HIPAA & HITECH

Network Protection for HIPAA / HITECH Regulatory Compliance

 
If you create, transmit, receive, or store electronic Protected Health Information (ePHI), then you need to be HIPAA Compliant. New rules mandate audits for organizations that are subject to HIPAA.  The rules enable the Office of Civil Rights within the Department of Health and Human Services on the Federal level to monitor “corrective action plans” in order to enforce HIPAA.

Below are the specific mandates that covered entities and business associates must satisfy relating to network controls:

• 164.308(a)(4)(ii)(B) – Access Authorization
• Verifies policies and procedures are in place to authorize access to PHI

• 164.308(a)(5)(ii)(C) – Log-in Monitoring
• Verifies procedures and monitoring of log-in attempts host IDS

• 164.308(a)(5)(ii)(D) – Password Management
• Verifies there is strong password management

• 164.312(a)(2)(i) – Unique User Identification
• Verifies that a unique ID is assigned to support tracking

• 164.312(a)(2)(iii) – Automatic Logoff
• Verifies session termination mechanisms are in place

• 164.312(a)(2)(iv) – Encryption and Decryption
• Verifies there is a mechanism for encryption of stored PHI

• 164.312(b) – Audit Controls
• Verifies there are procedures and mechanisms for monitoring system activity

• 164.312(d) – Person or Entity Authentication
• Verifies there are procedures to verify identities

• 164.312(e)(1) – Transmission Security
• Verifies there are measures to guard against unauthorized access to transmitted PHI)

• 164.312(e)(2)(i) – Integrity Controls
• Verifies that there are measures to determine that integrity controls are configured for PHI on transmission

• 164.312(e)(2)(ii) – Encryption
• Verifies there are mechanism for encryption of transmitted PHI