OCR Cybersecurity Newsletter Focuses on Controlling Access to ePHI

The Office of Civil Rights (OCR) of the U.S. Department of Health & Human Services recently issued its Summer 2021 Cybersecurity Newsletter, which focuses on controlling access to electronic personal health information (ePHI) and the HIPAA Security Rule standards. Citing a recent report of security incidents and data breaches in the health care sector, OCR noted that 61 percent of analyzed data breaches were perpetrated by external threat actors and 39 percent by insiders. Incidents include hackers infiltrating information systems, workforce members impermissibly accessing patient health information, and ePHI being left on unsecured servers.

The newsletter discusses two HIPAA Security Rule standards that govern access to ePHI: Information Access Management (administrative safeguards) and Access Control (technical safeguards). Each standard includes several implementation specifications for HIPAA-regulated entities that are either required (must be implemented) or addressable (must be assessed and implemented if it is a reasonable and appropriate safeguard in the entity’s environment). If a particular addressable specification is not reasonable and appropriate, entities must document why and implement equivalent alternative measures if feasible.

The Information Access Management standard has three implementation specifications, two with general applicability to covered entities and business associates (the other is specific to health care clearinghouses). The first, Access Authorization, concerns the implementation of policies and procedures governing how covered entities and business associates authorize or grant access to ePHI within their organization. These policies typically govern the parameters for which individuals in specific workforce roles may be granted access to particular systems, applications, and data. Those parameters should reflect what information access is necessary for a workforce member to do their job. The second, Access Establishment and Modification, describes how to establish, document, review, and modify a user’s access to workstations, transactions, programs, or processes. Among other things, such policies and procedures should ensure that each employee’s access to ePHI continues to be appropriate for their job.

Access Control is a technical safeguard requiring covered entities and business associates to implement controls for electronic information systems so that only those approved through the organization’s Information Access Management process have access to ePHI. The Access Control standard includes four implementation specifications for limiting access to only authorized users and software programs. The first, Unique User Identification, is a required implementation specification and is a key security requirement for any system, but particularly those containing ePHI. The second, Emergency Access Procedure, is also required and applies where normal procedures for obtaining ePHI may not be available or may be severely limited, such as during power failures or the loss of Internet connectivity. The third, Automatic Logoff, an addressable implementation specification, concerns mechanisms to automatically terminate an electronic session after a period of inactivity, thereby reducing the risk of unauthorized access. The last, Encryption and Decryption, also an addressable specification, concerns technical safeguards to reduce the risks and costs of unauthorized access to ePHI through secure encryption procedures.

Given that the health care industry continues to be an attractive target for hackers and has a large number of reportable data breach events, the OCR publication serves as a good reminder of the various cybersecurity procedures that health care entities must consider and implement.