HIPAA guidelines

In 1996, the U.S. Department of Health and Human Services (HHS) published the HIPAA Privacy Rule and the HIPAA Security Rule to protect the privacy of healthcare information. Many of our customers are subject to HIPAA guidelines, but few understand the specifics of how HIPAA relates to managed IT services. This article will shed some light on the subject, and help you to understand what kinds of services are necessary to meet HIPAA standards.

What information is protected?

The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI). The HIPAA Security Rule protects a subset of the information covered by the Privacy Rule: all individually identifiable health information that a covered entity maintains in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI), and this is the part of HIPAA that is relevant to IT managed service providers. The Security Rule also applies to the business associates of healthcare providers, which means that Complete IT is obligated to safeguard e-PHI and to help customers carry out the duties specified under HIPAA guidelines.

Security Rule (45 CFR §164.308)

There are three categories of safeguards defined under the Security Rule:

  • The Administrative Safeguards primarily concern the requirement to conduct ongoing risk assessments in order to identify potential vulnerabilities and risks to the integrity of PHI.
  • The Physical Safeguards concentrate on the measures that should be implemented to prevent unauthorized access to PHI, and to protect data from fire and other environmental hazards.
  • The Technical Safeguards relate to the controls that have to be put in place to ensure data security when PHI is being communicated on an electronic network.

Covered entities are required to comply with every Security Rule standard; however, certain implementation specifications are listed as “addressable” while others are “required.” The required specifications must be implemented, whereas covered entities must determine whether each addressable specification is “reasonable and appropriate” to implement in their environment.

Some HIPAA obligations must be addressed by internal policies managed by our customers, but many can be addressed through proper implementation of Complete IT services. The summary below lists HIPAA specifications and their description under each relevant service.

RocketCyber + Microsoft 365

The items below are covered by two available services: RocketCyber Managed SOC (more information available at https://www.completeit.com/rocketcyber/), and Microsoft 365 cloud services, which include secure email and Intune mobile device management. See https://www.completeit.com/office365/ for full details.

HIPAA specification | Description
164.308(a)(1)(ii)(D) Information System Activity Review (Required) | Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
164.308(a)(5)(ii)(B) Protection from Malicious Software (Addressable) | Procedures for guarding against, detecting, and reporting malicious software.
164.308(a)(5)(ii)(C) Log-in Monitoring (Addressable) | Procedures for monitoring log-in attempts and reporting discrepancies.
164.308(a)(6)(ii) Response and Reporting (Required) | Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
164.312(b) Audit Controls | Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Security Policy

These items are covered by security policies and access controls consistent with the protection of e-PHI. These controls require cooperation from our customers to fully implement.

HIPAA specification | Description
164.312(a)(2)(iii) Automatic Logoff (Addressable) | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
164.312(a)(2)(iv) Encryption and Decryption (Addressable) | Implement a mechanism to encrypt and decrypt electronic protected health information.
164.308(a)(3)(ii)(A) Authorization and/or Supervision (Addressable) | Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
164.308(a)(5)(ii)(D) Password Management (Addressable) | Procedures for creating, changing, and safeguarding passwords.
164.312(c)(1) Integrity | Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
164.312(e)(2)(ii) Encryption (Addressable) | Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Risk Assessment

Complete IT can perform a comprehensive scan of all network assets and identify security risks, such as misconfigurations and software vulnerabilities.

HIPAA specification | Description
164.308(a)(1)(ii)(A) Risk Analysis (Required) | Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Minimum Standards

The foundation for HIPAA compliance is laid by our minimum standard guidelines, which include remote management and backup services. Full details can be found at https://www.completeit.com/cit-standards/.

HIPAA specification | Description
164.312(a)(2)(i) Unique User Identification (Required) | Assign a unique name and/or number for identifying and tracking user identity.
164.308(a)(5)(ii)(A) Security Reminders (Addressable) | Periodic security updates.
164.308(a)(7)(ii)(A) Data Backup Plan (Required) | Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
164.308(a)(7)(ii)(B) Disaster Recovery Plan (Required) | Establish (and implement as needed) procedures to restore any loss of data.
164.310(d)(2)(iv) Data Backup and Storage (Addressable) | Create a retrievable exact copy of electronic protected health information, when needed, before movement of equipment.

HIPAA compliance is a continuous process

Safeguarding patient information is a task that is never complete. As your business grows, there will always be a need to train new employees, review existing processes, and perform network upgrades to combat new threats. If our expertise can be of service, please give us a call…

The Complete IT Team