy policies, appointing a privacy officer, conducting risk assessments regularly, adopting email and mobile device policies, training the workforce, issuing the notice of privacy practices, entering into valid business associate agreements, adopting breach response protocols, and verifying that the privacy policies are actually implemented.
Section 2
HIPAA Compliant Network Architecture Diagram
Figure 1: A possible HIPAA Compliant Network Architecture Diagram