Summary:

The Health Insurance Portability and Accountability Act (HIPAA) is a set of standards created by Congress that aim to safeguard protected health information (PHI) by regulating healthcare providers. HIPAA has been in effect since 1996.

It was not effectively enforced before the act called HITECH (The Health Information Technology for Economic and Clinical Health Act) was enacted in 2009. HITECH among other requirements added HIPAA Breach Notification Rule that requires full disclosure of any leaked PHI directly to the patients and government authorities.

Further strengthening PHI protection and issuing more precise and even more strident requirements is the Omnibus Final Rule enacted in 2013, it provides various clarifications and final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by HITECH.

Complying with the HIPAA regulations requires all healthcare organizations to setup processes and controls that ensure security and integrity of PHI. The ability to demonstrate that PHI is secured through reliable access control and monitoring is key to ensure a successful HIPAA audit.

Majority of the requirements related to the information systems is contained within the HIPAA Security Rule.

Please note that the efforts and procedures required to establish compliance in each section may vary in different organizations depending on their systems configuration, internal procedures, nature of business, and other factors.

Software implementation will not guarantee organizational compliance without proper processes in place. Not all the controls that Netwrix can possibly support are included. This mapping should be used as a reference guide for implementation of an organization tailored policies and procedures.

Netwrix Auditor can help with the HIPAA controls listed below.

  • 164.308 Administrative safeguards. (HIPAA Security Rule)
  • 164.308 (a)(1)(i) Security management process.
  • 164.308 (a)(1)(ii)(A) Risk analysis.
  • 164.308 (a)(1)(ii)(B) Risk management.
  • 164.308 (a)(1)(ii)(C) Sanction policy.
  • 164.308 (a)(1)(ii)(D) Information system activity review.
  • 164.308 (a)(3)(ii)(C) Termination procedures.
  • 164.308 (a)(4)(i) Information access management.
  • 164.308 (a)(4)(ii)(A) Isolating health care clearinghouse functions.
  • 164.308 (a)(4)(ii)(C) Access establishment and modification.
  • 164.308 (a)(5)(ii)(A) Security reminders. Periodic security updates.
  • 164.308 (a)(5)(ii)(B) Protection from malicious software.
  • 164.308 (a)(5)(ii)(C) Log-in monitoring.
  • 164.308 (a)(5)(ii)(D) Password management.
  • 164.308 (a)(6)(i) Security incident procedures.
  • 164.308 (a)(6)(ii) Response and reporting.
  • 164.308 (a)(7)(ii)(B) Disaster recovery plan.
  • 164.312 Technical safeguards. (HIPAA Security Rule)
  • 164.312 (a)(1) Standard: Access control.
  • 164.312 (a)(2)(i) Unique user identification.
  • 164.312 (a)(2)(iii) Automatic logoff.
  • 164.312 (b) Standard: Audit controls.
  • 164.312 (c)(1) Integrity.
  • 164.312 (d) Person or entity authentication.
  • 164.312 (e)(2)(i) Integrity controls.
  • 164.316 Policies and procedures and documentation requirements. (HIPAA Security Rule)
  • 164.316 (b)(1)(ii) Documentation.
  • 164.316 (b)(2)(i) Time limit.
  • 164.316 (b)(2)(ii) Availability.
  • 164.528 Accounting of disclosures of protected health information. (HIPAA Privacy Rule)
  • 164.528 (a) Right to an accounting of disclosures of protected health information.