DRAFT HIPAA Security Standard - Secure Research Cloud

Description:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes a set of national standards for the protection of individually identifiable health information, known as Protected Health Information (PHI). The HIPAA Security Rule specifically addresses the security of electronic PHI (ePHI).

Scope:

This standard applies to the Secure Research Cloud (SRC) environment where ePHI may be stored, processed, or transmitted. The SRC is an enclave designed for conducting sensitive research, in which data may move into and out of the environment only through defined and controlled paths.

Security Requirements:

The HIPAA Security Rule requires covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. These safeguards include:

  • Administrative Safeguards: Policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures. Examples include security awareness training, risk analysis, and contingency planning.

  • Physical Safeguards: Measures to protect electronic systems, equipment, and the data they hold, from unauthorized access, damage, or theft. Examples include facility access controls, workstation security, and device and media controls.

  • Technical Safeguards: Automated processes used to protect data and control access to ePHI. Examples include access controls, audit controls, and encryption.

Implementation:

Covered entities must conduct a risk analysis to identify potential threats and vulnerabilities to ePHI and implement appropriate security measures to address those risks. Security measures should be documented and reviewed periodically to ensure their effectiveness.

Specific Requirements:

  • Access Control: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to authorized individuals.

  • Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

  • Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

  • Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

  • Transmission Security: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Additional Considerations:

  • Mobile Devices: If mobile devices are used to access or store ePHI, appropriate security measures must be implemented, such as encryption, password protection, and remote wipe capabilities.

  • Cloud Storage: If ePHI is stored in the cloud, ensure that the cloud provider meets HIPAA security requirements and that a Business Associate Agreement (BAA) is in place.

  • Data Disposal: When disposing of electronic media that contains ePHI, ensure that the data is properly sanitized or destroyed to prevent unauthorized access.

Enforcement:

The HIPAA Security Rule is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). OCR has the authority to investigate complaints and impose penalties for violations of the HIPAA Security Rule.

Related:

  • HIPAA Security Rule

  • NIST Cybersecurity Framework

  • HHS Office for Civil Rights (OCR)

Definitions:

  • Covered Entity: A health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.

  • Protected Health Information (PHI): Individually identifiable health information that is transmitted or maintained in any form or medium, including electronic, paper, or oral.

  • Electronic Protected Health Information (ePHI): PHI that is transmitted or maintained in electronic media.

Revision History:

  • Date: [Insert Date]

  • Version: 1.0

  • Description: Original Document Draft

  • Approval: [Insert Approving Authority]