The Department of Health and Human Services Office for Civil Rights released its Summer 2021 cybersecurity update to provide guidance to healthcare organizations and to stress the importance of HIPAA ePHI security. It made clear that ePHI, or electronic protected health information, has never been at greater risk, as cybersecurity incidents have skyrocketed. A recent security report conducted by Verizon determined that 61% of healthcare data breaches were perpetrated by external threat actors, while 39% were by insiders. The HHS took this into consideration when drafting its guidance, providing recommendations for preventing both external and internal breaches.
As defined in the HIPAA regulations, there is a subtle distinction between Protected Health Information (PHI) and Electronic Protected Health Information (ePHI). PHI is any information that can be used to identify a patient. Anything related to health, treatment or billing that identifies a patient is PHI. ePHI is any information that can be used to identify a patient and is in electronic form, such as a digital copy of a psychological test report.
HHS Recommendations on Improving HIPAA ePHI Security
There were two overarching themes in the HHS cybersecurity announcement: 1. the requirements to implement Information Access Management and 2. the requirements to establish Access Controls.
Information Access Management
The HIPAA Privacy Rule requires healthcare organizations to implement policies and procedures for authorizing access to ePHI. To comply with the Information Access Management standard, organizations must implement policies and procedures for granting employee access to ePHI, limiting access to data based on employee job roles. This standard also requires healthcare organizations to have policies and procedures in place to increase or revoke ePHI access when an employee’s job role changes.
Access Controls
The HIPAA Security Rule requires healthcare organizations to implement “access control mechanisms” to prevent unauthorized access to ePHI. The HHS cybersecurity newsletter gives examples of what access controls may be appropriate: “access controls could include role-based access, user-based access, attribute-based access, or any other access control mechanisms the organization deems appropriate.” The Access Control standard has four implementation specifications for limiting ePHI access: Unique User Identification, Emergency Access Procedure, Automatic Logoff, and Encryption and Decryption.
- Unique User Identification: requires each employee to have unique login credentials to access ePHI. This is particularly important in detecting insider breaches. When employees share login credentials, it can be impossible to determine which employee accessed ePHI without a legitimate need to do so.
- Emergency Access Procedure: requires healthcare organizations to have procedures in place for when ePHI access may be limited. The HHS provides the following example, “due to the recent COVID-19 public health emergency; many organizations quickly implemented mass telework policies. How workforce members can securely access HIPAA ePHI during periods of increased teleworking should be part of an organization’s Emergency Access Procedures.”
- Automatic Logoff: to prevent unauthorized access to ePHI, it is important to implement automatic logoff procedures. The HHS states, “Failure to implement automatic logoff not only increases the risk of unauthorized access and potential alteration or destruction of ePHI, but it also impedes an organization’s ability to properly investigate such unauthorized access because it would appear to originate from an authorized user.”
- Encryption and Decryption: prevents unauthorized access to ePHI by rendering the data unreadable to anyone without the decryption key. The HHS states that when organizations implement encryption in line with NIST 800-series specifications, ePHI is not considered unsecured and therefore is not subject to the Breach Notification Rule.
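The following is an added illustration, not code from the HHS newsletter or from any vendor named on this page. It models three of the controls described above in a small role-based access check: every workforce member has a unique user ID, an idle session is logged off automatically, and role changes (the Information Access Management standard) grant or revoke access. The user IDs, roles, record sections, 15-minute timeout and patient identifier are all constructed for the example. Every attempt, allowed or denied, is written to an audit log keyed by the unique user ID, which is exactly the attribution that shared credentials would destroy.

```python
"""Added example: role-based ePHI access with unique user IDs, idle logoff and audit."""
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 900  # assumed policy value: automatic logoff after 15 minutes idle

# Constructed directory: one unique user ID per workforce member (no shared logins).
USERS = {"u-1001": "physician", "u-1002": "billing", "u-1003": "nurse"}

# Assumed role model: which sections of a patient record each role may read.
ROLE_PERMISSIONS = {
    "physician": {"clinical", "billing"},
    "nurse": {"clinical"},
    "billing": {"billing"},
}


class AccessDenied(Exception):
    """Raised when a request fails any access-control check."""


@dataclass
class Session:
    user_id: str
    last_activity: float  # seconds; passed in explicitly so the example is deterministic
    active: bool = True


@dataclass
class AccessControl:
    users: dict = field(default_factory=lambda: dict(USERS))
    audit_log: list = field(default_factory=list)

    def login(self, user_id: str, now: float) -> Session:
        """Unique User Identification: only a known, individual ID gets a session."""
        if user_id not in self.users:
            self._record(user_id, None, None, "denied: unknown user", now)
            raise AccessDenied(f"unknown user {user_id}")
        return Session(user_id=user_id, last_activity=now)

    def set_role(self, user_id: str, role) -> None:
        """Information Access Management: grant, change, or revoke (role=None) access."""
        if role is None:
            self.users.pop(user_id, None)
        else:
            self.users[user_id] = role

    def access(self, session: Session, patient_id: str, section: str, now: float) -> str:
        """Return the record section reference if permitted, enforcing idle logoff first."""
        if not session.active or now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            session.active = False  # Automatic Logoff: stale session can never be reused
            self._record(session.user_id, patient_id, section, "denied: session expired", now)
            raise AccessDenied("session expired, log in again")
        session.last_activity = now
        role = self.users.get(session.user_id)  # re-read so revocations apply immediately
        if role is None or section not in ROLE_PERMISSIONS.get(role, set()):
            self._record(session.user_id, patient_id, section, "denied: role", now)
            raise AccessDenied(f"{session.user_id} ({role}) may not read {section}")
        self._record(session.user_id, patient_id, section, "allowed", now)
        return f"{patient_id}/{section}"

    def _record(self, user_id, patient_id, section, outcome, now) -> None:
        # Every entry carries the individual user ID, so an investigation can attribute it.
        self.audit_log.append({"ts": now, "user": user_id, "patient": patient_id,
                               "section": section, "outcome": outcome})


def attempt(ac: AccessControl, session: Session, patient_id: str, section: str, now: float) -> str:
    """Convenience wrapper that returns the outcome instead of raising."""
    try:
        return ac.access(session, patient_id, section, now)
    except AccessDenied as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    ac = AccessControl()
    doc = ac.login("u-1001", now=0.0)
    print(attempt(ac, doc, "pt-42", "clinical", now=10.0))   # allowed
    bill = ac.login("u-1002", now=0.0)
    print(attempt(ac, bill, "pt-42", "clinical", now=5.0))   # denied: wrong role
    print(attempt(ac, doc, "pt-42", "clinical", now=911.0))  # denied: idle > 15 min
    for entry in ac.audit_log:
        print(entry)
```

Two design points matter for the HHS guidance. The role is looked up on every access rather than cached in the session, so revoking or changing a role under Information Access Management takes effect on the next request instead of at the next login. And the audit record is written on denials as well as successes, because the newsletter's concern with Automatic Logoff is precisely that activity on an abandoned session would otherwise "appear to originate from an authorized user".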
HIPAA Resources
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!
Essential Telehealth Law & Ethical Issues
Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!