Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Guidelines for HIPAA Security Rule Compliance
University of California

1. INTRODUCTION

This document is intended to assist UC campus and medical center directors and managers in determining which practices to implement to achieve compliance with the HIPAA Security Rule. The recommendations are consistent with UC IT security policy and generally accepted information security practices. The Security Rule standard and implementation specification addressed by each recommendation is cited with it.

This guidance seeks to establish the minimally acceptable practices necessary to comply with both the required and the addressable standards of the HIPAA Security Rule. The federal government intended the HIPAA standards to be flexible and scalable, applying both to large, sophisticated users and to small operations. Because the University is a large and diverse covered entity, no assumptions can be made about its systems, which range from a laptop to a mainframe and from a small branch of student health services to a major medical center. Some very complex hospital systems are legacies of an era in which current security concerns were not considered; these legacy systems may not be able to meet all current security standards, and alternative measures will need to be implemented and documented for them. This guidance aims to encompass that diversity while establishing high standards for the protection of sensitive information.

2. UNIVERSITY POLICY

University policy specifically defines how confidential information is to be managed, and these recommendations are in agreement with HIPAA because both are based on the same generally accepted information security principles (GAISP). Business and Finance Bulletin IS-3, Electronic Information Security, establishes broad guidelines for University compliance with federal and state law and includes standard professional information technology security recommendations. The provisions of BFB IS-3 address the general policy requirements specified by HIPAA. IS-3 does not contain specific procedural recommendations; these must be determined by each campus in its own implementation.

Access to protected data is governed by state and federal laws, both in terms of the protection of data about individuals and in terms of its disclosure. For discussion of what constitutes personal data, see BFB RMP-8, Privacy and Access to Information about Individuals.

The Electronic Communications Policy (ECP) clarifies the principles of academic freedom, shared governance, freedom of speech, and privacy as they relate to electronic communications. The ECP establishes a high standard for nonconsensual access to individuals' electronic communications and requires that each campus establish implementation guidelines to ensure compliance with its provisions.

3. HIPAA SECURITY RULE

In April 2003 the University completed a major effort to achieve compliance with the Privacy Rule (45 CFR Parts 160 and 164) implementing the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The focus of the Privacy Rule was the management of protected health information (PHI).

By April 20, 2005 all covered entities must be compliant with the Security Rule (45 CFR Parts 160, 162 and 164). The Security Rule covers electronic creation, transfer, storage and receipt of PHI (ePHI) and was issued in its final form in April 2003.

The University is a hybrid covered entity under this regulation, which means that as an organization it performs covered health care functions alongside other, completely separate functions.

HIPAA defines electronic protected health information (ePHI) as individually identifiable health information that is created or received by a health care provider, that relates to the past, present, or future physical or mental health of an individual, and that is transmitted by or maintained in electronic media. The definition of PHI in the Privacy and Security Rules excludes education records covered by FERPA and employment records held by UC in its role as employer.

Implementation specifications are either required or addressable. A covered entity must implement every required implementation specification. For each addressable implementation specification, the covered entity must:

  1. Assess whether the implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
  2. As applicable to the entity:
     (A) Implement the implementation specification if reasonable and appropriate; or
     (B) If implementing the implementation specification is not reasonable and appropriate:
         (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
         (2) Implement an equivalent alternative measure if reasonable and appropriate.

Note that "addressable" does not mean optional: the assessment and the resulting decision must be documented whichever option is chosen.

References to standards and specifications in the following recommendations indicate whether the specification is required (R) or addressable (A).

HIPAA requires that a security official be assigned responsibility for developing and implementing the security policies and procedures (§164.308(a)(2))(R). On February 7, 2005, Senior Vice President Mullinix requested that campuses, laboratories, and hospitals each appoint a HIPAA Security Officer. This individual should work closely with the systemwide task force, under the direction of the University's designated HIPAA Privacy and Security Officer, to ensure consistent compliance across the University.

Every covered entity (campus and medical center) must implement policies and procedures to prevent, detect, contain, and correct security violations (§164.308(a)(1))(R). Every covered entity must oversee a survey of all uses and locations of ePHI and make recommendations to preserve its confidentiality, integrity, and availability. Every campus will establish a clear process for reporting suspected security incidents and for incident handling, including documentation, determination of notification requirements, remediation, and reporting to management (§164.308(a)(6))(R).

See Appendix A for the complete list of HIPAA Security Rule standards and implementation specifications.

4. RECOMMENDED PRACTICES

Index of Topics

The following list identifies all the practices that should be implemented. Section 5, Considerations for Technical Solutions, provides discussion regarding selected technical solutions.

•  Workforce Identity and Account Management

•  Information Management

•  Continuity Planning and Disaster Recovery

•  Electronic Mail

•  Data Centers

•  Remote Access

•  Information for Users

A. Workforce Identity and Account Management

  1. Determine which individuals are authorized to work with ePHI, using a role-based access approach (§164.308(a)(3))(A).
  2. Establish security training for all members of the UC workforce who are involved in the creation, transmission, and storage of ePHI. Ensure that the training program includes periodic security reminders and is updated to take into account current vulnerabilities and threats (§164.308(a)(5))(A).
  3. Take disciplinary action, in accordance with University personnel policies and guidelines, against workforce members who fail to comply with University policy and procedures, including information security policy and procedures. (See Personnel Policies for UC Staff Members.) (§164.308(a)(1))(R).
  4. Verify the identity of each individual or entity authorized to access ePHI, and ensure that the identity is correctly bound to a unique user identification ("sign-on") for access to ePHI (§164.308(a)(4))(A) (§164.312(a)(1))(R) (§164.312(d))(R).
  5. Ensure appropriate access control mechanisms for authorized users' access to any ePHI. For systems with the capability, require strong electronic authentication, such as sufficiently complex passwords or cryptographic key mechanisms, to access systems containing ePHI (§164.308(a)(5))(A).
  6. Establish account maintenance procedures that ensure termination of accounts, or changes in access privileges, for individuals or entities who have left the University or are no longer authorized to access ePHI (§164.308(a)(4))(A).
  7. Carefully manage system administrator accounts so that they are used only for specific system administration functions. Keep the number of these accounts to a minimum and provide them only to personnel authorized to perform identified functions. Change the passwords or other credentials of shared administrator accounts whenever a systems staff member who had access to them leaves.
  8. Log activities performed by system administrator accounts and review the logs on a regular basis (§164.308(a)(1))(R) (§164.308(a)(5))(A).

B. Information Management

  1. Identify relevant information systems (§164.308(a)(1))(R).
  2. Ensure that agreements with third parties contain language requiring that University ePHI receive appropriate safeguards (§164.308(b)(1))(R).
  3. Conduct risk assessments to identify the electronic information resources that require protection, and to understand and document the risks from security failures that may cause loss of confidentiality, integrity, or availability. Risk assessments should take into account the potential adverse impact on the University's reputation, operations, and assets (§164.308(a)(1))(R). They should include analysis of scenarios that may result in modification of ePHI by unauthorized sources (§164.312(c)(1))(A).
  4. Select appropriate mechanisms to safeguard data in proportion to the sensitivity or criticality determined by the risk assessment (§164.308(a)(1))(R). Procedures should address risks to the integrity of ePHI resulting from unauthorized access (§164.312(c)(1))(A). In particular:

     •  Harden systems containing ePHI against known operating system vulnerabilities.
     •  Where appropriate, install firewalls and intrusion detection software to reduce the threat of unauthorized remote access (§164.308(a)(5))(A).
     •  Protect sensitive data with appropriate strategies, such as removal of restricted data from data sets (de-identification), secure file transfer, and use of web browser security standards, virtual private networks, and encryption (§164.312(a)(1))(A).
     •  Protect all devices against malicious software, such as computer viruses, Trojan horses, spyware, etc. (§164.308(a)(5))(A).
     •  Use change management practices for systems containing ePHI.
     •  Run only versions of operating system and application software for which security patches are still being made available, and install those patches in a timely manner on networked devices.

  5. Implement procedures to ensure regular review of log-in attempts and system activity, including reporting of discrepancies (§164.308(a)(1))(R) (§164.308(a)(5))(A).
  6. Where possible, terminate electronic sessions after a period of inactivity (§164.312(a)(2)(iii))(A).
  7. Thoroughly scrub all ePHI from any storage media prior to disposal or re-use (§164.310(d)(1))(R).
  8. Implement appropriate logical security measures, such as encryption, to protect data from unauthorized access if systems or workstations containing ePHI cannot be housed in a professionally managed secure location, i.e., a data center (§164.312(a)(2)(iv))(A).
  9. Back up data and software on an established schedule. Back-up copies should be stored in a physically separate location from the data source (§164.308(a)(7))(R).
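
The following is an added example, not part of this guidance and not the procedure of any UC system, of how the regular review of log-in attempts and system activity called for above, together with the monitoring of system administrator accounts in section A, can be run over an exported log. The "key=value" log format, the field names, the failure threshold and window, the administrator account names and the business-hours window are all assumptions made for the example; the log lines are constructed sample data.

```python
"""Added example: regular review of sign-on attempts and administrator activity.

Not UC code.  The 'key=value' log format, field names, thresholds and
business-hours window are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): time, account, source, outcome.
SAMPLE_LOG = """\
2005-03-14T02:10:03 user=sysadm src=172.16.5.9 result=OK
2005-03-14T02:11:15 user=sysadm src=172.16.5.9 result=OK
2005-03-14T08:02:11 user=jsmith src=10.20.1.15 result=OK
2005-03-14T09:15:01 user=mchen src=198.51.100.7 result=FAIL
2005-03-14T09:15:09 user=mchen src=198.51.100.7 result=FAIL
2005-03-14T09:15:17 user=mchen src=198.51.100.7 result=FAIL
2005-03-14T09:15:26 user=mchen src=198.51.100.7 result=FAIL
2005-03-14T09:15:33 user=mchen src=198.51.100.7 result=FAIL
2005-03-14T09:16:02 user=mchen src=198.51.100.7 result=OK
2005-03-14T10:30:00 user=tkim src=10.20.1.31 result=FAIL
2005-03-14T11:30:00 user=tkim src=10.20.1.31 result=OK
2005-03-14T14:05:44 user=sysadm src=172.16.5.9 result=OK
"""

# Review thresholds: assumptions for this example, not values set by UC policy.
FAIL_THRESHOLD = 5                     # this many failures ...
FAIL_WINDOW = timedelta(minutes=10)    # ... within this window is a burst
ADMIN_ACCOUNTS = {"sysadm", "root"}    # administrator accounts (section A, item 8)
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59; anything else is off-hours


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime."""
    stamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["time"] = datetime.fromisoformat(stamp)
    return record


def review(log_text):
    """Return discrepancies as (kind, account, detail) tuples for the review report."""
    records = sorted((parse_line(line) for line in log_text.splitlines() if line.strip()),
                     key=lambda r: r["time"])
    findings = []

    # 1. Bursts of failed sign-ons per (account, source).  A burst followed by a
    #    success is reported separately because the password may have been guessed.
    recent_failures = defaultdict(list)
    for r in records:
        key = (r["user"], r["src"])
        if r["result"] == "FAIL":
            # keep only the failures that fall inside the sliding window
            window = [t for t in recent_failures[key] if r["time"] - t <= FAIL_WINDOW]
            recent_failures[key] = window + [r["time"]]
        else:
            if len(recent_failures[key]) >= FAIL_THRESHOLD:
                findings.append(("burst-then-success", r["user"],
                                 f"{len(recent_failures[key])} failures from {r['src']} "
                                 f"before success at {r['time'].isoformat()}"))
            recent_failures[key] = []
    for (user, src), times in recent_failures.items():
        if len(times) >= FAIL_THRESHOLD:
            findings.append(("failure-burst", user, f"{len(times)} failures from {src}"))

    # 2. Administrator account sign-ons outside business hours.
    for r in records:
        if (r["user"] in ADMIN_ACCOUNTS and r["result"] == "OK"
                and r["time"].hour not in BUSINESS_HOURS):
            findings.append(("admin-off-hours", r["user"],
                             f"sign-on at {r['time'].isoformat()} from {r['src']}"))
    return findings


if __name__ == "__main__":
    for kind, account, detail in review(SAMPLE_LOG):
        print(f"{kind:20} {account:10} {detail}")
```

Run against the sample, the review reports one burst of five failures for "mchen" that ended in a successful sign-on and two off-hours sign-ons by "sysadm"; the single failure for "tkim" falls below the threshold and is not reported. The thresholds are where a campus would substitute its own policy values.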

C. Continuity Planning and Disaster Recovery

  1. Ensure that business continuity planning includes measures to enable continuation of critical business processes while operating in emergency mode, and to recover from a disaster that renders resources unavailable for longer than an acceptable period of time (§164.308(a)(7))(R).
  2. Continuity and disaster recovery plans must be tested on a periodic basis, or in response to major changes to the working environment, and revised as appropriate (§164.308(a)(7))(A).
  3. Establish procedures to ensure that ePHI can be accessed during an emergency (§164.312(a)(2)(ii))(R).

D. Electronic Mail

  1. Educate staff about the risks of email and about its appropriate use.
  2. All confidential email must be sent via secure channels.
  3. Alert patients to the risks of unsecured email.
  4. Consider alternative secure email or web messaging solutions for direct patient communication (§164.312(e)(1))(A).
  5. Whenever necessary and possible, encrypt transmissions containing ePHI (§164.312(e)(1))(A).

E. Data Centers

  1. Data centers that contain ePHI should be located in professionally managed secure locations that have provisions for prevention, detection, early warning of, and recovery from emergency conditions created by earthquake, fire, water leakage or flooding, power disruption, air conditioning failure, or other hazards (§164.310(a)(1))(A).
  2. These secure locations must have physical access controls, such as locks, electronic key readers, or other access control mechanisms (§164.310(a)(1))(A).
  3. Record any maintenance, repairs, and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks (§164.310(a)(1))(A).
  4. Record relocation of hardware and electronic media, and assign responsibility for maintaining records of hardware and software (§164.310(d)(1))(A).
  5. Limit access to secure locations to authorized users only, and maintain logs to track ingress to and egress from the location (§164.310(a)(1))(A).
  6. Ensure that data is backed up before equipment is relocated (§164.310(d)(1))(A).

F. Remote Access

  1. All remote access into UC networks must be by secure methods only, such as authorized VPNs (§164.312(e)(1))(A).
  2. Storage of ePHI on any non-University equipment is forbidden unless a formal exemption is granted following an assessment of the risks.
  3. Since laptops can never be adequately secured physically, the best protection is encryption, which renders the laptop's contents undecipherable to unauthorized users (§164.312(a)(2)(iv))(A).

G. Information for Users

  1. All members of the UC workforce who are involved in the creation, transmission, and storage of ePHI must receive training about the HIPAA Security Rule.
  2. Access to ePHI is limited to those individuals for whom it is an authorized, work-related requirement.
  3. Workforce members who fail to comply with departmental security policy and procedures are subject to disciplinary action in accordance with University personnel policies and guidelines. In other words, misuse of or unauthorized access to ePHI may result in sanctions and disciplinary action.
  4. You must use a sufficiently complex password to access systems containing ePHI. This password must never be shared. Passwords should be chosen in accordance with the policies set forth by your campus information technology (IT) services.
  5. You must run versions of operating system(s) and application software for which security patches are still made available, and install those patches in a timely manner.
  6. All devices must be protected against malicious software, such as computer viruses, Trojan horses, spyware, etc. This includes servers and workstations. Where appropriate, install firewalls and intrusion detection software to reduce the threat of unauthorized remote access. Laptops, tablets, PDAs, smart phones, etc. must be backed up to secure servers if they contain ePHI.
  7. Portable devices such as laptops, if they contain ePHI, should be password protected or encrypted, with other logical controls installed, since they cannot be physically secured.
  8. All devices that contain ePHI must be backed up on an established schedule.
  9. You must secure, maintain, and when necessary dispose of all removable electronic media that may contain ePHI according to established procedures. This includes tape drives, tapes, portable hard drives, CD-ROMs, DVDs, floppy disks, USB drives, and flash memory cards.
  10. Whenever possible, encrypt electronic transmissions containing ePHI (such as email containing ePHI). If encryption is not available, treat email as a public document.

5. CONSIDERATIONS FOR TECHNICAL SOLUTIONS

These recommendations are meant to address individual HIPAA standards in which technical solutions are indicated. They are not considered comprehensive responses to the rule and in fact given the very wide range of activities included in the University's covered entity it is not prudent for this group to issue any mandates. Individual units will conduct their own risk assessments and determine mitigations that are commensurate with the assessed risks.

Audit Retention (§164.312(b))

The rule requires that records be maintained of "activity in information systems that contain or use ePHI". This functionality is included in most modern software, in particular the complex database systems used in hospitals. Not every UC work environment uses such systems, and in those instances maintaining an audit log may not be possible. Where ePHI is held in systems that lack audit controls, other measures, such as access controls and confidentiality agreements, will be necessary.

For systems that do maintain this information, the question is the appropriate period of retention. The administrative simplification provisions (§164.316(b)(2)(i), Policies, Procedures and Documentation Requirements: Time Limit) set a retention requirement of six years. It would be prohibitively expensive, and probably inefficient, to store massive amounts of audit data for years.

For this reason, only logs relevant to security incidents should be retained for six years; the remainder should be retained for up to 90 days, in accordance with usual and customary practice. Periodic audits of the information systems, whether for cause or not, should be conducted so that relevant audit logs can be identified and preserved for future review even if no incident has come to light. Whatever periods are chosen, the retention decision and the procedure for selecting which logs are held longer must themselves be documented.
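
An added example, not UC code, of the two-tier retention decision just described: a log segment is held for six years if it overlaps a recorded security incident or audit finding on the same system, and is otherwise eligible for deletion 90 days after the day it covers. The incident records, the segment paths, the review date and the one-segment-per-system-per-day layout are assumptions constructed for the example.

```python
"""Added example: selecting audit-log segments for six-year vs 90-day retention.

Not UC code.  Assumes one log segment per system per day; the incident records,
paths and review date below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

ROUTINE_RETENTION = timedelta(days=90)   # usual and customary practice
INCIDENT_RETENTION_YEARS = 6             # §164.316(b)(2)(i) time limit


@dataclass(frozen=True)
class LogSegment:
    system: str
    day: date      # the calendar day the segment covers
    path: str


@dataclass(frozen=True)
class Incident:
    case_id: str
    systems: frozenset   # systems the incident (or audit finding) touched
    start: date
    end: date


def add_years(day, years):
    """Move a date forward by whole years; Feb 29 clamps to Feb 28."""
    try:
        return day.replace(year=day.year + years)
    except ValueError:
        return day.replace(year=day.year + years, day=28)


def classify(segment, incidents):
    """Return (tier, hold_until, related_case_ids) for one segment."""
    related = sorted(i.case_id for i in incidents
                     if segment.system in i.systems and i.start <= segment.day <= i.end)
    if related:
        return "incident", add_years(segment.day, INCIDENT_RETENTION_YEARS), related
    return "routine", segment.day + ROUTINE_RETENTION, []


def retention_actions(segments, incidents, today):
    """For each segment decide 'hold' or 'delete' as of `today`.

    Returns (path, tier, hold_until, action, related_case_ids) tuples.
    """
    actions = []
    for seg in segments:
        tier, until, cases = classify(seg, incidents)
        action = "delete" if today > until else "hold"
        actions.append((seg.path, tier, until, action, cases))
    return actions


# Constructed sample data (not real incidents, systems or paths).
SAMPLE_INCIDENTS = [
    Incident("INC-0001", frozenset({"ehr-db01"}), date(2005, 3, 10), date(2005, 3, 15)),
]
SAMPLE_SEGMENTS = [
    LogSegment("ehr-db01", date(2005, 3, 12), "/var/log/ehr-db01/2005-03-12.log"),
    LogSegment("ehr-db01", date(2005, 1, 5), "/var/log/ehr-db01/2005-01-05.log"),
    LogSegment("lab-app02", date(2005, 3, 12), "/var/log/lab-app02/2005-03-12.log"),
]
REVIEW_DATE = date(2005, 6, 1)   # the day the retention job is assumed to run

if __name__ == "__main__":
    for path, tier, until, action, cases in retention_actions(
            SAMPLE_SEGMENTS, SAMPLE_INCIDENTS, REVIEW_DATE):
        print(f"{action:6} {tier:8} until {until} {path} {cases}")
```

On the sample data the segment from the incident window is held until 2011, the January segment on the same system has passed its 90 days and is eligible for deletion, and the unrelated March segment on the other system is still inside its 90 days. The returned case identifiers are what an operator would record as the reason for the extended hold.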

Email Encryption (§164.312(e)(1))

Electronic mail is fundamentally insecure. Email in transit may be viewed by others, since it may pass through several mail servers and network devices en route to its final destination, and it may not reach the intended recipient at all. The chance that any one message is intercepted is small given the volume of email traffic, but it cannot be controlled by the sender, so emails containing ePHI must be treated as requiring a higher level of security. The following recommendations are offered to address these concerns:

  1. Educate staff and patients about the limitations of email. Any solution will depend on changing staff behavior and attitudes toward the use of email.
  2. Obtain consent from patients for the use of email, outlining the risks of the medium.
  3. Employ an integrated messaging solution such as that marketed by RelayHealth. This system is in use at UCDMC and UCIMC for secure doctor-patient communication.
  4. Implement an email encryption product such as Tumbleweed, Zixmail, or others, and train staff to use it appropriately.

Patch Management (§164.308(a)(5))

Protection from security breaches depends in large part on computing system maintenance. Software vendors regularly provide updates or patches to correct defects, including security vulnerabilities, in their products. Ensuring that all available and relevant patches are installed is an ongoing and complicated activity, and keeping anti-virus and anti-spyware programs current is a continuous challenge. In most network environments the managers can verify that computers on the network are running the correct versions and have the required patches installed. Computers that are not always on the network, such as laptops and PDAs, will require more active surveillance and maintenance by the individual users. For an example of a managed approach, see UCOP, Managed Desktop Initiative.

Physical Security (§164.310(a)(1))

Data must be available when needed, and its integrity must be maintained. Access to systems containing ePHI must be controlled as carefully as possible. In addition to malicious software there are significant physical risks to these assets. In particular, computers that are housed in leased property, or in areas accessed by contract cleaning and maintenance services, need to be carefully secured. Record any maintenance, repairs, and modifications to physical components of the facility related to security, such as hardware, walls, doors, drop ceilings, and locks. Limit access to secure locations to authorized users only, and maintain logs to track ingress to and egress from the location.

Servers containing ePHI should be housed in professionally managed secure locations that have provisions for prevention, detection, early warning of, and recovery from emergency conditions created by earthquake, fire, water leakage or flooding, power disruption, air conditioning failure, or other hazards. Secure locations must have physical access controls, such as locks, electronic key readers, or other access control mechanisms. Physical security is very often difficult to maintain in unsupervised open areas. Desktops and laptops are by definition not housed in secure areas, so ePHI should not be stored on desktops or laptops if a network server is available. Wireless networks pose an additional physical risk: access points can be compromised, and radio signals are by definition not confined by walls. Wireless traffic carrying ePHI must be encrypted and access to the network authenticated, and access points must be physically secured; hiding a network name is not a substitute for encryption, since the signal can still be received, and the name recovered, by anyone in range.

Backing Up/Contingency Plans (§164.308(a)(7))

Any equipment containing ePHI should be regularly backed up to preserve the availability and integrity of the data. Contingency plans for a disaster should take into account the need to restore data in a rational order. Adequate contingency planning is based on the criticality of the data, how frequently it is accessed, and how quickly it is needed. Paper fallback procedures should be devised where appropriate. The availability of equipment onto which lost data can be restored must also be assessed. Back-up strategies should take into account not only disaster recovery needs but also routine departmental workstation or system back-up needs. Damage to systems can be widespread, so machines and data held for recovery purposes must be in physically separate locations; if this is not possible, equipment such as fireproof safes is recommended. Replacement equipment can be drop-shipped on a pre-arranged basis. Data stored on mobile devices should be considered so vulnerable that the essential contingency plan for such data is the presumption that it will be lost at some point.

Remote Access

Use of portable devices and home computers to access ePHI remotely is inherently problematic and requires creative solutions within a framework of strict access controls. Storage of ePHI on any home computer is strongly discouraged. Since laptops can never be adequately secured physically, the best protection is data encryption, which renders the laptop's contents undecipherable to unauthorized users. PDAs should be set up to require a login that cannot be disabled by the user (enforced at the server level). All data on PDAs should be regularly synchronized with servers, so that if a login-protected PDA is lost, or its password is forgotten, the device can be wiped or written off without loss of the data. Some devices, such as the BlackBerry, can be set to permit only 10 login attempts before erasing all data. Publicly accessible computers, open wireless networks, and third-party web mail services (Yahoo!, Hotmail, etc.) are all very vulnerable to penetration by malicious software and hackers, and access to ePHI via such systems should be strongly discouraged. Virtual Private Networks (VPNs) should be required. Along with this requirement comes the obligation to maintain security patches at remote locations.

Password Management

Passwords are one of the most universal and widely distributed forms of computer security; without individual and sufficiently complex passwords, systems containing ePHI cannot be secured. While some legacy systems may not support strong passwords, most modern systems can. Strong passwords include numbers, symbols, and letters of different cases. Since passwords of this type can be difficult to recall, the use of a passphrase acronym (the initial letters of a memorable sentence, with substitutions) is advisable. Biometric identification devices and token-based systems should be seriously considered as they become available, viable, and cost effective.

Access Control

Access to ePHI is considered from many perspectives in the Security Rule. From the technical perspective one prominent issue is emergency access to systems during disasters or other problems that require temporary access by managers who need to override normal privileges (§164.312(a)(2)(ii))(R). This is referred to as a "fire ID". Systems should be designed to provide single-use passwords that are replaced daily, and every use must be tracked closely. There will certainly need to be exceptions for access to ePHI to provide patient care in disasters that outstrip the ability to issue temporary passwords, and measures should be in place to ensure that once the need has passed the expanded access that was granted is rescinded.
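
An added example, not UC code and not any vendor's emergency-access feature, of the fire ID mechanism described above: each emergency credential is issued to a named requester with an approver and reason, is valid only until the end of the day it was issued, is consumed on first use, can be rescinded once the need has passed, and every issue, use, denial and rescission is written to an append-only audit trail. The identifier format, the end-of-day expiry rule and the injectable clock are assumptions made for the example.

```python
"""Added example: single-use, daily-expiring emergency access ("fire ID") credentials.

Not UC code.  The record layout, expiry rule and identifier format are assumptions.
"""
import hashlib
import hmac
import secrets
from datetime import datetime


class FixedClock:
    """A clock frozen at an ISO timestamp; advance_to() moves it (demo and tests)."""

    def __init__(self, iso):
        self.now = datetime.fromisoformat(iso)

    def __call__(self):
        return self.now

    def advance_to(self, iso):
        self.now = datetime.fromisoformat(iso)


class FireIdService:
    """Issues and verifies break-glass credentials and keeps an audit trail."""

    def __init__(self, clock=datetime.now):
        self._clock = clock        # injectable so expiry can be exercised deterministically
        self._issued = {}          # fire_id -> credential record
        self.audit = []            # append-only list of audit events

    def _log(self, event, fire_id, **details):
        self.audit.append({"time": self._clock().isoformat(), "event": event,
                           "fire_id": fire_id, **details})

    @staticmethod
    def _digest(password):
        # The secret is 128 random bits, so a plain SHA-256 is adequate; a slow
        # KDF matters only when the secret is human-chosen and guessable.
        return hashlib.sha256(password.encode()).hexdigest()

    def issue(self, requester, approver, reason, grants):
        """Create a credential for `requester`; returns (fire_id, one-time password)."""
        now = self._clock()
        expires = now.replace(hour=23, minute=59, second=59, microsecond=0)  # replaced daily
        password = secrets.token_urlsafe(16)
        fire_id = "FIRE-" + secrets.token_hex(4).upper()
        self._issued[fire_id] = {"digest": self._digest(password), "expires": expires,
                                 "used": False, "revoked": False,
                                 "requester": requester, "grants": frozenset(grants)}
        self._log("issue", fire_id, requester=requester, approver=approver,
                  reason=reason, grants=sorted(grants), expires=expires.isoformat())
        return fire_id, password

    def use(self, fire_id, password):
        """Redeem a credential once; returns the granted privileges or None."""
        rec = self._issued.get(fire_id)
        if rec is None:
            self._log("use-denied", fire_id, why="unknown")
            return None
        for blocked, why in ((rec["revoked"], "rescinded"), (rec["used"], "already-used"),
                             (self._clock() > rec["expires"], "expired")):
            if blocked:
                self._log("use-denied", fire_id, why=why)
                return None
        if not hmac.compare_digest(rec["digest"], self._digest(password)):
            self._log("use-denied", fire_id, why="bad-password")
            return None
        rec["used"] = True
        self._log("use", fire_id, requester=rec["requester"], grants=sorted(rec["grants"]))
        return set(rec["grants"])

    def rescind(self, fire_id, by):
        """Withdraw a credential once the emergency has passed."""
        rec = self._issued.get(fire_id)
        if rec is None:
            return False
        rec["revoked"] = True
        self._log("rescind", fire_id, by=by)
        return True

    def outstanding(self):
        """Credentials still redeemable now: the list to review at end of day."""
        now = self._clock()
        return sorted(fid for fid, r in self._issued.items()
                      if not (r["used"] or r["revoked"] or now > r["expires"]))


if __name__ == "__main__":
    svc = FireIdService(clock=FixedClock("2005-04-20T14:00:00"))
    fid, pw = svc.issue("dr.lee", "cio", "EHR outage, ward 3", ["ehr:read", "ehr:write"])
    print(fid, svc.use(fid, pw), svc.use(fid, pw))   # second use is denied
    for event in svc.audit:
        print(event)
```

The service stores only a digest of the one-time password, compares it in constant time, and records why each denied attempt was refused, so the audit trail can be reviewed alongside the system logs the Audit Retention section discusses. The outstanding() list is the end-of-day check that nothing issued during the emergency is still redeemable.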

Automatic Logoff

Many pieces of equipment and some software programs are designed to log users off after a pre-determined period of inactivity. Either hardware or software logoff systems are adequate. Proximity based logoff systems may become available and cost effective in the future. Such systems would use a proximity card reader to determine whether the user is physically adjacent and thereby active.

Termination Procedures

Employee termination often leaves access to ePHI in place. This is no longer acceptable, even for a brief period, under the HIPAA Security Rule (§164.308(a)(3)(ii)(C))(A). Payroll or human resources systems that automatically prompt IT services to terminate access are ideal; where that is not available, a regular reconciliation of active accounts against the HR roster is the minimum.
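
An added example, not UC code and not the export format of any UC payroll or HR system, of the reconciliation this section and section A (account termination, and rotation of shared administrator credentials) call for: an HR roster export is compared with the accounts on one ePHI system and the resulting account actions are listed for IT services. The field names, the sample roster, the sample accounts, the shared-credential holder list and the review date are assumptions constructed for the example.

```python
"""Added example: reconciling ePHI system accounts against the HR roster.

Not UC code.  Roster and account field names are assumptions; all sample data
below is constructed.
"""
from datetime import date

# Constructed HR export: username -> (employment status, separation date or None)
HR_ROSTER = {
    "jsmith":  ("active", None),
    "rlee":    ("terminated", date(2005, 4, 15)),   # already gone
    "mchen":   ("terminated", date(2005, 5, 2)),    # leaving next month
    "dbowner": ("active", None),
}

# Constructed account list for one ePHI system.  type: user | admin | service
ACCOUNTS = [
    {"name": "jsmith",     "type": "user",    "owner": "jsmith",  "enabled": True},
    {"name": "rlee",       "type": "user",    "owner": "rlee",    "enabled": True},
    {"name": "rlee-adm",   "type": "admin",   "owner": "rlee",    "enabled": True},
    {"name": "mchen",      "type": "user",    "owner": "mchen",   "enabled": True},
    {"name": "tkim",       "type": "user",    "owner": "tkim",    "enabled": True},   # no HR record
    {"name": "svc-backup", "type": "service", "owner": "rlee",    "enabled": True},   # owned by a leaver
]

# Shared administrator credentials and the people who currently know them (section A, item 7).
SHARED_ADMIN_CREDENTIALS = {"sa-ehr": {"dbowner", "rlee"}}

REVIEW_DATE = date(2005, 4, 20)   # the day the reconciliation is assumed to run


def reconcile(roster, accounts, shared_credentials, today):
    """Return (action, account, reason) tuples for IT services to carry out."""
    separated = {u for u, (status, sep) in roster.items()
                 if status == "terminated" and sep is not None and sep <= today}
    leaving = {u: sep for u, (status, sep) in roster.items()
               if status == "terminated" and sep is not None and sep > today}
    actions = []
    for acct in accounts:
        owner = acct["owner"]
        if acct["type"] == "service":
            # Service accounts stay, but must have a current, active owner.
            if roster.get(owner, ("missing", None))[0] != "active":
                actions.append(("reassign-owner", acct["name"],
                                f"owner {owner} is not an active employee"))
            continue
        if owner not in roster:
            actions.append(("disable-orphan", acct["name"], "no HR record for owner"))
        elif owner in separated and acct["enabled"]:
            actions.append(("disable", acct["name"], f"owner separated {roster[owner][1]}"))
        elif owner in leaving:
            actions.append(("schedule-disable", acct["name"],
                            f"owner separates {leaving[owner]}"))
    # A shared credential known to anyone who has left must be rotated.
    for cred, holders in shared_credentials.items():
        gone = sorted(holders & separated)
        if gone:
            actions.append(("rotate-credential", cred,
                            f"known to separated staff: {', '.join(gone)}"))
    return actions


if __name__ == "__main__":
    for action, account, reason in reconcile(HR_ROSTER, ACCOUNTS,
                                             SHARED_ADMIN_CREDENTIALS, REVIEW_DATE):
        print(f"{action:18} {account:12} {reason}")
```

On the sample data the run disables both accounts belonging to the employee who left on April 15, schedules the disable for the employee leaving in May, flags the account with no HR record and the service account whose owner has left, and calls for rotation of the shared administrator credential that the leaver knew. Run daily, this is the fallback for systems that cannot receive a termination event directly from payroll.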

 

 
 