TECHNICAL SAFEGUARDS

A. Access Controls
Technical policies and procedures for electronic information systems that maintain electronic protected health information shall be implemented to allow access only to those persons or software programs that have been granted access rights.

I. Information access management (required)
1. Implementation specifications:
(A) Isolating health care clearinghouse functions (required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information from unauthorized access by the larger organization.
(B) Access authorization (addressable). Policies and procedures for granting access to electronic health information such as access to a workstation, transaction, program, process or other mechanisms shall be implemented by the health facility. Guidelines on the access of health information are provided in Rule III (Access of Health Information) in the SOR.
(C) Access establishment and modification (addressable). Based upon the access authorization policy of the data controller and/or data processor, policies and procedures on the establishment, documentation, review and modification of a user's rights to access a workstation, transaction, program or process shall be implemented.

II. User identification (required). A process for unique user identification shall be established within a policy and procedure of the health facility.
1. Implementation specifications:
(A) There shall be a user name and/or number that uniquely identifies each user throughout all levels of the organization.
(B) A user identity shall not be shared with, delegated to or assigned to a group or another individual.
(C) A user identity that was previously used shall not be reused for new or existing users.

III. Emergency access procedure (required). Procedures for obtaining necessary electronic health information during an emergency shall be established.
1. Situations that may require emergency access shall be identified, defined, and described by health facilities.
2. There shall be identification of authorized personnel who will need to access health information during emergency situations.
3. Procedures for obtaining necessary health information during emergency situations shall be established and implemented.
4. Policies and procedures for governing access to health information shall be created.

IV. Automatic log-off (addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
1. A policy and procedure that governs how automatic log-off is used shall be created.
2. A predetermined time shall be documented within the policy based on the application.

V. Encryption and decryption (addressable). Encryption is the method of converting an original message (plaintext) into encoded text (ciphertext) using an algorithm and a key; decryption reverses it.
1. For encryption in transit, the standard security technology shall be Secure Socket Layer (SSL) (addressable). (Practitioner note: SSL 3.0 and earlier are deprecated (RFC 7568); a current deployment meets this requirement with TLS 1.2 or later.)
2. Minimum requirement: AES (Advanced Encryption Standard) 128.
3. For encryption in storage: Trusted Key Entry (TKE).

VI. Multi-factor authentication (addressable). Policy, operational and technical mechanisms must be in place to use multi-factor authentication for those systems identified to have significant risk (e.g. servers, unified threat management appliances).

B. Audit Controls
A record that shows who has accessed a computer system, when it was accessed and what operations were performed.
I. Recording of information (required). Recorded information must include, but is not limited to, the unique user identifier, the date and time of use/access, the operation performed and the location (if applicable).
II. Audit data life span (addressable). Health facilities shall adopt a policy specifying how long audit data must be retained and how it will be destroyed.
III. Access to audit data (addressable). The Medical Records Officer, together with the Privacy Officer, shall be authorized to audit the shared health record.

C. Integrity Controls
Protection of electronic health information from improper alteration or destruction.
I. Implementation specifications:
(A) Mechanism to authenticate electronic protected health information (addressable). Mechanisms to corroborate that electronic health information has not been altered or destroyed in an unauthorized manner shall be implemented.
(B) Digital signatures (required). Digital signatures shall be used to establish the authenticity of each entry in an electronic system.
(C) Sum verification (required). Checksum verification shall be used to determine whether the input data matches the source data.
(D) Anti-virus software (required). Computers shall run industry-standard anti-virus software with automatic updates turned on, configured to download updates for the latest threats regularly and automatically.
(E) Data storage encryption (required). Data in storage and in transmission shall be encrypted. For websites, HTTPS shall be used.
(F) Transmission encryption (required). Data transmitted over wireless networks or the Internet shall always be encrypted.
(G) Proper handling of hardware components (addressable). Users of electronic systems shall be trained in the proper use and handling of CPUs, servers, flash drives and external hard drives.
(H) Storage of back-up components (addressable). Back-up components such as servers, flash drives and external hard drives shall be stored away from possible electromagnetic interference.
(I) Offline modes and caching (addressable). Electronic systems shall have online and offline modes.
(J) Interface integration of information systems (addressable). Data transmission from electronic medical records shall follow a standard for integration and interfacing, to facilitate interoperability and data compatibility.
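Items (A) through (C) above describe two distinct checks: a checksum that detects whether stored data still matches the source data, and a digital signature that establishes who authored the entry and that it has not been altered since. The following Go program is an added example, not part of this rule or of any facility's system, showing how the two fit together: the entry is serialized in a fixed order, SHA-256 over that serialization is the checksum, and an Ed25519 signature over the checksum binds it to the author's key. The record fields, the sample entry and the key handling (keys are generated in-process rather than issued by the facility's key management) are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry is a record entry as stored in an electronic system. The field set is
// an assumption for this example; real systems carry many more fields.
type Entry struct {
	UserID    string // unique user identifier (Access Controls II)
	Timestamp string // when the entry was made
	Payload   string // the content of the entry
}

// canonical produces a fixed byte serialization of the entry. Writer and
// verifier must serialize identically or neither check below can succeed.
func canonical(e Entry) []byte {
	return []byte(e.UserID + "\n" + e.Timestamp + "\n" + e.Payload)
}

// Checksum implements sum verification: SHA-256 over the canonical entry,
// hex encoded so it can be stored alongside the entry as text.
func Checksum(e Entry) string {
	sum := sha256.Sum256(canonical(e))
	return hex.EncodeToString(sum[:])
}

// SealedEntry is what gets stored: the entry, its checksum, and a signature.
type SealedEntry struct {
	Entry     Entry
	Checksum  string
	Signature []byte
}

// Seal computes the checksum and signs it with the author's Ed25519 key, so
// the signature covers the entry content via the checksum.
func Seal(e Entry, priv ed25519.PrivateKey) SealedEntry {
	sum := Checksum(e)
	return SealedEntry{Entry: e, Checksum: sum, Signature: ed25519.Sign(priv, []byte(sum))}
}

// Verify recomputes the checksum (catches corruption or alteration of the
// stored data) and then checks the signature over the stored checksum
// (catches an entry that was altered and re-summed by someone without the
// author's key).
func Verify(s SealedEntry, pub ed25519.PublicKey) error {
	if Checksum(s.Entry) != s.Checksum {
		return errors.New("checksum mismatch: stored data does not match source data")
	}
	if !ed25519.Verify(pub, []byte(s.Checksum), s.Signature) {
		return errors.New("signature invalid: entry not authenticated")
	}
	return nil
}

// Demo runs the three cases worth checking: an intact entry verifies, an
// entry altered in storage fails the checksum, and an entry altered and
// re-sealed under a different key fails the signature. Keys are generated
// here only so the example runs stand-alone.
func Demo() (intact, tampered, forged error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample entry, not real patient data.
	e := Entry{UserID: "u-0042", Timestamp: "2024-01-15T08:30:00Z", Payload: "BP 120/80"}
	sealed := Seal(e, priv)
	intact = Verify(sealed, pub)

	altered := sealed // struct copy; the Entry field is a value type
	altered.Entry.Payload = "BP 180/110"
	tampered = Verify(altered, pub)

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged = Verify(Seal(altered.Entry, otherPriv), pub)
	return intact, tampered, forged
}

func main() {
	intact, tampered, forged := Demo()
	fmt.Println("intact:", intact)     // <nil>
	fmt.Println("tampered:", tampered) // checksum mismatch
	fmt.Println("forged:", forged)     // signature invalid
}
```

The checksum alone only detects change; anyone who can change the entry can also recompute the checksum. The signature is what ties the checksum to a specific author's key, which is why the third case (re-sealed under another key) still fails.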

D. Transmission Security
Technical security measures to guard against unauthorized access to electronic health information that is being transmitted over an electronic communications network shall be implemented.

E. Identity Authentication
Procedures to verify that a person or entity seeking access to electronic health information is the one claimed shall be implemented. Rule III (Access of Health Information) provides guidelines on authentication of access.

F. Storage Security
Implementation Specifications:
(A) Data stored in portable data storage devices (e.g. flash drives, portable hard drives) must be encrypted.
(B) Data stored in cloud storage services (e.g. Dropbox, OneDrive, Google Drive) must be encrypted.


Cloud Services

Proposed Rules for Cloud Services

Contract/ agreement between health facility and cloud provider:

(a) the health facility retains ownership over all its data;
(b) the cloud provider acquires no rights or licenses throughout the agreement, including intellectual property rights or licenses, to use the health facility's data for its own purposes;
(c) the cloud provider does not acquire and may not claim any interest in the data on the basis of securing it.

Composite Services

Notes re: cloud computing

(1) Data security and controls. Providers must assess the strength of the cloud vendor's internal controls to protect the confidentiality, integrity and availability of electronic personal health information.
(2) Data transmission. Data may be transmitted via the Internet or wireless networks. Is there adequate encryption? Is there a defined service level agreement for data transmission, and does your organization have the correct tools in place to assess compliance?
(3) Multitenancy. This requires health care organizations to consider the possible commingling of data on shared hardware. Auditors should determine whether data is properly segregated in the cloud and whether the cloud operator has adequate controls to protect data both in storage and during transmission.
(4) Location. Auditors should be aware of all locations maintained or contracted for by the cloud operator and guard against the risk that a cloud operator could unilaterally move the data to another location without first informing the health care organization.
(5) Reliability. Health care organizations face the risk that resources may not be available when they are needed. Auditors should assess a cloud company's ability to scale its systems to meet short-term surges in demand as well as long-term growth. They should also determine when the cloud operator typically conducts system maintenance and installs upgrades, to ensure data is available during peak business hours.
(6) Sustainability. Auditors should determine the adequacy of a cloud provider's disaster recovery and business continuity plans to understand how operations will continue if the cloud is out of service. Health care organizations should also have a plan for moving data if the cloud provider goes out of business or when the contract ends, and should assess the risk of the cloud provider being unwilling or unable to return data.

