The Department of Health and Human Services Office for Civil Rights released its Summer 2021 cybersecurity update to provide guidance to healthcare organizations and stressing the importance of HIPAA ePHI security. They made it clear that ePHI, or electronic protected health information, has never been at greater risk as cybersecurity incidents have skyrocketed. A recent security report conducted by Verizon determined that 61% of healthcare data breaches were perpetrated by external threat actors, while 39% were by insiders. The HHS took this into consideration when drafting its guidance, providing recommendations for preventing external and internal breaches.
As defined in the HIPAA regulations, there is a subtle distinction between Protected Health Information (PHI) and Electronic Protected Health Information (ePHI). PHI is any information that can be used to identify a patient. Anything related to health, treatment or billing that identifies a patient is PHI. ePHI is any information that can be used to identify a patient and is in electronic form, such as a digital copy of a psychological test report.
HHS Recommendations on Improving HIPAA ePHI Security
There were two overarching themes in the HHS cybersecurity announcement: 1. the requirements to implement Information Access Management and 2. the requirements to establish Access Controls.
Information Access Management
The HIPAA Privacy Rule requires healthcare organizations to implement policies and procedures for authorizing access to ePHI. To comply with the Information Access Management standard, organizations must implement policies and procedures for granting employee access to ePHI, limiting access to data based on employee job roles. This standard also requires healthcare organizations to have policies and procedures in place to increase or revoke ePHI access when an employee’s job role changes.
The HIPAA Security Rule requires healthcare organizations to implement “access control mechanisms” to prevent unauthorized access to ePHI. The HHS cybersecurity newsletter provides examples of what access controls may be appropriate, “access controls could include role-based access, user-based access, attribute-based access, or any other access control mechanisms the organization deems appropriate.” The Access Control standard requires four implementation specifications for limiting ePHI access, including Unique User Identification, Emergency Access Procedure, Automatic Logoff, and Encryption and Decryption.
- Unique User Identification: requires each employee to have unique login credentials to access ePHI. This is particularly important in detecting insider breaches. When employees share login credentials, it can be impossible to determine which employee is accessing ePHI without the need to do so.
- Emergency Access Procedure: requires healthcare organizations to have procedures in place for when ePHI access may be limited. The HHS provides the following example, “due to the recent COVID-19 public health emergency; many organizations quickly implemented mass telework policies. How workforce members can securely access HIPAA ePHI during periods of increased teleworking should be part of an organization’s Emergency Access Procedures.”
- Automatic Logoff: to prevent unauthorized access to ePHI, it is important to implement automatic logoff procedures. The HHS states, “Failure to implement automatic logoff not only increases the risk of unauthorized access and potential alteration or destruction of ePHI, but it also impedes an organization’s ability to properly investigate such unauthorized access because it would appear to originate from an authorized user.”
- Encryption and Decryption: prevents unauthorized access to ePHI by masking sensitive data. The HHS states that when organizations implement encryption standards in line with NIST 800 specifications, ePHI is not considered unsecured and therefore is not subject to the Breach Notification Rule.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!