HIPAA Compliance Development | The HIPAA Safeguards and De-Identification Standard
In the first part we saw what information must be safeguarded and who is covered under HIPAA. This second installment focuses on one of the most important pieces: the HIPAA safeguards and the de-identification standard.
The HIPAA Security Rule
The HIPAA Security Rule applies to a subset of the information covered by the Privacy Rule: individually identifiable health information that is created, received, maintained or transmitted in electronic form. The Security Rule calls this information "electronic protected health information" (e-PHI).
It sets out the standards a covered entity (and its business associates) must meet to protect the confidentiality, integrity and availability of the e-PHI it creates, maintains or uses. As this is only an overview, it does not cover every detail of the rule. The standards are grouped into three categories of safeguards:
- Administrative Safeguard
- Technical Safeguard
- Physical Safeguard
Administrative Safeguards
These define the administrative policies and procedures that covered entities and their business associates must put in place to protect the confidentiality, integrity and availability of e-PHI. They cover workforce training, security evaluations, a sanction policy, business associate agreements (BAAs), risk analysis and risk management.
Security Management Process
- Conduct a risk analysis at regular intervals to identify potential risks and vulnerabilities to e-PHI, and implement security measures sufficient to reduce those risks to a reasonable and appropriate level.
- Implement procedures to regularly review information system activity: audit logs, access logs and incident reports. Maintain a sanction policy for workforce members who fail to comply with the covered entity's security policies and procedures.
Information Access Management and Contingency Plan
- Implement policies and procedures that define which users and workstations may create, modify and access e-PHI. The covered entity is responsible for granting and revoking that access and for keeping records of those actions.
- Establish policies and procedures for handling e-PHI in emergencies so that operations can continue, including data backup and disaster recovery plans.
Workforce Security, Training and Others
- Appoint a security official who is responsible for developing and implementing the covered entity's security policies and procedures and for ensuring they are followed.
- Provide periodic training to the workforce covering security reminders, password management, procedures for monitoring log-in attempts, software installation policies, protection from malicious software and so on.
- Have a Business Associate Agreement (BAA) with every partner that accesses or handles e-PHI on the covered entity's behalf.
Technical Safeguards
These outline how your information technology systems should be designed and operated to protect e-PHI.
- Each user must have a unique identifier across all systems so that activity in e-PHI systems can be traced to an individual; shared accounts defeat this.
- An emergency access procedure should define how authorized staff obtain e-PHI during an emergency without bypassing access controls. Systems should automatically terminate a session after a predefined period of inactivity.
- Encryption and decryption mechanisms should protect e-PHI at rest, and only authorized applications and users should hold the keys needed to decrypt it. Key management is what makes this meaningful: a key stored beside the ciphertext protects nothing.
- Data transmitted between systems must be protected against improper modification and disclosure, which in practice means encrypting it in transit.
- Encrypt e-PHI in transit, e.g. with TLS. Note that TLS protects each connection hop, so any intermediary that terminates TLS (a load balancer or proxy) sees plaintext and is in scope.
Audit, Integrity and Others
- Hardware and software mechanisms must record activity in information systems that contain or use e-PHI and allow that activity to be examined (audit controls).
- Policies, procedures and technical controls must protect e-PHI from improper alteration or destruction (integrity controls), and the audit trail itself needs the same protection, since a log that can be silently edited proves nothing.
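As an added example (not code from the original article), the following Python shows one way to implement the audit and integrity controls together: an append-only audit trail in which each entry is chained to its predecessor by an HMAC, so that editing, reordering or deleting an entry is detected on verification. The key, user identifiers, resource names and events are constructed for the example and are not part of the standard.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Key held only by the audit service; constructed value for this example.
AUDIT_KEY = b"example-audit-key-do-not-use-in-production"

GENESIS = "0" * 64  # "previous MAC" of the first entry in a chain


class AuditLog:
    """Append-only audit trail. Every entry carries an HMAC over its own fields
    plus the MAC of the previous entry, so an edit, reorder or deletion breaks
    the chain from that point onward."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    def _mac(self, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def record(self, user_id: str, action: str, resource: str, when: datetime) -> dict:
        """Append one event. user_id must be a unique per-person identifier
        (the unique user identification safeguard), never a shared account."""
        body = {
            "ts": when.astimezone(timezone.utc).isoformat(),
            "user": user_id,
            "action": action,
            "resource": resource,
            "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        entry = dict(body, mac=self._mac(body))
        self.entries.append(entry)
        return entry

    def verify(self, entries=None) -> int:
        """Return the index of the first entry that fails verification, or -1 if
        the whole chain is intact. Also works on a copy exported from storage."""
        entries = self.entries if entries is None else entries
        prev = GENESIS
        for i, entry in enumerate(entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body.get("prev") != prev:
                return i  # a predecessor was removed, reordered or altered
            if not hmac.compare_digest(self._mac(body), entry.get("mac", "")):
                return i  # this entry's own fields were altered
            prev = entry["mac"]
        return -1


def build_sample_log() -> AuditLog:
    """Constructed sample of three e-PHI access events."""
    log = AuditLog(AUDIT_KEY)
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    log.record("u-1042", "read", "patient/8831", t0)
    log.record("u-1042", "update", "patient/8831", t0.replace(minute=12))
    log.record("u-2007", "read", "patient/8831", t0.replace(minute=30))
    return log


def tamper_demo() -> tuple[int, int, int]:
    """Show that an intact chain verifies, while an edited entry and a deleted
    entry are both detected at the position where the chain breaks."""
    log = build_sample_log()
    intact = log.verify()
    edited = [dict(e) for e in log.entries]
    edited[1]["user"] = "u-9999"                  # rewrite who made the change
    deleted = log.entries[:1] + log.entries[2:]   # drop the update event
    return intact, log.verify(edited), log.verify(deleted)


if __name__ == "__main__":
    print(tamper_demo())  # (-1, 1, 1)
```

Two caveats a practitioner should keep in mind: whoever holds the HMAC key can recompute the chain, so the key must live with the audit service (or an HSM), not with the application that writes to the log store; and truncating the tail of the chain is undetectable unless the latest MAC is periodically anchored somewhere the log writer cannot alter.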
Physical Safeguards
Physical safeguards are the policies and procedures that protect the hardware and facilities holding e-PHI from natural and environmental hazards and from unauthorized intrusion or theft.
They apply to the cloud provider you use, to every physical device that can access e-PHI, and to every workstation of the workforce. Hosting providers such as AWS and Azure handle the controls for their own data centers (and you need a BAA with the provider), but the security of your devices and workstations, and the processes around who may access e-PHI from them, remain your responsibility.
Facility Access Controls
- This mostly applies to the hosting/cloud provider. Policies and procedures should define how the facilities holding e-PHI are accessed in an emergency; this concerns access to the physical facilities rather than to software.
- Implement procedures to control and validate an individual's access to facilities based on role or function, to prevent unauthorized access or theft.
- Document repairs and modifications to physical security components such as doors, locks and alarms.
Device and Media Controls
- Define how devices and media that hold e-PHI are disposed of, and how their data is backed up before they are moved.
- Remove e-PHI from electronic media before the device or media is reused or leaves your control; plain deletion is not enough, so overwrite, cryptographically erase or physically destroy it.
Workstation Use and Security
- Workstations are laptops, desktop computers and devices with similar functionality that store or access e-PHI.
- Covered entities should specify which functions may be performed on workstations and implement measures that restrict physical access to workstations to authorized users.
Some implementation specifications are "required" and others are "addressable". Required ones must be implemented. Addressable ones are not optional: you must assess whether each is reasonable and appropriate for your environment, implement it if so, and otherwise document why not and implement an equivalent alternative measure. When in doubt, implement it. Most of these will already be covered by a sound system design and architecture, since they are largely established best practices. Please check the link for more information about the safeguards.
De-Identification and its Rationale
With the increased focus on the digitization of health data and on medical research, PHI has to be shared with third parties for research, analytics, comparative effectiveness studies and so on. To mitigate the privacy risk of such sharing, a de-identification standard is needed.
De-identification is the process of removing or obscuring personal identifiers from health data so that it can no longer be associated with an individual. De-identified data is not necessarily anonymous in the absolute sense: the covered entity may keep a re-identification code so that records can be linked back when required, provided the code is not derived from information about the individual and the re-identification mechanism is not disclosed. HIPAA defines two methods of de-identification:
- Expert Determination method
- Safe Harbor method
Expert Determination Method
This method relies on a person with appropriate knowledge of, and experience with, generally accepted statistical and scientific principles and methods for rendering information not individually identifiable.
The expert follows a series of steps to assess the risk of identification:
- Review: The expert evaluates to what extent the health data can be associated with an individual. Software tools or manual methods can be used to find the personally identifying information.
- Removal and Masking: The expert coordinates with the data manager to decide which statistical or scientific methods will be applied to the health data, and applies them.
- Review: After removal and masking, the data set is reviewed again for residual risk and to confirm that it remains useful for its intended purpose. The expert determines that the risk of identification is very small when the data is disclosed to the anticipated recipients.
- Documentation: The expert documents every action taken and every software tool used. This documentation can be provided to auditors if a compliance question arises.
Safe Harbor Method
The Safe Harbor method is more straightforward than expert determination. It requires removing 18 defined categories of identifiers of the individual and of the individual's relatives, employers and household members, and it additionally requires that the covered entity has no actual knowledge that the remaining information could be used to identify the individual. Once de-identified, the data is no longer PHI and may be shared without the Privacy Rule's restrictions.
Some of the identifiers:
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code and their equivalent geocodes (the first three digits of a ZIP code may be kept if the area formed by all ZIP codes sharing those digits contains more than 20,000 people; otherwise they are changed to 000).
- All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date and date of death, and all ages over 89 (which may be aggregated into a single "90 or older" category).
- Electronic mail addresses
- Account numbers
- Internet Protocol (IP) address numbers
- Biometric identifiers, including fingerprints and voiceprints
- Full-face photographic images and any comparable images
The full list of the identifiers can be found under the Safe Harbor section here. Once health data has been de-identified by either method, it is no longer PHI and is outside the Privacy Rule's restrictions; other laws or contracts may still limit its use, and the residual risk of re-identification does not disappear just because the legal status changes.
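As an added example (not code from the original article), the following Python applies the Safe Harbor rules discussed above to one patient record: direct identifiers and sub-state geography are dropped, dates are reduced to the year, ZIP codes are truncated to three digits (or 000 for sparsely populated areas), ages over 89 are collapsed into a 90+ category with the birth year removed, and free text is scrubbed with patterns. The field names, the set of sparse ZIP prefixes and the sample record are constructed assumptions. Pattern-based scrubbing of free text is best effort only; Safe Harbor requires that names and other identifiers in notes are actually gone, which in practice needs review or a dedicated tool.

```python
import re
from datetime import date

# Fields holding direct identifiers: removed outright. Field names are an
# assumption about the input schema, not part of the standard.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "email", "phone", "fax", "ssn", "mrn", "account_number",
    "health_plan_id", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "photo_url",
}
# Geographic subdivisions smaller than a state: removed. ZIP is handled separately.
GEO_FIELDS = {"street", "city", "county", "precinct"}
# Dates directly related to the individual: reduced to the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Free-text fields scrubbed with patterns (best effort).
TEXT_FIELDS = {"notes"}

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer must be
# reported as 000. Constructed placeholder; load the real set from census data.
SPARSE_ZIP3 = {"036", "059", "102", "203", "556", "692", "790",
               "821", "823", "878", "879", "884", "893"}

TEXT_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\b(?:\d{3}[-.\s]?)?\d{3}[-.\s]?\d{4}\b"), "[PHONE]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits, or 000 for a sparsely populated prefix."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(digits) < 3 or digits in SPARSE_ZIP3 else digits


def year_of(value):
    """Year of an ISO date; unparseable input is dropped rather than passed through."""
    try:
        return date.fromisoformat(value).year
    except (TypeError, ValueError):
        return None


def age_on(birth: date, as_of: date) -> int:
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def scrub_text(text: str) -> str:
    for pattern, token in TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def safe_harbor_deidentify(record: dict, as_of: date) -> dict:
    """Return a new record with the Safe Harbor identifiers removed or generalized.
    as_of is the reference date used to compute age (deterministic for testing)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in GEO_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            year = year_of(value)
            if year is not None:
                out[key + "_year"] = year
        elif key in TEXT_FIELDS:
            out[key] = scrub_text(value)
        else:
            out[key] = value
    # Ages over 89, and any date element that would reveal one (including the
    # birth year), collapse into a single 90+ category.
    if "birth_date_year" in out:
        age = age_on(date.fromisoformat(record["birth_date"]), as_of)
        if age > 89:
            del out["birth_date_year"]
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


# Constructed sample record; every value here is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "email": "jane.sample@example.com",
    "mrn": "MRN-00012345",
    "ip_address": "203.0.113.7",
    "street": "12 Example Street",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "birth_date": "1931-05-02",
    "admission_date": "2023-02-11",
    "discharge_date": "2023-02-15",
    "diagnosis_code": "E11.9",
    "notes": "Follow-up call to 555-0134; contact jane.sample@example.com from 203.0.113.7.",
}


def deidentify_sample() -> dict:
    return safe_harbor_deidentify(SAMPLE_RECORD, as_of=date(2023, 2, 15))


if __name__ == "__main__":
    print(deidentify_sample())
```

The design choice worth noting is that the function builds a new record from an allow-list of transformations rather than deleting known-bad keys from the original: a field the schema did not anticipate still passes through unchanged, so new columns must be classified before the pipeline is trusted with them.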
The knowledge and details shared in this article are based on Fission Labs' 10+years of experience in delivering digital healthcare products. We are in no way promoting ourselves to be subject matter experts in HIPAA compliance and/or related topics. Nothing in this article should be considered as or should constitute legal advice.
Content Credit: Samarendra Kandala