TECHNICAL SAFEGUARDS

  • Disclaimer: For information purposes only. Standard terms, definitions, and sentence construction will still be edited.

A. Access Controls
Technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights:

I. Information access management (required)
1. Implementation specifications:
(A) Isolating health care clearinghouse functions (required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
(B) Access authorization (addressable). Implement policies and procedures for granting access to electronic protected health information, for example through access to a workstation, transaction, program, process, or other mechanism.
(C) Access establishment and modification (addressable). Implement policies and procedures that, based upon the data controller and/or data processor's access authorization policies, establish, document, review, and modify a user's rights of access to a workstation, transaction, program, or process.

II. Unique user identification (required). A process for unique user identification is defined within the organization's policy and procedure.
1. Implementation specifications:
(A) A unique user name and/or number for identifying a user throughout all levels of the organization.
(B) A user identity cannot be shared, delegated, or assigned to a group or individual.
(C) A unique user identity that was previously used cannot be reused for new and/or existing users.

III. Emergency access procedure (required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
1. Identify, define, describe types of situations that may require emergency access.
2. Identify authorized personnel who will need to access health information.
3. Establish and implement procedures for obtaining necessary health information during emergency situations.
4. Create policies and procedures for governing access to health information.

IV. Automatic log-off (addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
1. Create a policy and procedure that governs how automatic log-off is used.
2. A predetermined time should be documented within the policy based on the application.

V. Encryption and decryption (addressable). Method of converting an original message of regular text into encoded text using an algorithm.
1. Encryption in transit: Secure Socket Layer (SSL) (addressable).
2. Minimum requirement: AES 128.
3. Encryption in storage: TKE.

VI. Multi-factor authentication (addressable). Policy, operational, and technical mechanisms must be in place to use multi-factor authentication for those systems identified to have significant risk (e.g. servers, unified threat management, etc.)

B. Audit Controls
A record that shows who has accessed a computer system, when it was accessed, and what operations were performed.
I. Recording information (required). Recorded information must include, but is not limited to, the unique user identifier, date and time of use/access, location (if applicable), etc.
II. Audit Data Life Span (addressable). A policy must be in place to specify the length of time the data must be stored and how it will be destroyed.
III. Access to Audit Data (addressable). Implement policies and procedures to ensure only authorized personnel have access to audit data.

C. Integrity Controls
Implement policies and procedures to protect electronic health information from improper alteration or destruction.
I. Implementation specifications:
(A) Mechanism to authenticate electronic protected health information (addressable). Implement electronic mechanisms to corroborate that electronic health information has not been altered or destroyed in an unauthorized manner.
(B) Digital signatures (required). Digital signatures shall be used to establish the authenticity of an entry in an electronic system.
(C) Sum verification (required). Sum verification shall be used to determine whether the input data matches the source data.
(D) Anti-virus software (required). Computers shall have industry-standard antivirus software with automatic updates turned on. The software shall be configured to regularly and automatically download updates for the latest threats.
(E) Data storage encryption (required). Data storage and transmission shall be encrypted. For websites, HTTPS encryption shall be used.
(F) Transmission encryption (required). Data transmission via wireless networks or the internet shall always be encrypted.
(G) Proper handling of mechanical components (addressable). Training on the proper use and handling of CPUs, servers, flash drives, and external hard drives shall be given to users of electronic systems.
(H) Back-up components (addressable). Back-up components such as servers, flash drives, and external hard drives shall be stored away from possible electromagnetic interference.
(I) Offline modes and caching (addressable). Electronic systems shall have online and offline modes.
(J) Interface integration of information systems (addressable). Data transmission from electronic medical records shall follow a standard for integration and interfacing to facilitate interoperability and data compatibility.
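As an added example (not part of this page or of any project's code) covering the audit record fields required under B.I and the alteration-detection mechanism under C.I(A): each record carries the unique user identifier, date/time, location and operation, and is hash-chained to the record before it so that later alteration or deletion of audit data can be detected. The field names, the `expired` retention helper for B.II, and the sample records are assumptions made for illustration.

```python
# Added example (not from this page): an append-only audit trail whose records carry the
# B.I fields and are SHA-256 hash-chained so alteration or deletion is detectable (C.I(A)).
# Field names, the retention helper and any sample data are assumptions for illustration.
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_hash of the very first record (constructed sentinel value)


def _seal(body):
    """SHA-256 over the canonical JSON of a record body (every field except 'hash')."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append(trail, user_id, operation, location, when=None):
    """Append one audit record linked to the previous record's hash and return it."""
    when = when or datetime.now(timezone.utc)
    record = {
        "user_id": user_id,              # unique user identifier (A.II)
        "timestamp": when.isoformat(),   # date and time of use/access (B.I)
        "location": location,            # workstation or source address, if applicable
        "operation": operation,          # what operation was performed
        "prev_hash": trail[-1]["hash"] if trail else GENESIS,
    }
    record["hash"] = _seal(record)       # sealed before 'hash' exists, so it is excluded
    trail.append(record)
    return record


def verify_chain(trail, start_hash=GENESIS):
    """Return (True, None) if every record links and seals correctly, else (False, index).

    After a retention purge, pass the hash of the last destroyed record as start_hash."""
    prev = start_hash
    for i, rec in enumerate(trail):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev or _seal(body) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None


def expired(trail, retention_days, now):
    """Records older than the documented audit data life span (B.II), due for destruction."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in trail if datetime.fromisoformat(r["timestamp"]) < cutoff]
```

Destroying the oldest records breaks the chain back to GENESIS, so keep the hash of the last destroyed record and verify from there; the audit data itself should only be readable by the personnel authorized under B.III.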

D. Transmission Security
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

E. Identity Authentication
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

F. Storage Security
Implementation Specifications:
(A) Data stored in portable data storage devices (e.g. USB drives, portable hard drives, etc.) must be encrypted.
(B) Data stored in cloud storage services (e.g. Dropbox, OneDrive, Google Drive, etc.) must be encrypted.


Cloud Services

Proposed Rules for Cloud Services

  • For cloud service providers, appropriate audit mechanisms and tools should be in place to determine how data is stored, protected, and used, to validate services and to verify policy enforcement. A risk management program should also be in place that is flexible enough to deal with the continuously evolving and shifting risk landscape.
  • The cloud provider's electronic discovery capabilities and processes must not compromise the privacy or security of the data and applications of the health facility.
  • Health facilities shall ensure that they have knowledge of a cloud provider's security measures to conduct risk management.
  • Health facilities should understand the privacy and security controls of the cloud service, establish adequate arrangements in the service agreement, make any needed adjustments, and monitor compliance of the service controls with the terms of the agreement.
  • Adequate and secure network communications infrastructure shall be in place.

Contract/agreement between health facility and cloud provider:

  • The health care facility's ownership rights over the data must be firmly established in the service contract to provide the basis of trust and privacy of data. Insofar as practicable, the contract between the health care facility and the cloud service provider should state clearly that:

(a) the health facility retains ownership over all its data;
(b) the cloud provider acquires no rights or licenses throughout the agreement, including intellectual property rights or licenses, to use the health facility's data for its own purposes;
(c) the cloud provider does not acquire and may not claim any interest in the data due to security.

  • Service agreements should include some means for the health facility to gain visibility into the security controls and processes employed by the cloud provider and their performance over time. Ideally, the health facility will have control over aspects of the means of visibility to accommodate its needs, such as the threshold for alerts and notifications, and the level of detail and schedule of reports.
  • Contracts/agreements shall clarify the types of metadata collected by the cloud provider, the protection afforded to the metadata, and the organization's rights over metadata, including ownership, opting out of collection or distribution, and fair use.
  • Health care providers must understand the technologies the cloud provider uses to provision services and the implications the technical controls involved have on security and privacy of the system throughout its lifecycle. The underlying system architecture of a cloud can be decomposed and mapped to a framework of security and privacy controls that can be used to assess and manage risk.

Composite Services

  • Cloud services that use third-party cloud providers to outsource or subcontract some of their services should specify the scope of control of the third party, responsibilities involved, and the remedies and recourse available should problems occur.

Notes re: cloud computing

  • Cloud computing risks can be divided into six areas:

(1) Data Security and Controls - Providers must assess the strength of the cloud vendor's internal controls to protect the confidentiality, integrity and availability of the electronic personal health information.
(2) Data Transmission - Data may be transmitted via the Internet or wireless networks. Is there adequate encryption? Is there a defined service level agreement for data transmission, and does your organization have the correct tools in place to assess compliance?
(3) Multitenancy - This requires health care organizations to consider the possible commingling of data on shared hardware. Auditors should determine if data is properly segregated on the cloud and if the cloud operator has adequate controls to protect data both in storage and during transmission.
(4) Location - Auditors should be aware of all locations maintained or contracted for by the cloud operator and guard against the risk that a cloud operator could unilaterally move the data to another location without first informing the health care organization.
(5) Reliability - Health care organizations face the risk that resources may not be available when they're needed. Auditors should assess a cloud company's ability to scale its systems to meet short-term surges in demand, as well as long-term growth. They also should determine when the cloud operator typically conducts system maintenance and installs upgrades to ensure data is available during peak business hours.
(6) Sustainability - Auditors should determine the adequacy of a cloud provider's disaster recovery and business continuity plans to understand how operations will continue if the cloud is out of service. Health care organizations should also have a plan for moving data if the cloud provider goes out of business or for when the contract ends. They should also assess the risk of the cloud provider being unwilling or unable to return data.
