Categories
HIPAA

How to Comply with HIPAA Password Requirements

HIPAA stands for Health Insurance Portability and Accountability Act. It was first enacted in the U.S. in 1996 with the purpose of protecting individuals' PHI (protected health information).

The law requires health care organizations, covered entities and business associates to keep patients' medical information safe, secure and confidential. In a digital world where information and data are stored online, HIPAA sets out guidelines for creating, changing and protecting passwords.

These regulations were set by HIPAA as part of the administrative safeguards of the HIPAA Security Rule. HIPAA password requirements are an important part of keeping sensitive health data safe and avoiding HIPAA fines.

HIPAA Password Requirements

The HIPAA Security Rule says that health care organizations, covered entities and business associates must use administrative, physical and technical measures to preserve the confidentiality, integrity and security of patients' data. HIPAA password requirements fall under the administrative requirements of the HIPAA Security Rule, which requires covered entities to keep PHI and electronic PHI (ePHI) secure.

How to Make Your Passwords HIPAA Compliant

HIPAA does not lay down specific guidelines or specifications that covered entities or business associates must follow to ensure passwords are safe and secure, but other federal regulatory entities do publish password guidance. NIST (National Institute of Standards and Technology) is one such federal entity; it sets security regulations on an ongoing basis that highlight business best practices for companies of all kinds. NIST also regularly issues new guidance on password creation, which serves to keep your information safe.

Below we have listed a few of the measures you can put in place to keep your passwords in line with NIST and HIPAA requirements.

  • Use a minimum of 8 characters: According to NIST, passwords can be up to 64 characters if the organization is protecting sensitive data.
  • Avoid using password hints: NIST suggests you should entirely avoid password hints because they can seriously compromise the integrity of your passwords.
  • Create memorable passwords: NIST no longer suggests the use of complicated passwords. It says passwords should be unique, but a memorable password is the more secure approach.
  • Vet passwords against a list of weak options: According to NIST, passwords should be vetted against a list of common passwords.
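The list above is easy to turn into an enrolment-time check. The following is an added example, not code from the original article: it applies the length bounds and the common-password vetting described above, skips composition rules in line with the "memorable over complicated" point, and goes slightly beyond the list by also rejecting repeated or sequential runs and context-specific words (user or service name), which NIST guidance covers as well. The blocklist is a small constructed stand-in for a real breached-password corpus.

```python
# Added example (not from the original article): vetting a candidate password
# against the NIST-style rules summarised above. COMMON_PASSWORDS is a
# constructed sample; a real deployment loads a large breached-password list.
from typing import Iterable, List

MIN_LENGTH = 8   # NIST minimum for user-chosen passwords
MAX_LENGTH = 64  # NIST says systems should accept at least 64 characters

COMMON_PASSWORDS = {
    "password", "password1", "password123", "123456", "12345678",
    "qwerty", "letmein", "welcome1", "iloveyou", "admin123",
}


def vet_password(candidate: str, blocklist=COMMON_PASSWORDS,
                 context_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons a password is rejected (empty list = accepted).

    Rules applied:
      * length between MIN_LENGTH and MAX_LENGTH inclusive;
      * not present in the common-password blocklist;
      * not a single repeated character or a straight sequential run;
      * does not contain context-specific words (user name, service name).
    No upper/lower/digit/symbol composition rules are enforced, in line with
    NIST's preference for length and memorability over complexity.
    """
    problems = []
    normalized = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    if normalized in blocklist:
        problems.append("appears in the common-password list")

    # "aaaaaaaa" or "abcdefgh" style passwords are trivially guessable.
    if len(set(normalized)) == 1:
        problems.append("single repeated character")
    elif len(normalized) > 1 and all(
            ord(b) - ord(a) == 1 for a, b in zip(normalized, normalized[1:])):
        problems.append("sequential characters")

    for word in context_words:
        if word and word.lower() in normalized:
            problems.append(f"contains context-specific word {word!r}")

    return problems


if __name__ == "__main__":
    # "clinic-portal" is a constructed service name used as a context word.
    for pw in ["Password123", "correct horse battery staple", "abcdefgh"]:
        verdict = vet_password(pw, context_words=["clinic-portal"])
        print(f"{pw!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Returning every failing reason rather than stopping at the first lets the enrolment form tell the user what to change; the blocklist lookup is case-insensitive so trivial capitalisation does not bypass it.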

Conclusion

With a few easy steps you can start to develop a HIPAA compliance program in your practice, all while addressing your HIPAA password requirements.


How long should I retain HIPAA audit logs?

HIPAA stands for Health Insurance Portability & Accountability Act. The law was introduced in 1996 and was signed by President Bill Clinton. The administrative rules of HIPAA require covered entities and other health care organizations to retain required documentation from the date of its creation or the date when it was last in effect.

HIPAA privacy regulations apply to electronically stored and transmitted data. HIPAA does not lay down any time period for the retention of medical records, but each state in the U.S. has its own medical record retention requirement in its laws. While the HIPAA Privacy Rule does not include medical record retention requirements, it does require health care organizations to protect the medical records and PHI of an individual.

HIPAA specifies no retention period for medical records, but there is a retention period requirement for other HIPAA-related documentation. 45 CFR §164.316(b)(2)(i) specifies that covered entities and business associates must retain the documents for at least 6 years from when the document was created or from when it was last in effect, whichever is later.

Why Is It So Important To Retain HIPAA Audit Logs?

Retaining HIPAA audit logs is important because they let an organization monitor activity on its computing network and keep records of events and user activity. Essentially, all system activity creates a priceless audit trail for organizations to use as a security tool. Retaining and appropriately maintaining these logs has become a significant measure in risk management, and it helps protect all information, particularly an individual's ePHI.

Audit logs also help in identifying fraud and theft, including physical theft.

General HIPAA Audit Log Requirements: What Is Included?

The HIPAA log requirement covers a combination of electronic and physical information. An organization must keep a record of the employees who have access to physical PHI and stored paper files.

Audit logs for your ePHI are more involved and should include the following information:

  • User access logins
  • Addition of new users to the system
  • New users’ level and areas of access
  • Files accessed by all users
  • All changes made to databases
  • Firewall logs
  • Operating system logs
  • Anti-malware logs

How Long Should HIPAA Audit Logs Be Kept?

45 CFR §164.316(b)(2)(i) specifies that covered entities and business associates must retain the documents for at least 6 years from when the document was created or from when it was last in effect, whichever is later.
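The event categories listed under "What Is Included?" and the 6-year retention rule above can both be made mechanical. The following is an added example, not code from the original article: it writes ePHI audit events in the listed categories as JSON lines, reports which required categories a log sample fails to cover (a quick self-check before an audit), and computes the disposal date from the later of the creation date and the last-in-effect date, as 45 CFR §164.316(b)(2)(i) requires. The category names, actors, paths and dates are constructed.

```python
# Added example (not from the original article): a minimal ePHI audit-log
# helper. Category names are this example's own choice, mirroring the
# article's list; sample actors, paths and dates are constructed.
import json
from datetime import date, datetime, timezone
from typing import Iterable, List, Optional

REQUIRED_CATEGORIES = {
    "user_login",        # user access logins
    "user_created",      # addition of new users to the system
    "access_granted",    # new users' level and areas of access
    "file_access",       # files accessed by users
    "database_change",   # changes made to databases
    "firewall",          # firewall logs
    "operating_system",  # operating system logs
    "anti_malware",      # anti-malware logs
}

RETENTION_YEARS = 6  # 45 CFR 164.316(b)(2)(i)


def audit_event(category: str, actor: str, target: str, outcome: str,
                when: Optional[datetime] = None, **details) -> str:
    """Serialise one audit record as a single JSON line.

    Unknown categories are rejected so a typo cannot silently create a log
    stream that nobody reviews.
    """
    if category not in REQUIRED_CATEGORIES:
        raise ValueError(f"unknown audit category {category!r}")
    when = when or datetime.now(timezone.utc)
    record = {
        "ts": when.isoformat(),
        "category": category,
        "actor": actor,      # user or system component performing the action
        "target": target,    # record, file, table or host acted on
        "outcome": outcome,  # e.g. "success" / "denied"
        **details,
    }
    return json.dumps(record, sort_keys=True)


def missing_categories(log_lines: Iterable[str]) -> List[str]:
    """Required categories that have no event in the supplied log sample."""
    seen = {json.loads(line)["category"] for line in log_lines if line.strip()}
    return sorted(REQUIRED_CATEGORIES - seen)


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def retention_end(created: date, last_in_effect: Optional[date] = None) -> date:
    """Earliest date on which the 6-year retention clock has run out.

    The clock starts at creation or at the date the document was last in
    effect, whichever is later.
    """
    start = max(created, last_in_effect) if last_in_effect else created
    return _add_years(start, RETENTION_YEARS)


def may_dispose(created: date, last_in_effect: Optional[date], today: date) -> bool:
    """True once the retention period has fully elapsed as of `today`."""
    return today >= retention_end(created, last_in_effect)


if __name__ == "__main__":
    # Constructed sample log with only two event categories present.
    sample = [
        audit_event("user_login", "jdoe", "ehr-portal", "success",
                    when=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)),
        audit_event("file_access", "jdoe", "/records/patient-0001.pdf", "success"),
    ]
    print("categories without coverage:", missing_categories(sample))
    print("policy created 2018-01-10, retired 2019-05-01, may dispose on 2025-05-01:",
          may_dispose(date(2018, 1, 10), date(2019, 5, 1), date(2025, 5, 1)))
```

Keying the retention clock on the later of the two dates matters for policies and procedures that stay in force long after they were written: a document created in 2018 but retired in 2019 must be kept until 2025, not 2024.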


HIPAA Email Rules

HIPAA stands for Health Insurance Portability and Accountability Act; it was introduced in 1996 by the U.S. Congress. The purpose of the act was to improve the efficiency of health care organizations and to protect individuals' data and PHI.

Soon after the act came into force, the Privacy Rule was introduced under it. The Privacy Rule regulates the use and disclosure of an individual's data, whether verbal, written, or electronic (including email and file transfer).

All covered entities and business associates have to follow this rule. The rule introduced later under HIPAA was the Security Rule, which defines the security standards for the management of PHI in electronic form (ePHI) by health care providers, health plans, and health care clearinghouses.

Neither the Privacy Rule nor the Security Rule under HIPAA prohibits the use of email for sending ePHI. The only thing that needs to be considered when sending PHI through email is the security and privacy of the individual's PHI.

HIPAA sets several rules for email, and these rules need to be followed to protect ePHI. They are set by the HIPAA Security Rule and were updated by the Omnibus Final Rule. An organization that fails to comply with the HIPAA email regulations while sending ePHI online faces heavy fines and penalties.

HIPAA email rules require health care organizations to safeguard, secure and keep ePHI confidential while transferring it online. Covered entities should fulfil the points below to safeguard ePHI transferred through email.

  • Restrict access to PHI
  • Monitor how PHI is communicated
  • Ensure the integrity of PHI at rest
  • Ensure 100% message accountability, and
  • Protect PHI from unauthorized access during transit

Below we mention two important rules that need to be followed when sending PHI through email:

  1. Encryption Requirements
  2. Secure Messaging Solutions

Encryption Requirements

If an email containing PHI is sent beyond the covered entity's firewall, it must be protected with encryption. Encryption protects only the message content in transit, not the subject line, so covered entities should never put the patient's name or other PHI in email subject lines, as that information could easily be viewed by unauthorized individuals.

Secure Messaging Solutions

HIPAA supports Bring Your Own Device (BYOD) policies. Health care workers can use their personal devices as part of their daily work, but they are required to use secure messaging solutions. With a secure messaging solution, all activity on the platform is recorded and an audit trail is maintained. All messages sent through a secure messaging solution are encrypted, and messages cannot be sent outside the organization's secure network.
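The two rules above (encrypt anything that leaves the covered entity's network, and keep PHI out of the subject line because transit encryption does not cover it) can be enforced as a pre-send gate in front of the mail relay or secure-messaging gateway. The following is an added example, not code from the original article or any particular product: it classifies recipients as internal or external by mail domain, flags PHI values that appear in the subject, and refuses unencrypted delivery to external addresses. The domain names, addresses and patient values are constructed; `transport_encrypted` is this example's own parameter describing whether the chosen route (S/MIME or an enforced-TLS secure-messaging gateway) encrypts the message.

```python
# Added example (not from the original article): a pre-send policy gate for
# outbound email carrying ePHI. Domains, addresses and PHI values below are
# constructed for illustration.
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Iterable, List

# Constructed: the mail domains inside the covered entity's own network.
INTERNAL_DOMAINS = {"clinic.example"}


def build_message(sender: str, to: str, subject: str, body: str) -> EmailMessage:
    """Assemble a simple text message; PHI belongs in the body, never the subject."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def external_recipients(msg: EmailMessage,
                        internal_domains=INTERNAL_DOMAINS) -> List[str]:
    """Recipients whose domain is not ours, i.e. mail that crosses the firewall."""
    outside = []
    for header in ("To", "Cc", "Bcc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr and addr.rsplit("@", 1)[-1].lower() not in internal_domains:
                outside.append(addr)
    return outside


def subject_leaks_phi(subject: str, phi_values: Iterable[str]) -> List[str]:
    """PHI values (patient name, MRN, ...) that appear in the subject line."""
    lowered = subject.lower()
    return [v for v in phi_values if v and v.lower() in lowered]


def check_outbound(msg: EmailMessage, phi_values: Iterable[str],
                   transport_encrypted: bool,
                   internal_domains=INTERNAL_DOMAINS) -> List[str]:
    """Return policy violations; an empty list means the message may be sent.

    transport_encrypted: whether the delivery route encrypts the message
    (S/MIME, or an enforced-TLS secure-messaging gateway). The subject-line
    check applies regardless, because encryption does not cover the subject.
    """
    problems = []
    leaked = subject_leaks_phi(msg["Subject"] or "", phi_values)
    if leaked:
        problems.append("PHI in subject line: " + ", ".join(leaked))
    outside = external_recipients(msg, internal_domains)
    if outside and not transport_encrypted:
        problems.append("unencrypted delivery to external recipients: "
                        + ", ".join(outside))
    return problems


if __name__ == "__main__":
    # Constructed patient identifiers for the message being checked.
    phi = ["Jane Doe", "MRN-0001"]
    msg = build_message("nurse@clinic.example",
                        "dr.smith@partner-hospital.example",
                        "Re: Jane Doe lab results",
                        "Results for MRN-0001 are attached.")
    for encrypted in (True, False):
        print(f"encrypted={encrypted}:",
              check_outbound(msg, phi, transport_encrypted=encrypted) or "OK")
```

In practice the PHI values would come from the record the sender is working on (the same source that fills the body), so the gate has a concrete list to match against rather than guessing at patterns.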

Conclusions

HIPAA does not prohibit the use of email for sending ePHI, but it requires covered entities to protect, secure and keep ePHI confidential while transferring it online.