HIPAA Compliance Software Solutions
The Health Insurance Portability and Accountability Act (HIPAA) regulates a wide range of activities regarding healthcare services. One of its primary functions is to prevent fraud and data abuse in healthcare. Strict HIPAA security compliance regulations are designed to protect personal healthcare data from unauthorized access.
HIPAA defines three categories of covered entities:
- Healthcare providers — Hospitals, clinics, medical laboratories, pharmacies, nursing homes, doctors, psychologists, dentists, chiropractors, etc.
- Healthcare plans — Health insurance and health maintenance companies, government programs such as Medicare and Medicaid, military healthcare programs
- Healthcare clearinghouses — Organizations that create, receive, maintain, edit, or transmit any protected health information (PHI)
Business associates (and their subcontractors) that work with healthcare organizations are also subject to HIPAA compliance requirements. Although they aren’t listed as HIPAA covered entities, these associates process PHI and therefore share the same responsibilities.
In other words, any organization that deals with PHI must meet HIPAA requirements. The act is vague on the frequency of audits, but it’s generally recommended to conduct HIPAA audits and self-assessments yearly or after substantial changes in your IT environment.
Passing a HIPAA compliance audit can be quite a challenge and generally requires the use of dedicated software for monitoring and controlling users’ access to sensitive data.
Key HIPAA compliance requirements for data protection
HIPAA compliance requirements are laid out in several key rules. The HIPAA controls for data protection are described in the first two of them:
The Privacy Rule establishes standards for PHI security and safeguards to protect PHI privacy. This rule also sets out conditions when such information may be used without authorization from a patient.
The Security Rule specifies security measures for electronic PHI (ePHI) and the required functionality of HIPAA compliance software. This rule determines the following safeguards:
- Administrative — Required practices, policies, and procedures to ensure ePHI security
- Physical — Measures to establish the physical security of buildings and devices that contain ePHI
- Technical — Technologies that provide access to ePHI and protect it from digital threats
HIPAA controls can be required or addressable. Required controls are obligatory for any covered entity or business associate. Addressable controls must be implemented if it’s reasonable for your organization. You should document your choice in a relevant security policy. When you aren’t sure whether an addressable requirement is relevant for you, it’s best to implement it anyway — you can never be too careful.
With Ekran System, you can easily implement all critical administrative and technical safeguards:
| Administrative safeguards | Technical safeguards |
|---|---|
| Isolating third-party access | Unique user identification |
| Access authorization | Emergency access procedure |
| Access establishment and modification | User authentication |
| Password management | Integrity controls |
| Response and reporting | |
§164.308.A.4 (A) Isolating third-party access (Required). A covered entity must protect its ePHI from access by other organizations. Ekran System achieves this with continuous monitoring of third-party vendors, RDP and SSH session recording, and a suite of identity and access management tools.
§164.308.A.4 (B) Access authorization (Addressable). All employees accessing ePHI must be authorized to do so. Ekran System employs identity management functionality that includes two-factor authentication (2FA). This feature can confirm a person’s identity and access rights by sending a confirmation passcode to a verified device.
§164.308.A.4 (C) Access establishment and modification (Addressable). An entity should be able to establish and modify user access policies. Ekran System access management functionality provides flexible HIPAA access controls for both regular and privileged users.
§164.308.A.5 (D) Password management (Addressable). An entity has to securely create, store, and distribute user credentials. Ekran System’s password management feature covers all these requirements and allows you to manage SSH/Telnet keys (for UNIX environments), Windows Active Directory keys, and other secrets.
§164.308.A.6 Response and reporting (Required). All security threats should be identified and reported. Ekran System helps to detect threats by continuously monitoring all user actions, alerting security personnel to suspicious actions, and providing detailed reports on each incident for a HIPAA security audit.
§164.312.A.2. (i) Unique user identification (Required). Each user should have unique access credentials. Ekran System manages credentials for each user and provides secondary authentication to distinguish users of shared accounts.
§164.312.A.2. (ii) Emergency access procedure (Required). In case of an emergency, an entity’s administrator should be able to gain access to ePHI or terminate suspicious user sessions. Ekran System can block an activity, session, or user automatically when it detects a security breach. A security officer can also do this manually, as well as grant emergency access to sensitive data by issuing one-time passwords.
§164.312.C.2. User authentication (Addressable). A covered entity should have a mechanism to authenticate any user who changes or destroys ePHI. Ekran System does that with 2FA. Also, user monitoring functionality provides visibility into any actions with ePHI.
§164.312.E.2.(i) Integrity controls (Addressable). It must be impossible to make undetected changes to ePHI in transit. With Ekran System monitoring, any interaction with data is recorded. Therefore, if anyone tries to modify data in transit, an entity will have complete records of that event. Those records can also be exported to a protected file for further forensic activities.
Ekran System is an efficient insider threat protection platform that can help you meet HIPAA security controls. Flexible endpoint licensing and an enterprise-ready architecture make Ekran System a perfect HIPAA compliance solution.