Technical Safeguards is the third section of the HHS Security Matrix that focuses on policies and procedures an organization has in place to protect patient data through technology solutions. The Security Rule is based on the fundamental concepts of flexibility, scalability, and technology neutrality. Therefore, no specific requirements for types of technology to implement are identified. The Rule allows a covered entity to use any security measures that allows it reasonably and appropriately to implement the standards and implementation specifications. A covered entity must determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization.
Access Control 45 CFR § 164.312(a)(1) Access can be defined as the ability or the means necessary to read, write, modify, or communicate data/information. Access controls provide users with the rights to access ePHI to perform their job functions. It is important to note that all users must only have access to the level required to do their job, also known as minimum necessary.
Unique User Identification 45 CFR § 164.312(a)(2)(i) User identification is a way to identify a specific user, typically by name and/or number. A unique user identifier allows an entity to track user activity when that user is logged into an information system. It enables an entity to hold users accountable for functions performed on information systems with ePHI when logged into those systems. All users must have a separate username and password so the audit logs will monitor the activity accurately.
Emergency Access Procedure 45 CFR § 164.312(a)(2)(ii) These documented procedures are instructions and operational practices for obtaining access to ePHI during an emergency situation. Access controls are necessary under emergency conditions, although they may be very different from those used in normal operational circumstances. Covered entities must determine the types of situations that would require emergency access to an information system or application that contains ePHI. Procedures must be established in advance to instruct employees on possible ways to gain access to needed ePHI.
Automatic Logoff 45 CFR § 164.312(a)(2)(iii) Users should logoff the system they are working on before they walk away and leave it unattended. However, there will be times when workers may not have the time, or will not remember, to log off. Automatic logoff is an effective way to prevent unauthorized users from accessing ePHI if the workstation is unattended.
Encryption and Decryption 45 CFR § 164.312(a)(2)(iv) Encryption is a method of converting an original message of regular text into encoded text. If information is encrypted, there would be a low probability that anyone other than the receiving party who has the key to the code or access to another confidential process would be able to decrypt the text and be able to read it.
Audit Controls 45 CFR § 164.312(b) Most information systems have some level of audit controls with a reporting method. For instance, EHR’s have reports a user can download and monitor for abnormal behavior. If your EHR does not utilize user friendly reports it may be necessary to include hardware, software, and/or other mechanisms to record and examine your information system such as adding domain controller, a business class firewall device, or specialized software to track access to the network. It is important to point out that the Security Rule does not identify data that must be gathered by the audit controls or how often the audit reports should be reviewed. A covered entity must consider its risk analysis and organizational factors, such as current technical infrastructure, hardware and software security capabilities, to determine reasonable and appropriate audit controls for information systems that contain or use ePHI.
Let Aris work with you for an easy online path to HIPAA compliance