What is the Health Insurance Portability and Accountability Act (HIPAA Privacy Rule)
The Health Insurance Portability and Accountability Act (HIPAA) and the HITECH1Act address the security and privacy of electronic protected health information (ePHI) and security concerns associated with the electronic transmission of health information. Compliance with the technical safeguard standard requires implementation of technical policies and controls over systems that maintain ePHI, allowing access only to those persons or software programs that have been granted access rights.
HIPAA Privacy Rule Auditing Requirements
The HIPAA privacy rule requires covered entities to audit all access to ePHI. This includes read-only access (SELECT), data changes (DML) and privileged activity such as changes to data structures (DDL) and changes to user access rights (DCL). The audit records must identify the end-user and application used, and provide additional details to support data breach investigations.
ePHI Confidentiality, Integrity and Security
Vulnerable web portals can expose ePHI web application attacks, including SQL injection and cross-site scripting (XSS) and should be protected by a web application firewall (WAF). Suspicious access to ePHI stored in files and databases should be alerted to or blocked. Database response monitoring is recommended for the identification and prevention of data leakage.
Limiting User Access to ePHI
HIPAA certification requires covered entities to restrict user access to ePHI based on need to know and tightly control user access rights. Centralized user rights management will automate reporting on user access rights, support review and approval processes, identify users with excessive rights and reduce costs associated with access control management.
Managing Vulnerabilities, Reducing the Risk of a Data Breach
Vulnerability assessments identify and evaluate ePHI leakage risks across web portals, databases and file systems. Virtual patching provides immediate protection and significantly reduces the risk of a data breach. It also enables development teams and administrators to develop and thoroughly test appropriate patches.
Streamlining Compliance with the HIPAA Privacy Rule
Effective implementation of access controls and audit processes requires making them repeatable. Centralized management of audit and assessment of heterogeneous systems simplifies the management of these processes. Automation reduces the amount of resources required to maintain HIPAA certification and provides a positive return on investment.
1HITECH Act: Health Information Technology for Economic and Clinical Health Act was enacted as part of the American Recovery and Reinvestment Act of 2009