A large part of my job requires me to dig into security standards to figure out how to build consulting services that help customers achieve compliance. One standard I had never looked into before is HIPAA (the Health Insurance Portability and Accountability Act of 1996). HIPAA is not a security standard per se, but rather a set of administrative rules established by the US Department of Health and Human Services to govern how health information is accurately and securely exchanged between medical institutions and other institutions that have a legal need to access patient medical data.
HIPAA is encoded in the US Code of Federal Regulations, Title 45, Parts 160, 162 and 164 (see here for the CFR). Part 164 is the most interesting part for a security professional, as it describes the security and privacy requirements that must be satisfied by organizations that must comply with HIPAA regulations (these organizations are called "covered entities"). Unfortunately, Part 164 is further divided into 31 subsections that define the actual security requirements. Rather than digging into each of these subsections, I'm going to focus on subsection 312 (§164.312), which defines the technical safeguards that must be implemented by covered entities. Subsection 312 specifies five standard safeguards: access control, audit controls, integrity, person or entity authentication, and transmission security. The regulation further specifies implementation specifications for each standard. The following mindmap graphically illustrates Subsection 312.
As regulatory text goes, the HIPAA Technical Safeguards are fairly well written: they strike a good balance between actionable requirements and room for interpretation, which keeps the standard independent of changes in technology (for example, the encryption safeguards do not name specific encryption algorithms that must be used). However, the Safeguards are too vague to use on their own. Therefore, NIST prepared a Special Publication, SP 800-66 Rev. 1 (found here), that helps interpret the safeguards by mapping them to specific controls described in NIST documentation. In a future post, I'll examine NIST SP 800-66 further and attempt to summarize some of the specific security controls that implement the HIPAA Technical Safeguards.
