HIPAA Compliance: Access Management and Identity Assurance
The Health Insurance Portability and Accountability Act (HIPAA) was created to protect individuals’ sensitive medical information (in HIPAA terms, protected health information, or PHI; in electronic form, ePHI) and to streamline the healthcare administrative process. Making sure that only the users who need ePHI can reach it, and that everyone else is kept out, is therefore a key aspect of HIPAA compliance. In practice that means role-based access control backed by strong authentication (check out our HIPAA compliance checklist).
In healthcare organizations—and every other workplace, for that matter—different employees have different roles. Some users will need to access ePHI; others will not. Some may need to access only billing information; others will need to access full medical histories—forms, records, etc. HIPAA’s “minimum necessary” standard says each role should see only what its job requires, so the permission model has to be able to express those distinctions, not just “has an account” versus “does not.”
As an IT service provider, you may be unsure of how to assign users the right permissions and how to control user access without requiring users to add time-consuming security procedures and logins to their day.
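As an added illustration of how those per-role permissions over ePHI can be expressed and enforced, here is example code written for this post (not taken from any product or from the original article). The roles, permission names and users are hypothetical; the shape is what matters: deny by default, grant only what a role explicitly lists, and record every decision so the audit trail HIPAA expects exists.

```python
"""Role-based access to ePHI: deny by default, grant per role, audit every decision.

Added example for this post. Roles, permissions and users are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# A permission is a (resource, action) pair. Nothing outside this table is ever granted.
ROLE_PERMISSIONS = {
    "billing_clerk": {("billing", "read"), ("billing", "write")},
    "nurse": {("billing", "read"), ("medical_history", "read")},
    "physician": {("billing", "read"), ("medical_history", "read"),
                  ("medical_history", "write")},
    "sysadmin": set(),  # keeps the system running, never reads patient data
}


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AccessController:
    policy: dict = field(default_factory=lambda: ROLE_PERMISSIONS)
    audit: list = field(default_factory=list)  # an append-only store in a real system

    def check(self, user: User, resource: str, action: str) -> Decision:
        """Allow only if some role held by the user explicitly lists (resource, action)."""
        unknown = user.roles - set(self.policy)
        if unknown:
            decision = Decision(False, f"unassigned role(s): {sorted(unknown)}")
        elif any((resource, action) in self.policy[r] for r in user.roles):
            decision = Decision(True, "granted by role")
        else:
            decision = Decision(False, "no role grants this permission")
        # Audit controls: record who tried what, when, and the outcome, allowed or not.
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user.username,
            "resource": resource,
            "action": action,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision

    def denied_attempts(self, username: str) -> int:
        """Denied requests by one user; a cheap input for access-pattern review."""
        return sum(1 for e in self.audit if e["user"] == username and not e["allowed"])


if __name__ == "__main__":
    ac = AccessController()
    clerk = User("pat.clerk", frozenset({"billing_clerk"}))
    doc = User("dr.lee", frozenset({"physician"}))
    print(ac.check(clerk, "billing", "read"))          # allowed
    print(ac.check(clerk, "medical_history", "read"))  # denied: billing role only
    print(ac.check(doc, "medical_history", "write"))   # allowed
```

The point of the `sysadmin` entry is that an administrative role needs no ePHI permissions at all; the people who run the servers are not, by virtue of that job, entitled to read charts. Logging the denials as well as the grants is what lets you later spot a billing account probing medical records.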
What Does the Government Say?
The U.S. government (in OMB memorandum M-04-04 and the original NIST SP 800-63 guidance that implemented it) defined four levels of identity assurance for electronic transactions requiring authentication:
- Level 1: “Little or no confidence in the asserted identity”
- Level 2: “Some confidence in the asserted identity”
- Level 3: “High confidence in the asserted identity”
- Level 4: “Very high confidence in the asserted identity”
The lowest levels of identity assurance come from systems that use no form of identity proofing, or that rely on single-factor authentication (SFA)—systems that only require a user to enter a password or PIN. Higher levels require multi-factor authentication (MFA), in which users present two or more independent factors. Note that NIST’s current SP 800-63-3 replaced the single four-level scale with separate assurance levels for identity proofing (IAL), authentication (AAL) and federation (FAL); the idea that more and stronger factors buy higher assurance carries over unchanged. The classic factors are the first three below; location is a supplementary signal that some systems add:
- “Knowledge” factor: Password or PIN
- “Possession” factor: Something you have, like a one-time access code from a hardware token or generated by a secure mobile app
- “Inherence” factor: Something you are; authentication is provided through a biometric scan
- “Location” factor: Somewhere you are; being in a specified location (such as a police station) can go towards verifying your identity. On its own it is a contextual signal rather than a replacement for one of the three factors above, since network location is comparatively easy to spoof.
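The knowledge and possession factors above in working code, as an added example written for this post (not from any product and not from the original article): a password verified with PBKDF2, plus a time-based one-time code computed per RFC 6238, which is the algorithm behind most authenticator apps and many hardware tokens. The `Authenticator` class, its user and the password are hypothetical; the shared secret in the demo is the RFC 6238 test key so the codes can be checked against the RFC’s published vectors.

```python
"""Two-factor login: knowledge (password) + possession (RFC 6238 TOTP).

Added example for this post; the Authenticator class and its users are
hypothetical. The demo secret is the RFC 6238 test key, not a real credential.
"""
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 100_000  # kept modest for the demo; raise it in production
STEP_SECONDS = 30
WINDOW = 1  # accept one time step of clock skew on either side


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step), digits)


class Authenticator:
    def __init__(self):
        self._users = {}

    def register(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS),
            "secret": totp_secret,
            "last_counter": -1,  # highest TOTP counter already accepted for this user
        }

    def login(self, username: str, password: str, code: str, now: float) -> bool:
        """True only if the password and a fresh, not-yet-used TOTP code both verify."""
        rec = self._users.get(username)
        if rec is None:
            # Burn the same PBKDF2 cost so response time does not reveal valid usernames.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
            return False
        # Evaluate both factors unconditionally; short-circuiting on the password would
        # let an attacker learn from timing which factor failed.
        pw_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ITERATIONS),
            rec["pw_hash"],
        )
        supplied = code.strip().encode()
        counter = int(now // STEP_SECONDS)
        matched = None
        for c in range(counter - WINDOW, counter + WINDOW + 1):  # no early exit
            if hmac.compare_digest(hotp(rec["secret"], c).encode(), supplied):
                matched = c
        # A code whose counter was already accepted is a replay, even inside the window.
        code_ok = matched is not None and matched > rec["last_counter"]
        if pw_ok and code_ok:
            rec["last_counter"] = matched
            return True
        return False


if __name__ == "__main__":
    RFC_SECRET = b"12345678901234567890"  # RFC 6238 test key, constructed demo input
    auth = Authenticator()
    auth.register("dr_lee", "correct horse battery staple", RFC_SECRET)
    print(totp(RFC_SECRET, 59))  # 287082, the RFC vector truncated to 6 digits
    print(auth.login("dr_lee", "correct horse battery staple", "287082", now=59))  # True
    print(auth.login("dr_lee", "correct horse battery staple", "287082", now=59))  # False, replay
```

Two details are the ones that tend to go missing in home-grown implementations: the loop over the skew window never breaks early and uses constant-time comparison, so timing cannot reveal which counter matched; and `last_counter` rejects a code the server has already accepted, which closes the window in which a shoulder-surfed or phished code could be reused.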
It’s important to remember that HIPAA not only focuses on keeping sensitive data away from unauthorized users; the Security Rule requires covered entities to ensure the availability of ePHI as well as its confidentiality and integrity, so information must be easily accessible to the authorized users who need it.
IT service providers dealing with HIPAA-regulated organizations, then, must strike a delicate balance between security (user access controls, authentication techniques) and patient care (healthcare providers must be able to quickly access their patients’ information while on the job, without needing to log in repeatedly).
Single sign-on (SSO) paired with MFA is one of the most practical ways to meet both demands in healthcare. With SSO, users authenticate once, with MFA, to a central identity provider and can then reach every application they are entitled to from their secure SSO portal page; no additional logins are necessary. The caveat is that SSO concentrates trust in that one login, so the MFA requirement, session lifetime and idle timeout on the SSO session deserve the same scrutiny you would give a password policy, especially on shared workstations.
For applications that don’t support SSO, simulated sign-on (the password manager stores the application credentials and fills them in on the user’s behalf) can be automated to provide a seamless, SSO-like experience, still gated by the MFA login and covered by the auditing and password-rotation automation of the password management software. Keep in mind that this is credential vaulting rather than true federation: the application passwords still exist and must be generated, stored and rotated by the vault, and the application itself never learns that MFA took place.
By using these security options, organizations and service providers can demonstrate that they have put reasonable and appropriate safeguards in place to support patient care, control user access, and protect patients’ privacy.
The best thing about software that follows these password management best practices? It strikes the balance I was referring to: it keeps systems secure while keeping HIPAA compliance simple for end users.
Hopefully this post helped you to understand the aspects of HIPAA compliance related to access management and identity assurance.