PARTNERS HUMAN RESEARCH COMMITTEE

HIPAA Security Rule (6.22.05)

What is the HIPAA Security Rule?

The Health Insurance Portability and Accountability Act (HIPAA) mandated the creation and implementation of the Privacy Rule and the Security Rule. These Rules are separate but related. The Privacy Rule went into effect in April 2003 and addresses privacy protections for protected health information (PHI). The Security Rule went into effect in April 2005 and addresses specific safeguards for electronic PHI.

To what information/data does the HIPAA Security Rule apply?

The HIPAA Security Rule can be viewed as an extension of the HIPAA Privacy Rule. The Security Rule mandates that we secure and protect patient privacy as it relates to all forms of electronic protected health information (ePHI).

The following 18 identifying elements define what constitutes Protected Health Information (PHI), whether electronic or not:

  • Names;
  • All elements of dates (except year) for dates directly related to an individual, including:
              birth date
              admission date
              date of procedure
              discharge date
              date of death
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social Security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints;
  • Full face photographic images and any comparable images;
  • All geographic subdivisions smaller than a State, including:
              street address
              city
              county
              precinct
              zip code, and their equivalent geocodes
  • Any other unique identifying number, characteristic or code (e.g., pathology accession numbers)
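
The list above doubles as a checklist for de-identifying a record before it leaves a covered system. The following is an added example, not code from the original page or from Partners: it applies the 18 categories to a record held as a Python dictionary. The field names (`name`, `mrn`, `zip_code`, `note`, and so on) are a hypothetical schema assumed for the example, and the sample record is constructed. Direct identifier fields are dropped, date fields are reduced to the year (the one element of a date the list permits), and common identifier patterns that leak into free-text fields such as clinical notes are redacted. The `findings` list records which category triggered each change so a reviewer can audit the result.

```python
"""Safe Harbor-style de-identification check over one patient record.

Added example; not part of the original page or Partners policy. Field names
are a hypothetical schema, and the sample record is constructed data.
"""
import re
from datetime import date

# Fields that hold a direct identifier and are removed outright, mapped to the
# category from the 18-element list that they fall under.
DIRECT_IDENTIFIER_FIELDS = {
    "name": "names",
    "phone": "telephone numbers",
    "fax": "fax numbers",
    "email": "e-mail addresses",
    "ssn": "social security numbers",
    "mrn": "medical record numbers",
    "health_plan_id": "health plan beneficiary numbers",
    "account_number": "account numbers",
    "license_number": "certificate/license numbers",
    "vehicle_id": "vehicle identifiers and serial numbers",
    "device_serial": "device identifiers and serial numbers",
    "url": "URLs",
    "ip_address": "IP addresses",
    "fingerprint_id": "biometric identifiers",
    "photo": "full face photographic images",
    "street_address": "geographic subdivisions smaller than a state",
    "city": "geographic subdivisions smaller than a state",
    "county": "geographic subdivisions smaller than a state",
    "precinct": "geographic subdivisions smaller than a state",
    "zip_code": "geographic subdivisions smaller than a state",
    "pathology_accession": "other unique identifying numbers or codes",
}

# Dates directly related to the individual: kept, but reduced to the year.
DATE_FIELDS = {"birth_date", "admission_date", "procedure_date",
               "discharge_date", "death_date"}

# Identifier shapes that commonly leak into free-text fields.
FREE_TEXT_PATTERNS = [
    ("social security numbers", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("telephone or fax numbers", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("e-mail addresses", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IP addresses", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("URLs", re.compile(r"\bhttps?://\S+")),
    ("full dates", re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),
]


def year_only(value):
    """Reduce a date object or a YYYY-MM-DD string to its year.
    Returns None when the value is not a recognizable date."""
    if isinstance(value, date):
        return str(value.year)
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value))
    return m.group(1) if m else None


def scrub_free_text(text):
    """Redact identifier-like substrings. Returns (scrubbed, categories_found)."""
    found = []
    for category, pattern in FREE_TEXT_PATTERNS:
        if pattern.search(text):
            found.append(category)
            text = pattern.sub("[REDACTED]", text)
    return text, found


def deidentify(record):
    """Apply the checklist to one record. Returns (clean_record, findings),
    where findings is a list of (field, category) explaining each change."""
    clean, findings = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            findings.append((field, DIRECT_IDENTIFIER_FIELDS[field]))
            continue  # dropped entirely
        if field in DATE_FIELDS:
            year = year_only(value)
            if year is None:
                # Unrecognized date format: dropping is safer than guessing.
                findings.append((field, "dates (unrecognized format, dropped)"))
                continue
            clean[field] = year
            findings.append((field, "dates (reduced to year)"))
            continue
        if isinstance(value, str):
            scrubbed, categories = scrub_free_text(value)
            findings.extend((field, c + " (in free text)") for c in categories)
            clean[field] = scrubbed
            continue
        clean[field] = value
    return clean, findings


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "birth_date": "1962-07-14",
    "admission_date": date(2005, 3, 2),
    "zip_code": "02114",
    "diagnosis_code": "E11.9",
    "note": ("Patient called from 617-555-0100 and asked that results be "
             "sent to jane@example.org before the 03/15/2005 follow-up."),
}

if __name__ == "__main__":
    cleaned, why = deidentify(SAMPLE_RECORD)
    print(cleaned)
    for field, category in why:
        print(f"{field}: {category}")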

What are the standards for compliance with the HIPAA Security Rule?

The standards for protecting ePHI are divided into three categories (Administrative, Physical, and Technical) and require that policies and procedures for all three be clearly documented, regularly reviewed, and periodically updated. The level of risk (low, intermediate, high) determined by your assessment of each system will help decide which controls from each of the three categories you employ.

Administrative standards:

Include but are not limited to completing a risk assessment, setting policies, procedures and training on controlling access to and protecting ePHI, conducting periodic security audits, completing Business Associate Agreements in situations where ePHI will be shared outside the Partners Network, and appointing an office/lab security officer to monitor standards.

Physical standards:

Include but are not limited to setting controls on physical access to buildings, offices, labs and devices that house ePHI, setting policies on transfer and back-up of ePHI and the secure disposal of devices that housed ePHI (e.g., hard drives), and developing a system to document the maintenance of computer systems, facility locks, and data closets.

Technical standards:

Include but are not limited to securing the network, servers, desktop computers, laptops, portable devices (e.g., Palm Pilot), and removable media (e.g., diskettes, CDs, thumb drives), securing electronic transfer of data (e.g., email, PGP, SFTP), setting automatic logoff for devices, assigning unique usernames and passwords for each user, and automatic auditing and logging of system access.

For more detailed information on the Administrative, Physical and Technical standards, go HERE (download in .pdf format).

What are some immediate steps you can take to secure ePHI?

Here are some suggestions to get started. For more detailed information on how to comply with the Administrative, Physical, and Technical standards, go HERE (download in .pdf format).

1. Avoid a shared folder environment on your server where all folders are open to all users. Manage permissions using local users and groups and ensure that all users have their own secure usernames and passwords.
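
A quick way to see how far a server is from the "open to all users" state this step warns against is to audit the share for entries that grant access to everyone. The following is an added example, not Partners tooling or code from the original page, and it uses POSIX mode bits as the stand-in for that condition (on a Windows share the same check would read the folder ACLs instead). `audit_share` reports every entry readable or writable by "other", and `harden` clears those bits so access is governed by owner and group membership, which is the local users and groups approach the step describes. The `demo` function builds a constructed share layout in a temporary directory so the before and after can be compared offline.

```python
"""Audit a shared folder for permissions open to every user, then tighten them.

Added example, not part of the original page or Partners tooling. POSIX mode
bits stand in for 'all folders open to all users'; the demo layout and file
contents are constructed and contain no real data.
"""
import os
import stat
import tempfile


def _entries(root):
    """Yield root and every path beneath it (directories and files)."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def audit_share(root):
    """Return sorted (relative_path, octal_mode, problem) for each entry whose
    mode grants 'other' read or write access. Symlinks are skipped because
    their own mode bits do not control access to the target."""
    findings = []
    for path in _entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        perm = stat.S_IMODE(st.st_mode)
        rel = os.path.relpath(path, root)
        if perm & stat.S_IWOTH:
            findings.append((rel, oct(perm), "world-writable"))
        elif perm & stat.S_IROTH:
            findings.append((rel, oct(perm), "world-readable"))
    return sorted(findings)


def harden(root):
    """Clear every 'other' permission bit under root, leaving owner and group
    bits (and setgid on group directories) untouched. Returns the number of
    entries changed."""
    changed = 0
    for path in _entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        perm = stat.S_IMODE(st.st_mode)
        if perm & 0o007:
            os.chmod(path, perm & ~0o007)
            changed += 1
    return changed


def demo():
    """Build a constructed share in a temp dir: one lab folder left open to
    everyone, one restricted to its group. Returns (before, changed, after)."""
    with tempfile.TemporaryDirectory() as root:
        open_lab = os.path.join(root, "open_lab")
        group_only = os.path.join(root, "group_only")
        os.mkdir(open_lab)
        os.mkdir(group_only)
        with open(os.path.join(open_lab, "results.csv"), "w") as f:
            f.write("subject_id,value\nS001,42\n")  # constructed, no PHI
        with open(os.path.join(group_only, "data.csv"), "w") as f:
            f.write("subject_id,value\nS002,17\n")  # constructed, no PHI
        # The anti-pattern: everyone on the system can read and write.
        os.chmod(open_lab, 0o777)
        os.chmod(os.path.join(open_lab, "results.csv"), 0o666)
        # The intended pattern: group access only; setgid keeps new files in
        # the lab's group so membership, not 'other', decides access.
        os.chmod(group_only, 0o2770)
        os.chmod(os.path.join(group_only, "data.csv"), 0o660)

        before = audit_share(root)
        changed = harden(root)
        after = audit_share(root)
        return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    for rel, mode, problem in before:
        print(f"{problem:15} {mode}  {rel}")
    print(f"hardened {changed} entries; remaining findings: {after}")
```

Run against a real share, `audit_share("/path/to/share")` on its own is the safe first step; `harden` changes permissions and should only be applied once the group memberships that will replace open access are in place.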

2. When you view data through a web browser, some of that data will remain on your hard drive in a temporary folder. Clear your web browser temporary files after accessing data via a web application. Learn how HERE.

3. Follow good password practices:

a. Password protect all devices: servers, desktops, portables, removable media (e.g. thumbdrive)

b. Create secure passwords: 6-8 characters with at least one capital letter and one digit.

c. Protect your passwords. Don’t share them or post them next to the machines to which they belong.

d. Use a unique password for each machine and for each user.

4. For non-Partners build servers, desktops, and laptops:

a. Secure new devices before connecting to the Network by applying all security patches and installing anti-virus software. Do the same to keep existing desktops, laptops, and servers secure. Visit Partners Research Computing website HERE for PC information and HERE for Mac information, or call the Help Desk and request that a tech stop by to assist you.

b. Request Partners Information Security to do a vulnerability scan on your servers; this is quick, free and will identify potential security risks and how to mitigate them.

c. Install anti-virus software, set it for auto-update and for scheduled scans. Visit Partners Research Computing website HERE for information.

d. Install and run anti-spyware software regularly as you would anti-virus software. Visit Partners Research Computing website HERE for information.

e. Non-Partners build PCs and Macs do not have the built-in screensaver timeout feature that Partners PCs have. Always log out and clear the browser cache before walking away from a non-Partners build PC or Mac after viewing ePHI. Configure a password-enabled screensaver on non-Partners build PCs and Macs that host or are used to view ePHI; this may not be possible in all instances. For directions on how to configure a password-enabled screensaver for the Mac, go HERE. For a PC, go HERE (PHS internal only links).

5. For E-mail guidelines see the Partners policy 'Safeguarding Electronic Communications' (this includes information on fax, e-mail, pagers, etc.) (PHS internal only link).

6. Securely dispose of all devices that housed ePHI (PCs, Macs, servers, hard drives, other removable media). For more information see the webpage 'Computer Disposal' (PHS internal only link).