HIPAA and HITECH Detailed Analysis

HIPAA is the Health Insurance Portability and Accountability Act. HITECH is the Health Information Technology for Economic and Clinical Health Act. These are Federal Laws in the United States that require, among other things, the protection of individuals' health care information. Below is a detailed analysis of the laws and the regulation in relation to Oracle database auditing, and of how this translates into practical requirements.

The Law

Title 42 of the United States Code is the Public Health and Welfare. Chapter 156 is Health Information Technology. Subchapter III is Privacy. Part A (§17931 – §17940) is Improved Privacy Provisions and Security Provisions.
§17931 (c) Annual guidance
...the Secretary of Health and Human Services shall... annually issue guidance on the most effective and appropriate technical safeguards for use in carrying out the sections referred to in subsection (a) and the security standards in subpart C of part 164 of title 45, Code of Federal Regulations...
§17940. Audits
The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subchapter and subparts C and E of part 164 of title 45, Code of Federal Regulations...
In other words, we need to look at the regulation to see how HIPAA and HITECH should be implemented.

The Regulation

Title 45 of the Code of Federal Regulations is the Public Welfare and Human Services. Part 164 deals with Security and Privacy.
The interesting subparts are:
  • Subpart C — Security Standards for the Protection of Electronic Protected Health Information
  • Subpart E — Privacy of Individually Identifiable Health Information
To help you understand how HIPAA relates to Oracle database auditing, we’ve included relevant portions of the regulations, with our interpretation of the requirements in practical technical terms.
A good place to start is by reading the beginning:
§ 164.306 Security standards: General rules
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
The “General Rules” are important as they explain the intention of the regulation. Don’t be dismayed by the generality of these paragraphs as HIPAA provides a lot more detail later on.

The Process

§ 164.308 (a)(1)(i) Standard: Security management process.
Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
This means that HIPAA follows the same basic principles as most compliance regulations:
  • Evaluate Risk
  • Implement Controls to reduce the risk
  • Audit activity on a regular basis
While the risks and controls tend to be similar in many environments, this article focuses on Oracle database auditing and, therefore, on the last point: auditing the activity [164.308 (a)(1)(ii)(D)].
Since the regulation was not written specifically for the Oracle database, it does not mention sessions or SQLs. It does however mention access reports which translate into two things in Oracle databases:
  • Sessions – Anyone accessing Oracle databases that contain PHI (Protected Health Information)
  • SQLs – Any SQL that is accessing Oracle tables that contain PHI (Protected Health Information)
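As an added example (not part of the original article), the two "access report" categories above expressed as Oracle unified audit policies (Oracle 12c and later), followed by the review query a regular information system activity review would run. The schema and table `hr.patient_records` and the policy names are assumed placeholders for your own PHI tables.

```sql
-- Sessions: record every logon and logoff to the database holding PHI.
-- (Unified auditing, Oracle 12c+; hr.patient_records is a placeholder.)
CREATE AUDIT POLICY phi_session_policy
  ACTIONS LOGON, LOGOFF;
AUDIT POLICY phi_session_policy;

-- SQLs: record each statement that reads or changes a PHI table.
-- Add one ON clause per table that contains PHI.
CREATE AUDIT POLICY phi_table_policy
  ACTIONS SELECT ON hr.patient_records,
          INSERT ON hr.patient_records,
          UPDATE ON hr.patient_records,
          DELETE ON hr.patient_records;
AUDIT POLICY phi_table_policy;

-- Regular review [164.308 (a)(1)(ii)(D)]: who accessed PHI in the last day,
-- from where, with which program, and which statement they ran.
SELECT event_timestamp,
       dbusername,
       os_username,
       userhost,
       client_program_name,
       action_name,
       object_schema,
       object_name,
       sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%PHI_%'
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY event_timestamp;
```

The review query runs against the audit trail itself, so the account used for the review needs only read access to UNIFIED_AUDIT_TRAIL (for example the AUDIT_VIEWER role), not to the PHI tables.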