HIPAA and HITECH Detailed Analysis

HIPAA is the Health Insurance Portability and Accountability Act. HITECH is the Health Information Technology for Economic and Clinical Health Act. Both are United States federal laws that require, among other things, the protection of individuals' health care information. Below is a detailed analysis of the laws and their implementing regulations as they relate to Oracle database auditing, and of how they translate into practical requirements.

The Workforce

§ 164.308 (a)(3)(i) Standard: Workforce security.
Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
(ii) Implementation specifications:
(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
(B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
(C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.
An "Addressable" implementation specification can be implemented differently depending on the environment, and an alternative implementation may be acceptable provided the justification is documented.
Specification (A) covers the authorization or supervision of the workforce. A likely implementation in the Oracle database would be:
  • Authorization – only employees who need access to PHI are granted such access. In most cases, only the application should access PHI.
  • Supervision – employees whose access cannot be restricted (e.g. DBAs) have their activities supervised. That means all activity of DBAs and other privileged users is recorded and reviewed by appropriate personnel.
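The two bullets above, expressed as Oracle Unified Auditing (12c and later) policies and a review query. This is an added example, not code from the article: the PHI_APP schema, the PATIENT table, the DBA_SMITH and DBA_JONES accounts and the policy names are assumptions for illustration, and on releases before 12c the equivalent is the traditional AUDIT statement rather than CREATE AUDIT POLICY.

```sql
-- Added example (not from the article). Schema, table, account and policy
-- names are assumptions; adjust to the environment.

-- Authorization: PHI lives in the PHI_APP schema and only the application
-- account is expected to touch it. Record every access by anyone else so a
-- direct read by a human account shows up in the review, while the
-- application's own high-volume traffic stays out of the trail.
CREATE AUDIT POLICY phi_data_access_pol
  ACTIONS SELECT ON phi_app.patient,
          INSERT ON phi_app.patient,
          UPDATE ON phi_app.patient,
          DELETE ON phi_app.patient;
AUDIT POLICY phi_data_access_pol EXCEPT phi_app;

-- Supervision: DBAs cannot be locked out of the data, so capture everything
-- the named privileged accounts do, not just their PHI access.
CREATE AUDIT POLICY dba_activity_pol
  ACTIONS ALL;
AUDIT POLICY dba_activity_pol BY dba_smith, dba_jones;

-- Review report: what the supervised accounts did in the last 24 hours.
-- RETURN_CODE <> 0 marks statements that failed (for example a denied
-- GRANT or a typo'd SELECT); those deserve a closer look, not less.
SELECT event_timestamp, dbusername, os_username, userhost, client_program_name,
       action_name, object_schema, object_name, return_code, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%DBA_ACTIVITY_POL%'
AND    event_timestamp >= SYSTIMESTAMP - INTERVAL '1' DAY
ORDER  BY event_timestamp;
```

The review query should be run by a separate account holding only the AUDIT_VIEWER role, not by the DBAs being reviewed; otherwise the "reviewed by appropriate personnel" half of the supervision requirement is not met, because the supervised users could read and, with AUDIT_ADMIN, purge their own trail.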

Access Management

§ 164.308 (a)(4)(i) Standard: Information access management.
Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
(ii) Implementation specifications:
(A) Isolating health care clearinghouse functions (Required).
If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
(B) Access authorization (Addressable).
Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
(C) Access establishment and modification (Addressable).
Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.
Paragraph (C) describes the way in which access is granted. The mechanism involves:
  • Establishment – the process for determining whether access should be granted, and the type of access needed.
  • Modification – the process that eventually grants the access.
  • Documentation – the method used to record the establishment and modification (e.g. a change control system).
  • Review – the method used to audit all of the above steps.
The last step requires a little more clarification. A possible implementation of the review process could be:
  • Audit – report on all Oracle database changes to users and privileges (authorization DDLs).
  • Reconcile – compare the audit reports to the change control system to ensure no other permissions were granted.
  • Approve – periodically re-approve all granted permissions to ensure that current job duties still require them.
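The three review steps as Oracle Unified Auditing plus two queries, added here as an example rather than taken from the article. The CHANGE_CONTROL_GRANTS table is an assumed export of the change control system (one row per approved ticket, with the account expected to run the change, a LIKE pattern for the approved statement and the window in which it was allowed), the PHI_APP schema is assumed to hold the PHI tables, and the policy name is made up.

```sql
-- Added example (not from the article). CHANGE_CONTROL_GRANTS, PHI_APP and
-- the policy name are assumptions.

-- Audit: capture every authorization DDL, whoever issues it. No BY clause,
-- so the policy applies to all users, SYS and DBAs included.
CREATE AUDIT POLICY authz_ddl_pol
  ACTIONS GRANT, REVOKE,
          CREATE USER, ALTER USER, DROP USER,
          CREATE ROLE, ALTER ROLE, DROP ROLE;
AUDIT POLICY authz_ddl_pol;

-- Reconcile: assumed shape of the change control export.
CREATE TABLE change_control_grants (
  ticket_id    VARCHAR2(20)   NOT NULL,
  db_user      VARCHAR2(128)  NOT NULL,  -- account approved to run the change
  sql_pattern  VARCHAR2(4000) NOT NULL,  -- e.g. 'GRANT SELECT ON PHI_APP.PATIENT TO RPT_USER%'
  valid_from   TIMESTAMP      NOT NULL,  -- approval window
  valid_until  TIMESTAMP      NOT NULL
);

-- Authorization DDLs from the last week with no matching approved ticket.
-- Every row returned was either unapproved or mis-recorded; both need
-- follow-up. Matching on user, statement text and time window means a
-- ticket cannot be reused to cover a later or broader grant.
SELECT a.event_timestamp, a.dbusername, a.os_username, a.userhost,
       a.action_name, a.return_code, a.sql_text
FROM   unified_audit_trail a
WHERE  a.unified_audit_policies LIKE '%AUTHZ_DDL_POL%'
AND    a.event_timestamp >= SYSTIMESTAMP - INTERVAL '7' DAY
AND    NOT EXISTS (
         SELECT 1
         FROM   change_control_grants c
         WHERE  c.db_user = a.dbusername
         AND    UPPER(a.sql_text) LIKE UPPER(c.sql_pattern)
         AND    a.event_timestamp BETWEEN c.valid_from AND c.valid_until)
ORDER  BY a.event_timestamp;

-- Approve: the periodic re-approval list. Direct object grants on the PHI
-- schema, plus membership of any role that itself holds such a grant, so
-- indirect access through roles is reviewed alongside direct access.
SELECT p.grantee, p.privilege, p.table_name, p.grantable AS with_grant
FROM   dba_tab_privs p
WHERE  p.owner = 'PHI_APP'
UNION ALL
SELECT r.grantee, 'ROLE ' || r.granted_role, NULL, r.admin_option
FROM   dba_role_privs r
WHERE  r.granted_role IN (SELECT grantee FROM dba_tab_privs WHERE owner = 'PHI_APP')
ORDER  BY 1, 2;
```

The reconciliation query only catches a grant that was audited, so the first check in the review is that AUTHZ_DDL_POL is still enabled (AUDIT_UNIFIED_ENABLED_POLICIES) and that the trail has not been purged for the period under review; a clean report against a disabled policy proves nothing.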