Friday, September 30, 2022

How Should Health Plans Implement Access Control Under the HIPAA Security Rule?

QUESTION: Our company sponsors a self-insured health plan, and employees who perform plan administration functions have access to electronic protected health information (PHI). How can we control access to PHI to comply with the HIPAA security rule?

ANSWER: The HIPAA security rule applies to electronic PHI created, received, maintained, or transmitted by health plans or their business associates. When users are able to access electronic PHI, the access control standard under the HIPAA security rule must be considered. This standard includes four implementation specifications: unique user identification; emergency access procedure; automatic logoff; and encryption and decryption. The first two are "required" specifications; the last two are "addressable," meaning the plan must implement them if reasonable and appropriate, and otherwise document why not and adopt an equivalent alternative measure where reasonable and appropriate.

When developing security measures consistent with these implementation specifications, you may wish to consider the Health Industry Cybersecurity Practices (HICP) developed by a task group convened by HHS. In its technical volumes, the HICP identifies "best practices" to mitigate security threats. HICP security measures relevant to access control include, for example, the following:

  • Access Parameters. Tailor access for each user based on the user's specific workplace requirements. Access should be role-based, providing the minimum necessary access for users to perform their job functions involving use or disclosure of electronic PHI.

  • Separate Accounts. Assign a separate user account to each user in your organization; shared or generic accounts should be avoided. Require users to create complex passwords, with reminders that passwords should be different from those used for users' personal accounts. Train and regularly remind users that they must never share their access credentials. Implement multifactor authentication for users to gain access to their unique accounts.

  • Automatic Lock and Log-off. Configure systems and endpoints to automatically lock out and log off users after a predetermined period of inactivity.

  • Modify and Terminate User Access. When a user leaves your organization, execute procedures to terminate the user's access immediately to prevent former users (who may have improper motives) from accessing PHI. This is especially important for organizations using cloud-based systems, where access is based on credentials rather than physical presence at a particular computer. Similarly, if a user changes jobs within the organization, you will need to modify access based on the requirements of the new position.
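The four HICP measures above fit together into one enforcement path: a unique account per person, MFA at login, a role-to-permission map that grants only the minimum necessary, an inactivity timer that expires the session, and deprovisioning that kills live sessions as well as the account. The following is an added illustration written for this page, not code from the EBIA manual or the HICP; the role names, the permission strings, the 15-minute idle timeout, and the sample users are assumptions chosen for the example, not values HIPAA prescribes.

```python
"""Illustrative access-control model for electronic PHI (added example).

Assumed, for illustration only: role names, permission strings, the idle
timeout, and the sample users. Every decision is written to an audit log
keyed by the unique user ID, which is what makes per-user accountability
possible in the first place.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Role -> actions permitted on ePHI (minimum necessary per role). Assumed values.
ROLE_PERMISSIONS = {
    "claims_processor": {"phi:read", "phi:update_claim"},
    "plan_auditor": {"phi:read"},
    "payroll": set(),  # performs no plan administration functions -> no ePHI
}
IDLE_TIMEOUT = timedelta(minutes=15)  # assumed auto-logoff threshold


@dataclass
class User:
    user_id: str          # one account per person; never shared or generic
    roles: set
    mfa_enrolled: bool
    active: bool = True   # set False on termination


@dataclass
class Session:
    user_id: str
    last_activity: datetime
    expired: bool = False


class PhiAccessControl:
    def __init__(self, clock):
        self.users, self.sessions, self.audit_log = {}, {}, []
        self.now = clock  # injected so the example can simulate elapsed time

    def add_user(self, user):
        if user.user_id in self.users:
            raise ValueError("user IDs must be unique")
        self.users[user.user_id] = user

    def login(self, user_id, mfa_passed):
        user = self.users.get(user_id)
        if user is None or not user.active:
            return self._deny(user_id, "login", "unknown or deactivated account")
        if not (user.mfa_enrolled and mfa_passed):
            return self._deny(user_id, "login", "MFA required")
        self.sessions[user_id] = Session(user_id, self.now())
        self._audit(user_id, "login", "ok")
        return self.sessions[user_id]

    def check_access(self, user_id, action):
        """True if user_id may perform action right now; every decision is logged."""
        user, session = self.users.get(user_id), self.sessions.get(user_id)
        if user is None or not user.active:
            return bool(self._deny(user_id, action, "no active account"))
        if session is None or session.expired:
            return bool(self._deny(user_id, action, "no live session"))
        if self.now() - session.last_activity > IDLE_TIMEOUT:
            session.expired = True  # automatic logoff after inactivity
            return bool(self._deny(user_id, action, "auto-logoff after inactivity"))
        session.last_activity = self.now()
        allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
        if action not in allowed:
            return bool(self._deny(user_id, action, "not permitted for role"))
        self._audit(user_id, action, "ok")
        return True

    def change_role(self, user_id, new_roles):
        """Job change: replace (do not accumulate) the user's roles."""
        self.users[user_id].roles = set(new_roles)
        self._audit(user_id, "role_change", ",".join(sorted(new_roles)))

    def terminate(self, user_id):
        """Offboarding: deactivate the account and expire any live session at once."""
        self.users[user_id].active = False
        if user_id in self.sessions:
            self.sessions[user_id].expired = True
        self._audit(user_id, "terminate", "ok")

    def _deny(self, user_id, action, reason):
        self._audit(user_id, action, "denied: " + reason)
        return None

    def _audit(self, user_id, action, result):
        self.audit_log.append((self.now().isoformat(), user_id, action, result))


def run_demo():
    """Walk the four controls with a constructed clock; returns each decision."""
    clock = {"t": datetime(2022, 9, 30, 9, 0, 0)}  # constructed sample time
    ac = PhiAccessControl(lambda: clock["t"])
    ac.add_user(User("alice", {"claims_processor"}, mfa_enrolled=True))
    ac.add_user(User("bob", {"payroll"}, mfa_enrolled=True))
    r = {"no_mfa_login_rejected": ac.login("alice", mfa_passed=False) is None}
    ac.login("alice", mfa_passed=True)
    r["role_permits_claim_update"] = ac.check_access("alice", "phi:update_claim")
    ac.login("bob", mfa_passed=True)
    r["payroll_sees_phi"] = ac.check_access("bob", "phi:read")
    clock["t"] += timedelta(minutes=20)          # exceed the idle timeout
    r["after_idle"] = ac.check_access("alice", "phi:read")
    ac.login("alice", mfa_passed=True)
    ac.change_role("alice", {"plan_auditor"})    # job change: read-only now
    r["after_role_change_update"] = ac.check_access("alice", "phi:update_claim")
    ac.terminate("alice")
    r["after_termination"] = ac.check_access("alice", "phi:read")
    return r


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {'allowed' if decision else 'denied'}")
```

Two design points worth noting. The inactivity check runs on every access rather than on a background timer, so a stale session can never be used even if the timer that was supposed to expire it never fired. And `terminate` expires the live session as well as deactivating the account; deactivating only the account would leave an already-authenticated cloud session usable until it next re-authenticated, which is exactly the gap the "Modify and Terminate User Access" measure warns about.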

Although you asked about the HIPAA security rule, keep in mind that the HIPAA privacy rule also includes requirements for plan sponsors' employees who use or disclose PHI (paper or electronic). For example, access to PHI must be restricted to employees performing plan administration functions; the PHI must not be used for employment-related purposes; separation must be maintained between employees with access to PHI and other employees; and various administrative safeguards must be adopted.

For more information, see EBIA's HIPAA Portability, Privacy & Security manual at Sections XXIII.C ("Sharing PHI and Electronic PHI With Plan Sponsors"), XXIX ("Security Requirements: General Concepts"), and XXX.D ("Core Security Requirements: Technical Safeguards").

Contributing Editors: EBIA Staff.
