HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law that requires hospitals, physicians, and managed care companies to adopt medical information security, privacy, and data standards. HIPAA requires organizations to “audit and monitor system and user activity across the entire network, identify and investigate security breaches and suspicious behavior, and maintain an audit trail of user and network activity.” The regulations also specify that companies should “retain and protect log data as evidence … up to 6 years.” Log-in monitoring and audit controls are mandated in sections such as 164.308(a)(5)(ii)(C) on Log-in Monitoring, 164.312(b) on Audit Controls, and 164.312(a)(2)(iii) on Automatic Logoff, as well as others.
The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthens HIPAA enforcement and introduces the first federally mandated data breach notification requirement. It also extends HIPAA data privacy and security requirements to "business associates" (health care providers, pharmacies, and the like). Under the HITECH Act, those companies are directly subject to HIPAA security and privacy requirements, as well as to the same civil and criminal penalties.
The benefits of LogLogic’s solutions for HIPAA:
- The LogLogic Open Log Management platform and the LogLogic Compliance Suite: HIPAA Edition add-on provide the foundation for log collection, archival and monitoring as required by HIPAA and HITECH.
- LogLogic Security Event Manager provides advanced monitoring and threat management.
- LogLogic Database Security Manager is tailor-made to protect critical patient and medical information in your databases and even to block security and privacy violations in real-time.
Requirements the HIPAA Edition of the LogLogic Compliance Suite can help you satisfy:
| Standards | Sections | Implementation Specification ((R) = Required, (A) = Addressable) |
|---|---|---|
| § 164.308 — Administrative Safeguards | | |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A); Termination Procedures (A) |
| Information Access Management | 164.308(a)(4) | Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A) |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders (A); Log-in Monitoring (A); Password Management (A) |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R) |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedures (A) |
| § 164.312 — Technical Safeguards | | |
| Access Control | 164.312(a)(1) | Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A) |
| Audit Controls | 164.312(b) | (R) |
| Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information (A) |
| Person or Entity Authentication | 164.312(d) | (R) |
While LogLogic can provide the tools that enable you to achieve compliance, LogLogic cannot determine whether you have met your compliance objectives. For any such determination, you are advised to consult a qualified advisor.