
HIPAA Compliance Suite

The Health Insurance Portability and Accountability Act (HIPAA) is a set of standards created by Congress to safeguard protected health information (PHI) by regulating healthcare providers and other covered entities. HIPAA has been law since 1996, but enforcement was limited until the HITECH Act (the Health Information Technology for Economic and Clinical Health Act) was enacted in February 2009 as part of the American Recovery and Reinvestment Act, with most of its provisions taking effect in February 2010. The original HIPAA has two relevant titles: Title I mostly protects workers' healthcare coverage when they change or lose their jobs, while Title II, also known as Administrative Simplification (AS), covers protection of patient data (codified at 45 C.F.R. Part 164). HITECH extends HIPAA with additional provisions, among them breach notification, higher penalties, and direct application of the Security Rule to business associates.

From an IT department's standpoint, a typical HIPAA/HITECH implementation rests on the following core principles, all aimed at providing transparency and accountability (auditability) for regulated data and systems:

  • Identity management and access control: to ensure that data is only accessible by personnel that have a business need.
  • System configuration control: tracking of administrative activities.
  • Monitoring of access to data: knowledge of who accessed what data and when and review on a regular basis.
  • Data handling and encryption control: protection of data in storage and during transfers.

Meeting the requirements of HIPAA/HITECH requires every healthcare organization to set up processes and controls that ensure the security and integrity of PHI. The ability to show that PHI is protected by reliable access control and monitoring, with evidence to back it, is key to a successful HIPAA audit.

The following table summarizes requirements set forth in 45 C.F.R. Part 164 (the HIPAA Security and Privacy Rules) and shows how the NetWrix HIPAA/HITECH suite helps sustain compliance. Items marked 'R' are required implementation specifications. Items marked 'A' are "addressable": the covered entity must either implement the specification or document why it is not reasonable and appropriate in its environment and, where appropriate, implement an equivalent alternative measure. Addressable does not mean optional.

HIPAA Section / NetWrix Solution

§ 164.308: Administrative Safeguards

R: 164.308(a)(1)(ii)(D)
Requirement: Information system activity review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
NetWrix solution: Extensive auditing and reporting on both administrative and user activity in Active Directory, Group Policy, Exchange, file servers, virtual environments (VMware, Microsoft), and SQL Servers. Detection of who did what, when, and where, with rollback of unauthorized actions. Centralized consolidation and archival of audit trails with web-based reporting using predefined and custom-built reports covering all major types of activity: logons, logoffs, user account operations, and file access on servers and workstations, both successful and failed.

A: 164.308(a)(3)(ii)(C)
Requirement: Termination procedures: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends.
NetWrix solution: Auditing of disabled accounts and automated de-provisioning of inactive user accounts. Automated disabling and removal with full reporting.

R: 164.308(a)(4)(ii)(A)
Requirement: Isolating health care clearinghouse functions: If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
NetWrix solution: Auditing of all types of changes and access to critical data and security-related settings in Active Directory, file servers, virtual machines, and databases, to verify that no member of the larger organization changes or accesses data belonging to the clearinghouse. Prevention of external media usage.

A: 164.308(a)(4)(ii)(C)
Requirement: Access establishment and modification: Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
NetWrix solution: Complete auditing and automated change documentation for all types of access rights, privileges, and policies that control access to workstations, programs, transactions, and other systems.

A: 164.308(a)(5)(ii)(C)
Requirement: Log-in monitoring: Procedures for monitoring log-in attempts and reporting discrepancies.
NetWrix solution: Centralized consolidation and easy-to-use reporting of all successful and failed logon/logoff activity with extensive filtering capabilities.

A: 164.308(a)(5)(ii)(D)
Requirement: Password management: Procedures for creating, changing, and safeguarding passwords.
NetWrix solution: Auditing of all password changes. Workflow-based control of privileged account use. Self-service password management for end users with customizable password security settings and access based on verification of the user's identity. Reduction of help desk calls caused by strict password policies.

R: 164.308(a)(6)(ii)
Requirement: Response and reporting: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
NetWrix solution: Auditing of all administrative and user activity with configurable alerts and reporting that documents security incidents and supports early detection and prevention of further incidents.

R: 164.308(a)(7)(ii)(B)
Requirement: Disaster recovery plan: Establish (and implement as needed) procedures to restore any loss of data.
NetWrix solution: Quick rollback of unauthorized and accidental changes to Active Directory objects, including restore of deleted objects. File versioning and restore capabilities based on Volume Shadow Copy services.

§ 164.312: Technical Safeguards

R: 164.312(a)(2)(i)
Requirement: Unique user identification: Assign a unique name and/or number for identifying and tracking user identity.
NetWrix solution: In addition to standard AD user authentication, shared accounts used for administration and applications are audited and associated with individual user identities through a password check-out model, so that every use of a shared credential is attributable to one person.

R: 164.312(b)
Requirement: Audit controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
NetWrix solution: Auditing, archiving, and reporting of access to protected health information, auditing of privileged access, changes to security-related settings, and all other significant security events, intrusions, and anomalies.

R: 164.312(d)
Requirement: Person or entity authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
NetWrix solution: In addition to standard AD authentication, users who forget their passwords are verified through a question/answer (challenge/response) system (e.g., confirming the user's badge ID and/or mother's maiden name). This reduces the risk that a password reset is initiated by a malicious person acting on behalf of someone else. Note that answers such as a mother's maiden name are often discoverable, so a reset process should require more than one piece of evidence, and every reset should itself be logged.

§ 164.528: Accounting of disclosures of protected health information

R: 164.528(a)
Requirement: Right to an accounting of disclosures of protected health information: An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested.
NetWrix solution: Retention of records of all activity for six years or longer, so that all activity and access attempts involving protected health information can be fully reconstructed upon request.
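The log-in monitoring and activity review items above (164.308(a)(5)(ii)(C) and 164.308(a)(1)(ii)(D)) are, on Windows, ultimately implemented by reviewing the Security event log, whichever product consolidates it. The following PowerShell script is an added example written for this page; it is not NetWrix code and not part of the original document. It pulls failed logons (Event ID 4625) from one host, decodes the failure reason from the NTSTATUS codes Windows records, saves the full detail to a CSV as the reviewable record, and flags the discrepancies a reviewer should act on. The host, the 24-hour window, the threshold of 10 failures, the 5-user-name spraying cut-off and the report path are illustrative assumptions.

```powershell
<#
  Added example for this page (not NetWrix code): failed-logon review from the
  Windows Security log. Assumes the caller can read the Security log on
  $ComputerName (local Administrators or Event Log Readers). The window,
  thresholds and report path are illustrative defaults, not values from the page.
#>
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours           = 24,
    [int]$Threshold       = 10,
    [string]$ReportPath   = "C:\AuditReports\FailedLogons-$(Get-Date -Format yyyyMMdd).csv"
)

# Documented NTSTATUS codes that Event ID 4625 records in its Status/SubStatus fields.
$Reason = @{
    '0xC000006A' = 'Wrong password'
    '0xC0000064' = 'User name does not exist'
    '0xC0000234' = 'Account locked out'
    '0xC0000072' = 'Account disabled'
    '0xC000006F' = 'Logon outside permitted hours'
    '0xC0000070' = 'Workstation restriction'
    '0xC0000071' = 'Password expired'
    '0xC0000193' = 'Account expired'
}

$events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

$rows = foreach ($e in $events) {
    # Read EventData fields by name; their positions differ between Windows versions.
    $data = @{}
    foreach ($field in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

    # The detailed reason is in SubStatus; when that is zero, Status carries it (e.g. lockout).
    $code = if ($data['SubStatus'] -and $data['SubStatus'] -ne '0x0') { $data['SubStatus'] } else { $data['Status'] }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        SourceIP    = $data['IpAddress']
        Workstation = $data['WorkstationName']
        LogonType   = $data['LogonType']   # 2 interactive, 3 network, 10 remote desktop, ...
        Reason      = if ($Reason.ContainsKey($code)) { $Reason[$code] } else { $code }
    }
}
$rows = @($rows)

# Keep the full detail as the reviewable record; how long it is retained is the site's policy.
New-Item -ItemType Directory -Path (Split-Path -Parent $ReportPath) -Force | Out-Null
$rows | Sort-Object Time | Export-Csv -Path $ReportPath -NoTypeInformation

# Discrepancies a reviewer should act on:
#  1. many failures against one account   (password guessing, or a broken service credential)
#  2. many failures from one source       (scanning or brute force)
#  3. one source trying many user names that do not exist (password spraying / enumeration)
$byAccount = $rows | Group-Object Account  | Where-Object Count -ge $Threshold
$bySource  = $rows | Group-Object SourceIP | Where-Object { $_.Count -ge $Threshold -and $_.Name -notin '-', '' }
$spraying  = $rows | Where-Object Reason -eq 'User name does not exist' |
             Group-Object SourceIP |
             Where-Object { ($_.Group.Account | Sort-Object -Unique).Count -ge 5 }

"Failed logons on $ComputerName in the last $Hours h: $($rows.Count) (detail in $ReportPath)"
foreach ($g in $byAccount) { Write-Warning ("{0,4} failures against {1}" -f $g.Count, $g.Name) }
foreach ($g in $bySource)  { Write-Warning ("{0,4} failures from {1}" -f $g.Count, $g.Name) }
foreach ($g in $spraying)  {
    $names = ($g.Group.Account | Sort-Object -Unique).Count
    Write-Warning ("{0} tried {1} non-existent user names" -f $g.Name, $names)
}
```

Run it from a scheduled task on each domain controller (or against a collector that forwards Security logs) and file the CSV with the rest of the audit trail; the warnings are the "discrepancies" the addressable specification asks to be reported, and a reviewer's sign-off on them is the evidence of the regular review that 164.308(a)(1)(ii)(D) requires.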

Disclaimer: This information is not intended to provide legal advice or substitute for the advice of an attorney.

Copyright © 2010 NetWrix Corporation