Saturday, December 7, 2013

HIPAA Security Rule

HIPAA Security Rule and related readings
The importance of access controls in addition to audit controls:
Audit controls are only one form of control.  Audit controls document system access and access attempts by users.  Keeping track of who has accessed data by using logs is part of audit control, but this type of control is not enough on its own.  Access controls should also be included to control and limit access to health information.  Access can be limited using specialized software that restricts access to only those users authorized to see the data they need for their jobs.  Such software can enforce these limits through context-based, role-based, or user-based access schemes.

Emergency access procedures under the Access Control standard:
Procedures for accessing data under emergency conditions should be planned for in advance.  An emergency here means the loss of data or of systems containing protected health information in electronic form.  Emergencies could be anything from fires, vandalism, or terrorism to natural disasters or system failures.  In an emergency, being able to access information could be vital in a life or death situation.  There should be protocols in place both for backup storage and for accessing information at a location other than the original one.  The procedures should include ways for workforce members to reach that information.  If a special access or audit control needs to be added at the alternate location, that should be taken into consideration as well.

How role-based access controls meet the HIPAA Privacy Rule minimum necessary standard:
This standard requires that access to PHI by employees of covered entities must be limited to the minimum necessary to do their jobs. The rule specifies that covered entities must “develop role-based access rules” to carry out this minimum necessary requirement.  Role-based access is the mapping of data access for a user or a class of users to only those functions, activities, and action codes that they need to perform their duties. (optuminsight)
The Privacy Rule requires that a covered entity identify several things in its policies and procedures.  These items include naming which persons or classes of persons need access to the protected health data.  Another item is listing the categories of protected health information that those persons or classes will need to access.  The other item is listing the conditions that apply to that access, where appropriate.  Covered entities must also have policies and procedures that prevent access by those who do not need the data.
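The following is an added illustration, not code from the original post or from any cited source, of how the two ideas above fit together: a role-based "minimum necessary" check that maps roles to PHI categories and applies a condition where appropriate, while an audit log records every attempt (allowed or denied) so that logging and access control work side by side. The roles, PHI categories, and treatment-relationship condition are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed example policy: each role is mapped to only the PHI categories
# its duties require (the "minimum necessary" standard).
ROLE_PERMISSIONS = {
    "physician": {"demographics", "diagnosis", "medications", "lab_results"},
    "billing_clerk": {"demographics", "billing"},
    "receptionist": {"demographics"},
}

# Constructed example condition "where appropriate": clinical roles may only
# view records of patients they are assigned to (a treatment relationship).
ROLES_REQUIRING_ASSIGNMENT = {"physician"}


@dataclass
class AuditLog:
    """Audit control: documents every access attempt, allowed or not."""
    entries: list = field(default_factory=list)

    def record(self, user, role, category, patient_id, allowed):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "category": category,
            "patient": patient_id, "allowed": allowed,
        })


def is_access_allowed(role, category, patient_id, assigned_patients):
    """Access control: deny unless the role may see this category and,
    for roles that need it, the patient is assigned to the requester."""
    if category not in ROLE_PERMISSIONS.get(role, set()):
        return False
    if role in ROLES_REQUIRING_ASSIGNMENT and patient_id not in assigned_patients:
        return False
    return True


def request_phi(user, role, category, patient_id, assigned_patients, audit):
    """Evaluate a request, log the attempt, and return whether it was allowed.
    Logging alone would only record the access; the check is what limits it."""
    allowed = is_access_allowed(role, category, patient_id, assigned_patients)
    audit.record(user, role, category, patient_id, allowed)
    return allowed
```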

What form of authentication best meets the Person or Entity Authentication Standard for different healthcare applications:
The Person or Entity Authentication Standard applies to those accessing e-PHI and requires that those individuals be identified and authenticated.  Two-factor authentication is the best method for meeting this standard.  This strong form of authentication requires that information be provided using two or three different types of authentication information.  Authentication could include passwords, smart cards and tokens, biometrics, CAPTCHA, or more.  Two-factor means that two or more of these types would be needed to access the healthcare information.
Sayles; Health Information Management Technology: An Applied Approach