HIPAA Compliance with Netwrix Auditor

Integrated HIPAA/HITECH compliance solution for healthcare IT infrastructure

The Health Insurance Portability and Accountability Act (HIPAA) is a set of standards created by Congress that aim to safeguard protected health information (PHI) by regulating healthcare providers. HIPAA has been around since 1996 but has never been taken seriously before the act called HITECH (The Health Information Technology for Economic and Clinical Health Act) was enacted in 2009. HITECH among other requirements added HIPAA Breach Notification Rule that requires full disclosure of any leaked PHI directly to the patients and government authorities. Further strengthening PHI protection and issuing more precise and even more strident requirements for HIPAA compliance is the Omnibus Final Rule, enacted in 2013, it provides various clarifications and also final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by HITECH.

Most of the HIPAA compliance requirements related to the IT departments contained within the HIPAA Security Rule which typical implementation is based on the following core principles, aimed to provide security and integrity of regulated data and systems:

  • Identity management and access control: to ensure that data is only accessible by personnel that have a business need;
  • System configuration control: tracking of administrative activities and configuration changes;
  • Monitoring of access to data: knowledge of who accessed what data and when and review on a regular basis;
  • Data handling and encryption control: protection of data in storage and during transfers.

Complying with the HIPAA regulations requires all healthcare organizations to setup processes and controls that ensure security and integrity of PHI. The ability to show that PHI is secured through reliable access control and monitoring is key to ensure a successful HIPAA audit.

HIPAA compliance violations can have terrible consequences, such as $1.7m settlement paid by WellPoint for exposure of 600,000 patient records or $1m settlement paid by Massachusetts General Hospital, or devastating $4.8m settlement of New York Presbyterian Hospital/Columbia University Medical Center.

"It can be difficult to know what changed, when it changed, and who changed it. Add regulatory compliance and you'll need to hire a full crew to keep up the changes over time." /Michael Domingo, Executive Editor of MCPmag.com/

The following table summarizes the most relevant requirements set forth in part 164 of C.F.R. 45 (as amended through March 26, 2013) and shows how Netwrix provides a HIPAA compliance suite to attain, assess and maintain compliant IT environment. Items marked with 'R' are required to implement. Items marked with 'A' are "addressable": that means it must be either implemented, if deemed reasonable and appropriate by the organization; replaced by another, more suitable control; or clearly documented, in cases when organizations decided not to implement the security measure

Please note that the suggested mechanisms to support compliance efforts in each particular section may vary in different organizations depending on their systems configuration, internal procedures, nature of business, and other factors. Also achieving HIPAA compliance with other provisions of Privacy, Security, and Breach Notification Rules, not specifically mentioned in the table below, can be assisted by using Netwrix products.

More detailed reference guide is available here: HIPAA Compliance with Netwrix

HIPAA Requirement Netwrix Provides
§ 164.308: Administrative Safeguards
R:§ 164.308 (a)(1)(i) Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
Fully featured auditing of access, changes, and configurations of all systems creating, receiving, maintaining, and transmitting ePHI and recording of who changed what, when, and where ensures HIPAA compliance. Centralized consolidation and archival or audit trials, using predefined and custom-built reports covering all major types of activities across the entire IT infrastructure.
R:§164.308(a)(1)(ii)(D) Information system activity review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Simplify burden of systematic reviews of audit trails collected by Netwrix platform by using Change Review History reporting mechanism of Netwrix Auditor. (This mechanism should supplement internal control policies and procedures)
A:§164.308(a)(3)(ii)(C) Termination procedures: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends.
Auditing of disabled accounts, automated de-provisioning of inactive user accounts. Automated disabling and removal with full reporting.
R:§164.308 (a)(4)(i) Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
Auditing of files folders and their permissions across the entire IT infrastructure for early detection of unauthorized changes to security access settings (e.g. granting of new permissions, changes of user access rights, etc.) and ensure adequacy of technical controls.
R:§164.308 (a)(4)(ii)(A) Isolating health care clearinghouse functions. If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
Complete auditing and automated change documentation for all types of access rights, privileges, and policies that control access to workstations, programs, transactions, and other systems to detect violations of HIPAA compliance security measures.
A:§164.308(a)(4)(ii)(C) Access establishment and modification. Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process
A:§164.308(a)(5)(ii)(C) Log-in monitoring. Procedures for monitoring log-in attempts and reporting discrepancies.
Centralized consolidation and easy to use reporting of all successful and failed logon/logoff activities with extensive filtering capabilities.
A:§164.308(a)(5)(ii)(D) Password management. Procedures for creating, changing, and safeguarding passwords
Auditing of all password changes. Self-service password management for end users with customizable password security settings and secure access based on user identity verification. Prevention of excessive help desk calls related to secure password policies.
R:§164.308(a)(6)(i) Security incident procedures. Implement policies and procedures to address security incidents
As a part of internal control implement procedures to regularly review audit trails to identify and mitigate security incidents as they occur.
R:§164.308(a)(6)(ii) Response and reporting. Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes
Auditing of all administrative and user activities with configurable real time alerts and reporting that documents and notifies on all security incidents and helps with early detection of HIPAA compliance violations and prevention of further security incidents.
R:§164.308(a)(7)(ii)(B) Disaster recovery plan. Establish (and implement as needed) procedures to restore any loss of data.
Investigate audit trail with changes including before/after values for immediate data recovery. Quick rollback of unauthorized and accidental changes to Active Directory objects, including restore of deleted objects.
§ 164.312: Technical Safeguards
R:§164.312(a)(2)(i) Unique user identification. Assign a unique name and/or number for identifying and tracking user identity.
Complete auditing of user accounts and logons to analyze violations and prevent usage of the same ID by multiple persons (e.g. from different computers) Compare audit trail with HR records to validate HIPAA compliance.
R:§164.312(b) Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information
Auditing, archiving, and reporting of access and modifications within systems containing PHI.
R:§164.312(d) Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Auditing logon activities of implemented within the organization two-tiered authentication system. Additionally users can be verified by challenge/response system to confirm their identity when they change their passwords.
§ 164.316: Policies and procedures and documentation requirements.
R:§164.316(b)(1)(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
Configurations states and complete audit trail of access and changes, including who, when, where, what with before and after values. Consolidated within two-tiered (file-based and SQL database) storage solution, holding data for up to 10 years or more, with built-in archiving and reporting capabilities. Streamline HIPAA compliance with scheduled reports and real-time alerts.
R:§164.316(b)(2)(i) Time limit. Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
R:§164.316(b)(2)(ii) Availability. Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
§ 164.528: Accounting of disclosures of protected health information.
R:§164.528(a) Right to an accounting of disclosures of protected health information. (1) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested
Holding records of all activities for 10 years and more to be able to fully reconstruct all activities and access attempts to protected health information upon request.
Download Free Trial One-to-One Demo Request Quote

See how Netwrix Auditor helps meet requirements of other regulations, such as PCI, SOX, FISMA and GLBA .

Disclaimer: This information is not intended to provide legal advice or substitute for the advice of an attorney.