HIPAA Compliance: HIPAA Security Rule Compliance and the IBM i
While it’s difficult to cover everything about implementing Health Insurance Portability and Accountability Act (HIPAA) compliance in a single blog, we can slice up sections of HIPAA compliance and discuss how they can be carried out in an IBM i environment. Today, let’s look at HIPAA’s Security Rule and see how it’s requirements can be used to protect Electronic Protected Health Information (e-PHI) on an IBM i.
What is the HIPAA Security Rule?
Title II of the Health Insurance Portability and Accountability Act of 1996 covers Administrative Simplification (AS) provisions. AS requires the establishment of national standards for electronic health care transactions, as well as providing national identifiers that cover different entities in the health care system
For IBM i compliance, it’s those national standards we’re interested in, particularly the standards regarding e-PHI. Standards created under the AS provisions are intended to increase health care system efficiency for the use and dissemination of health-care information.
HIPAA’s Title II does this by offering these five rules for compliance:
- The Privacy Rule, which regulates the use and disclosure of e-PHI data held by “covered entities.”
- The Transactions and Code Sets Rule, which requires all health care plans to use standardized HIPAA transactions, including EDI transmissions.
- The Security Rule compliments the Privacy Rule and describes three different types of security standards for e-PHI protection: administrative safeguards, physical safeguards, and technical safeguards. It also requires covered entities to perform risk analysis as part of their security management process.
- The Unique Identifiers rule, which states that electronic transactions must only use the National Provider Identifier (NPI) to identify covered healthcare providers.
- The Enforcement Rule, which sets standards for investigations, hearings, and civil monetary penalties for HIPAA violations.
For our purposes, we’ll focus on the Security Rule which deals specifically with Electronic Protected Health Information.
What the Security Rule covers?
The HIPAA Security Rule is highly technical. It establishes a national set of standards for protecting health information that is held or transmitted in electronic form. According to the US Department of Health and Human Services (HHS), the Security Rule provides standards that include the following areas:
- Risk Analysis and Management
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
When the e-PHI data resides on an IBM i system, those standards can be addressed by specific IBM i software types and services, that are included in this post, where appropriate. Here’s a quick overview of some of the items covered by each Security Rule area.
Risk Analysis and Management
Covered entities must perform risk analysis and management as part of their security management processes. It helps determine which policies and procedures (P&P) are “reasonable and appropriate” for covered entities. Risk analysis and management also informs and affects the implementation of all the other safeguards covered by the Security Rule. Per HHS, risk analysis should be an ongoing process that covers the following areas:
- Evaluating the likelihood and potential risks to e-PHI (analysis).
- Implementing security measures to address those risks (implementation);
- Documenting the chosen security measures, as well as the reasoning behind adopting those measures (documentation).
- Maintaining security protections in a continuous, reasonable, and appropriate manner (maintenance)
- Regularly reviewing records to track e-PHI access; detect security incidents; evaluate how effective your security measures are; and reevaluate potential risks (auditing).
Administrative safeguards cover the administrative security policies and procedures in place and how well they adhere to the Security Rule. These standards include:
- Security Management Process – How covered entities identify and analyze risks and how they implement security measures that reduce those risks.
- Security Personnel – Covered entities must have a defined “security official” who is responsible for designing and implementing security policies and procedures.
- Information Access Management – Implemented policies and procedures for authorizing access to e-PHI data, as appropriate and based on the user’s role (role-based access).
- Workforce Training and Management – Authorization, supervision, training, and enforcement of all security policies and procedures.
- Evaluation – Periodic reviews and assessments of how well security policies and procedures meet Security Rule requirements.
Physical safeguard policies and procedures that protect access to e-PHI data must include:
- Facility Access and Control – Limiting physical access to facilities while allowing access for authorized users.
- Workstation and Device Security – Policies and procedures covering proper use and access to workstations and electronic media. It also includes P&P for transferring, removing, re-using, and disposing of electronic media.
Technical safeguards refer to policies and procedures to insure that the technical, hardware, and software infrastructure for covered entities protects e-PHI, including:
- Access controls – P&P that allow only authorized persons to access e-PHI. On an IBM I, exit point monitoring and intrusion prevention programs such as iSecurity Firewall can control access from external sources and help control what users can do once they get access.
- Audit controls – Hardware, software, and procedural mechanisms that record and examine access and activity in systems containing or using e-PHI. Vendor programs such as SEA’s iSecurity Audit can help IBM i shops audit activity, provide audit reports, and trigger alerts when suspicious activity is detected. IBM i data can also be integrated with an enterprise Security Enterprise Information System (SEIM) by using a product such as iSecurity Syslog to include IBM i e-PHI data in network-wide reporting.
- Integrity controls – P&P that prevent and insure that e-PHI data has not been improperly altered or destroyed. Many vendors offer IBM field level change products such as SEA’s iSecurity AP Journal that allow you to set triggers for real-time updates when sensitive database information is accessed or changed.
- Transmission security – Technical security measures that guard against unauthorized access to e-PHI data that is transmitted over an “electronic network”. IBM i encryption using a product such as absCompress, is a popular way of ensuring transmission security for IBM i-based e-PHI data.
3 Tips for IBM i HIPAA Security Rule Implementation
Today’s blog is just an overview for IBM i compliance with the HIPAA Security Rule Here are three additional tips for ensuring your IBM i e-PHI data is compliant with the HIPAA Security Rule and other aspects of HIPAA compliance.
First, get a security compliance audit. Many vendors offer IBM i compliance evaluation services, such as SEA’s iSecurity Compliance Evaluator. These evaluations can be used both while you’re planning HIPAA compliance activities and for the regular reviews of e-PHI activities that are required by the Security Rule’s Risk analysis and management function.
Second, don’t DIY your HIPAA compliance. Use professional software. Writing your own HIPAA compliance software is time-consuming and it takes away your most valuable resource (application developers) from developing revenue-enhancing software for your business. As shown above, there are many different third-party applications that can help you satisfy Security Rule requirements. Maximize your programmers’ time by taking advantage of existing products that are updated on a regular basis.
Finally, partner with a professional that has experience with IBM i HIPAA compliance. HIPAA has significant requirements that are easier to navigate by using professionals who know the health-care landscape. Feel free to contact us at SEA Software for advice and recommendations on helping you achieve your HIPAA goals.