OCR Issues Summer 2021 Cybersecurity Newsletter, Addressing the HIPAA Requirement to Control Access to PHI
This month, the Department of Health and Human Services, Office for Civil Rights (“OCR”), the agency tasked with enforcing the Health Insurance Portability and Accountability Act (“HIPAA”), issued its Summer 2021 Cybersecurity Newsletter. The newsletter, titled Controlling Access to ePHI: For Whose Eyes Only?, primarily addresses two HIPAA Security Rule standards, “Information Access Management” and “Access Control,” which serve to govern access to electronic protected health information (“PHI”).
The standards of the HIPAA Security Rule are segmented into two categories: the implementation specifications that are “required,” and those that are “addressable.” If an implementation specification is described as “required,” the specification must be implemented. In the interest of providing additional flexibility with respect to compliance, however, the HIPAA Security Rule deems certain implementation specifications to be “addressable.” An “addressable” specification must be implemented if it is reasonable and appropriate to do so. If a covered entity deems it unreasonable or inappropriate to implement the addressable specification, then the entity may implement alternative security measures that accomplish the same purpose or choose not to act on the addressable specification at all. Any decision not to implement an addressable specification must be documented, and the rationale for the entity’s decision must be set forth in that document.
The OCR newsletter discusses Information Access Management, a required standard that mandates that covered entities and business associates adopt policies and procedures for authorizing access to PHI. The standard has two implementation specifications: Access Authorization and Access Establishment and Modification. These implementation specifications address who is granted access to PHI in various information systems, and how such access is established, expanded, restricted or removed. For example, policies that may fall under the Information Access Management standard include: (i) procedures governing how new employees are granted access to workstations and information systems containing PHI; and (ii) procedures governing how such access is terminated upon the end of the employment relationship.
The newsletter also addresses the Access Control standard, which requires covered entities and business associates to implement or consider certain technical safeguards that limit access to PHI. For example, implementation specifications require the use of Unique User Identification for systems containing PHI. The Access Control standard also requires covered entities and business associates to adopt Emergency Access Procedures, which must address how PHI will be accessed in the event of an emergency, such as a power failure or natural disaster.
Additionally, the Access Control standard includes addressable specifications for encryption. Although encryption is not required, the OCR newsletter indicates that encryption “can reduce the risks and costs of unauthorized access to ePHI” and may “not only fulfill an organization’s encryption obligation under the Access Control standard, but also provides a means to leverage the Breach Notification Rule’s safe-harbor provision” in the event of a data breach or loss of a device containing PHI. Covered entities and their business associates should take note of OCR’s position encouraging encryption, as it is possible that the agency will take a similar approach when auditing entities for compliance with this specification.
According to OCR, the purpose of its cybersecurity newsletter series is “to help HIPAA covered entities and business associates remain in compliance with the HIPAA Security Rule by identifying emerging or prevalent issues, and highlighting best practices to safeguard PHI.” As such, the subject matter of the newsletter – controlling access to PHI – should be understood to reflect an area of interest and enforcement priority for OCR.
According to a study cited by OCR in the newsletter, 39% of data breaches in the healthcare sector occur as a result of insiders, whereas 61% were perpetrated by external threat actors. As such, covered entities and their business associates must take steps to secure their systems, adopt policies and procedures limiting access to PHI, and plan for a data breach, whether that be through the loss of a device by an employee or a loss of data due to a cyberattack executed by an external actor.
How Frier Levitt Can Help
Frier Levitt has extensive experience advising healthcare clients in developing compliant HIPAA policies and procedures. In addition to the development of compliant HIPAA manuals, Frier Levitt assists clients in a variety of privacy and security matters, including conducting risk assessments, assisting with breach reporting obligations, and advising on the compliance of various technology systems and data collection programs. Contact us today to evaluate your company’s HIPAA compliance and discuss your data privacy concerns.