Guidance for the Health Insurance Portability and Accountability Act (HIPAA)
NIST Special Publication 800-66 offers guidance for implementing the HIPAA Security Rule. HIPAA itself is broken into five Titles:
Title 1) Healthcare accessibility, portability and renewability
Title 2) Healthcare fraud and abuse prevention; medical liability reform; Administrative Simplification
Title 3) Tax-related healthcare provisions
Title 4) Group health plan requirements
Title 5) Revenue offsets
The focus of NIST SP 800-66 is the Security Rule, which sits under Title 2, Administrative Simplification. Administrative Simplification is broken into Electronic Data Interchange (transactions, code sets, identifiers), Privacy, and Security.
Security includes all efforts to protect the confidentiality, integrity and availability of electronic protected health information (EPHI). The Security Rule applies to covered entities: covered healthcare providers, health plans, healthcare clearinghouses, and Medicare prescription drug card sponsors. Since the 2013 Omnibus Rule, business associates that create, receive, maintain or transmit EPHI on behalf of a covered entity are also directly subject to it.
The Security Rule is organized into administrative, physical and technical safeguards, organizational requirements, and policy, procedure and documentation requirements. Each standard is met through implementation specifications designated either required or addressable. "Addressable" does not mean optional: the entity must implement the specification, implement an equivalent alternative, or document why it is not reasonable and appropriate in its environment.
Physical safeguards: all security controls needed to physically protect EPHI and the systems and facilities that house it. These controls reduce physical access to EPHI systems and their resources by isolating, limiting access to and locking the areas in which those resources are located, and they cover workstation use and security and the receipt, movement and disposal of devices and media.
Administrative safeguards: the administrative actions, policies and procedures that manage the selection, development, implementation and maintenance of security measures for systems containing EPHI, and that govern workforce conduct. This includes risk analysis and risk management, sanction policies, information system activity review, workforce training, contingency planning and periodic evaluation.
Technical safeguards: the technology, and the policies and procedures for its use, that protect EPHI and control access to it. The standards are access control, audit controls, integrity, person or entity authentication and transmission security; examples include access control lists, least functionality on ports, protocols and services, unique user identification, audit logging and encryption of EPHI in transit.
Organizational requirements: the contractual and plan-document requirements the organization must satisfy, chiefly business associate contracts (or other arrangements) that obligate the business associate to comply with the Security Rule, and the plan documents of group health plans. Applicable federal and state law and healthcare best practice inform how these are written.
Policy, procedure and documentation requirements: the physical, administrative and technical controls are captured in written policies and procedures to establish a baseline, provide consistency and act as a blueprint for future employees and managers. The documentation must be retained for six years from its creation or last effective date, made available to the workforce responsible for implementing it, and reviewed and updated as environmental or operational changes affect the security of EPHI.