President and CEO Chris Reddick and Vice-President of Sales and Marketing Ron Halversen discuss the importance of delineating who has authorization to access ePHI covered by HIPAA.

Part 6 of a 13-part series (Return to Part 5)

CHRIS: One of the things that you can do [is study] different scenarios. If you go to the general rules section of the official HIPAA website and you sort of dig into that, they specifically say that covered entities must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit. They must identify and protect against reasonably anticipated threats to the security or integrity of the information, protect against reasonably anticipated impermissible uses or disclosures, and then ensure compliance by their workforce.
 
It defines confidentiality to mean that ePHI data is not available or disclosed to an unauthorized person. And it goes on to sort of talk about this. They define that integrity means that it is not altered or destroyed in an unauthorized manner, and availability means that it is accessible and usable on demand by an authorized person. 


CHRIS: You're getting some core principles of HIPAA security here. You basically have this concept of authorization. What in the world is that? What does that mean? Think of it as a role. Somebody has a role or authorization to access something. Only when they have that role should they be able to access information.  

You can think of it as a bank vault. And although certain people work in the bank, not everyone has access to the inner bank vault. So some people might just have access to a teller station, others might be opening and closing the door. Some might be doing janitorial duties, whereas other folks literally can go into the heart of the bank, the vault itself. And so this is the same idea with authorization: Who has access and who doesn't? And this is something that you need to formally establish within your organization and adhere to. So this is part of the Security Rule with ePHI. 

Another thing is this whole concept of integrity. This is really important because there are a lot of electronic breaches, a lot of ransomware attacks that occur. Generally speaking, they're saying it should not be altered or destroyed. And this can happen whenever there's a HIPAA breach: the information can be altered.
 
You think about it again, with the authorization: somebody could make changes to a record if you don't have strict enforcement of authorization for access. To give a specific example, the caregivers who are providing for a specific patient should have access, but only for a certain amount of time during which they're providing care and possibly need access to follow up on that. Someone within the eCommerce healthcare organization or the covered entity should not be able to just search for someone randomly and get all of their ePHI information. That's sort of the antithesis of this.

The other thing about the HIPAA Security Rule is it generally states that there—and if you read on in this general rule section, when a covered entity is deciding which security measures to use, the rule does not dictate those measures, but it requires the covered entity to consider the following: the size, complexity, and capabilities of the covered entity; the covered entity's technical hardware and software infrastructure; the cost of security measures; and the likelihood and possible impact of potential risks to ePHI.


CHRIS: So again, this is saying you have to consider these things and you're going to want to document them and you're going to want to be at or above industry best practices for what's reasonable for your organization. And I'm not going to pretend to be a lawyer and try to interpret what this means for your organization. I can tell you, though, that, generally speaking, our objective, when we're working with clients, is to adopt industry HIPAA best practices and utilize those. And this really makes sense because of the way these rules are stated, to just go a little bit above and beyond, if not as much as you substantially can.  

If you're documenting that and memorializing it, you're focusing on these aspects: that we need to ensure the confidentiality, integrity and availability, protect against reasonably anticipated threats to your HIPAA compliant website (security issues or integrity issues with people accessing stuff they shouldn't be able to), protect against impermissible uses or disclosures and ensure compliance by the workforce. So if you have those principles and you're focusing on doing this within the context of what your organization can do and the potential risks to ePHI, you're really getting at the heart of the Security Rule.
 
Now, what are some of the mechanics of this? What do they really talk about as mechanical aspects? This gets into the risk analysis and management. So you've got to perform risk analysis and overall security management. They talk about how there should be a risk analysis process that at least includes the following: evaluating the likelihood and impact of potential risk to ePHI data, implementing appropriate security measures to address those risks identified. 
 
Again, you can use these free tools that are on the HHS official HIPAA website. They literally have multiple versions, one from NIST, one from HHS. And these are awesome tools. If you feel like, “Man, I'm lost, I don't feel comfortable doing this,” try downloading one of those tools and going through it. It literally has a step by step set of instructions. 
 
As Ron mentioned earlier, with Accountable HQ, we also have a video walking you through that step by step and do a simulated example going through this assessment. So please, please do not let yourself feel overwhelmed by this information. You can walk through this and get through this process. So you want to evaluate the likelihood and impact and then implement measures to address those risks that you identify, document the chosen security measures, and then maintain continuous and reasonably appropriate security protections. 
 
They're basically saying assess the risk, come up with the plan, implement it, document that plan, and then keep doing that. That's the summary. And then some of the things that they go into are extremely helpful. I'm just going to sort of bullet through these. There are different categories of aspects they talk about.  

One is administrative safeguards: HIPAA security management process, security personnel, information access management, workforce training and management, and evaluation. And these are probably some of the biggest challenges that folks have. I would say training your team is one of the biggest weak spots with any security in general. Having a process and constantly evaluating and then having some form of feedback loop around who has access to what information, being able to modify their roles, and having a dedicated person. They say a covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures. 
 
Now, a lot of times people will hear that and they'll think someone has to do this as a full-time job. That's not the case. They can do other things. But generally speaking, based on the size of your organization, you know you're going to need someone who has the time and resources to be responsible for developing and implementing your security policies and procedures. 


CHRIS: That's where a third-party tool, or leveraging some of these guides that we've prepared for you, can help you to execute that without having to make it a full-time job. For some organizations that are large enough—and you may be part of one of these organizations—you may have literal departments dedicated to this. So it needs to be relative to the risk and size and scope.

They go into a lot of other detail; I don't want to bore you with all of the detail. I just want to point out the technical safeguards as well: access controls, audit controls, integrity controls, and transmission security. Now, keep in mind, this is a summary. So if you want to get to the exact source, you can actually look at the laws that are backing this. They've summarized this for us, and you're going to want to—if it gets into a nuanced detail—go to the actual law, and potentially reference a HIPAA lawyer. That's fine if you need to do that.

Continue to Part 7 to learn about ePHI technical safeguards.