HIPAA Security Rules
Health Insurance Portability and Accountability Act
*This document outlines best practice policy and data leakage controls for HIPAA compliance.
HIPAA security rules require all covered entities and business associates to appoint a person or group responsible for a health information security program to protect PHI (Personnel Health Information). This includes a program to analyze and manage risk. Risk analysis, as defined by the HIPAA Security Rule, requires a formal, repeatable methodology that assesses the content, sensitivity and volume of information; the threats to the confidentiality, integrity and availability of PHI; and the effectiveness of the security controls the organization has implemented already.
Organizations must ensure that only authorized users have access to electronic PHI. This means that only authenticated users with a unique ID should be given access to PHI information. Whenever possible PHI should be encrypted. Encrypting PHI helps to protect the data when it is being moved or transported from one location to another on a mobile device.
HIPAA rules require organizations to assess their partners’ practices and obtain contractual guarantees that the information entrusted to them will be protected according to the privacy and security rules.
There are three keys to effective partner management:
- Share only the information that partners need to provide their service: Eliminate identity fields if possible, for example.
- Regularly assess partners’ risk and security practices.
- Establish contracts with partners and review them regularly.
HIPAA regulations state that all HIPAA data that moves across the network should be segmented from all other network traffic to safeguard information against common types of attacks.
Following these practices and guidelines will not only safeguard an organizations Personnel Health Information but will assist in passing HIPAA audits and protect the university from costly penalties in case of a breach.
The following helpful guides to HIPAA Policy Rules and Compliance may be found on the US Department of Health & Human Services website.
- Summary of the HIPAA Privacy Rule – a more detailed explanation of HIPAA (05-2003).
- HIPAA Guide for Law Enforcement – a quick and easy explanation of HIPAA (09-2013).
- Bulletine – HIPAA Privacy in Emergency Situations – an explanation of what is allowed during emergencies (10-2014).
HIPAA and Mobile Data
*This document outlines best practices in mobile policy and data leakage controls for HIPAA compliance.
- Any mobile device that contains HIPAA Data should have full drive encryption.
- Strong password restrictions should be enforced on these devices.
- Any emails sent containing HIPAA data should be encrypted.
- The mobile devices operating system should be monitored to verify that the operating system and antivirus are kept patched and up to date.
- Device logs should be maintained and audited for unauthorized access.
- Device tracking should be enabled.
- If possible the ability to remotely lock or wipe that device should be enabled.