The Health Insurance Portability and Accountability Act (HIPAA) is a set of federal standards, enacted by Congress in 1996, that safeguards protected health information (PHI) by regulating health care providers, health plans, clearinghouses and their business associates. Enforcement was weak until the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, which, among other requirements, added the HIPAA Breach Notification Rule: when unsecured PHI is compromised, affected individuals and the Department of Health and Human Services must be notified (and, for breaches affecting more than 500 residents of a state, the media as well). The Omnibus Final Rule of 2013 further strengthened PHI protection and tightened the requirements for HIPAA compliance; it provides clarifications and final modifications to the HIPAA Privacy, Security, and Enforcement Rules as mandated by HITECH, and it makes business associates directly liable for compliance.
Most of the HIPAA requirements that fall on IT departments are contained in the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C), whose safeguards are aimed at ensuring the confidentiality, integrity and availability of electronic PHI (ePHI) and of the systems that create, receive, maintain or transmit it.
Complying with HIPAA requires every health care organization to set up processes and controls that ensure the security and integrity of PHI. The ability to demonstrate that PHI is protected by reliable access control and monitoring, backed by an audit trail, is key to a successful HIPAA audit.
HIPAA violations carry serious financial consequences: WellPoint paid a $1.7m settlement after exposing over 600,000 patient records online, Massachusetts General Hospital paid $1m after losing patient records, and New York-Presbyterian Hospital/Columbia University Medical Center paid $4.8m, the largest HIPAA settlement at the time, after patient data became accessible on the internet.
"It can be difficult to know what changed, when it changed, and who changed it. Add regulatory compliance and you'll need to hire a full crew to keep up with the changes over time." (Michael Domingo, Executive Editor of MCPmag.com)
The following table summarizes the most relevant requirements set forth in 45 C.F.R. Part 164 (as amended through March 26, 2013) and shows how Netwrix products help an organization attain, assess and maintain a compliant IT environment. Implementation specifications marked 'R' are required. Those marked 'A' are "addressable": the organization must implement the specification if it is reasonable and appropriate; otherwise it must document why it is not, and implement an equivalent alternative measure where that is reasonable and appropriate.
Please note that the mechanisms suggested for each section may vary between organizations depending on their system configuration, internal procedures, nature of business, and other factors. Netwrix products can also assist with other provisions of the Privacy, Security, and Breach Notification Rules that are not specifically listed in the table below.
A more detailed reference guide is available: HIPAA Compliance with Netwrix
| HIPAA requirement (45 C.F.R. Part 164) | Netwrix provides |
|---|---|
| § 164.308: Administrative Safeguards | |
| (a)(1)(i) Security management process (standard). Implement policies and procedures to prevent, detect, contain, and correct security violations. | Fully featured auditing of access, changes, and configurations of all systems creating, receiving, maintaining, and transmitting ePHI, recording who changed what, when, and where. Centralized consolidation and archival of audit trails, with predefined and custom-built reports covering all major types of activity across the entire IT infrastructure. |
| (a)(1)(ii)(D) Information system activity review (R). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. | Reduces the burden of systematic review of the audit trails collected by the Netwrix platform through the Change Review History reporting mechanism of Netwrix Auditor. (This mechanism should supplement internal control policies, not replace them.) |
| (a)(3)(ii)(C) Termination procedures (A). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified by paragraph (a)(3)(ii)(B) of this section. | Auditing of disabled accounts and automated de-provisioning of inactive user accounts: automated disabling and removal with full reporting. |
| (a)(4)(i) Information access management (standard). Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. | Auditing of files, folders and their permissions across the entire IT infrastructure for early detection of unauthorized changes to access settings (e.g. granting of new permissions, changes to user access rights). |
| (a)(4)(ii)(A) Isolating health care clearinghouse functions (R). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. | See (a)(4)(ii)(C) below. |
| (a)(4)(ii)(C) Access establishment and modification (A). Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. | Automated change documentation for all types of access rights, privileges, and policies that control access to workstations, programs, transactions, and other systems, to detect violations of the organization's access-control measures. |
| (a)(5)(ii)(C) Log-in monitoring (A). Procedures for monitoring log-in attempts and reporting discrepancies. | Centralized consolidation and easy-to-use reporting of all successful and failed logon/logoff activity. |
| (a)(5)(ii)(D) Password management (A). Procedures for creating, changing, and safeguarding passwords. | Auditing of all password changes. Self-service password management for end users with customizable password security settings and identity verification before a reset, reducing help desk calls related to password policies. |
| (a)(6)(i) Security incident procedures (standard). Implement policies and procedures to address security incidents. | As part of internal controls, implement procedures to regularly review audit trails in order to identify and mitigate security incidents as they occur. |
| (a)(6)(ii) Response and reporting (R). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. | Auditing of all administrative and user activity with configurable real-time alerts and reporting that documents and notifies on security incidents, helping with early detection of violations and prevention of further incidents. |
| (a)(7)(ii)(B) Disaster recovery plan (R). Establish (and implement as needed) procedures to restore any loss of data. | Investigation of the audit trail, including before/after values of changes, for immediate data recovery; quick rollback of unauthorized and accidental changes to Active Directory objects, including restoration of deleted objects. (An audit trail with before/after values helps reverse configuration changes; it does not replace tested backups of the data stores that hold ePHI.) |
| § 164.312: Technical Safeguards | |
| (a)(2)(i) Unique user identification (R). Assign a unique name and/or number for identifying and tracking user identity. | Complete auditing of user accounts and logons to detect and prevent use of the same ID by multiple persons (e.g. concurrent logons from different computers). Compare the audit trail with HR records to validate that each account maps to exactly one person. |
| (b) Audit controls (standard). Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. | Auditing, archiving, and reporting of access to and modifications within systems containing ePHI. |
| (d) Person or entity authentication (standard). Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. | Auditing of logon activity for the two-factor authentication system implemented within the organization. Additionally, users can be verified through a challenge/response mechanism to confirm their identity when they change their passwords. |
| § 164.316: Policies and procedures and documentation requirements | |
| (b)(1) Documentation (R). If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. | Complete audit trail of access and changes, including who, when, where and what, with before and after values, consolidated in a two-tiered (file-based and SQL database) storage solution that holds data for 10 years or more, with built-in archiving and reporting capabilities. Scheduled reports streamline preparation for audits. |
| (b)(2)(i) Time limit (R). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. | As above: retention of 10 years or more exceeds the 6-year requirement. |
| (b)(2)(ii) Availability (R). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. | As above. |
| § 164.528: Accounting of disclosures of protected health information | |
| (a)(1) Right to an accounting of disclosures. An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested. | Retention of records of all audited activity for 10 years or more, so that activity on and access attempts to systems holding PHI can be reconstructed on request. (Note that an accounting of disclosures covers releases of PHI to parties outside the covered entity; system access logs document internal use and access, and are an input to the disclosure record rather than a substitute for it.) |
Disclaimer: This information is not intended to provide legal advice or substitute for the advice of an attorney.