HIPAA

The U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996 sets standards for electronic health care transactions and code sets, and for the privacy, security, integrity and availability of patient health data. The 2009 American Recovery and Reinvestment Act (ARRA) includes a section called the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act promotes the adoption of electronic health records (EHRs) to improve efficiency and lower healthcare costs. Because wider use of EHRs increases privacy and security risks, the HITECH Act introduced new security and privacy requirements and made business associates directly subject to HIPAA obligations.

Fines for non-compliance with HIPAA

The penalties for non-compliance with the HIPAA rules increased significantly with the introduction of the HITECH Act. An organization can now be fined up to $1,500,000 per calendar year for all violations of an identical provision.

HIPAA Active Directory auditing with our solutions

The following are our solutions for HIPAA Active Directory auditing; each product is listed with the requirements it covers.

JiJi AuditReporter
  • Audit (WHO/WHAT/WHEN/WHERE) the changes made by the workforce on systems such as Active Directory, Group Policy Objects, Exchange Server and file servers.
  • Audit security permission changes in Active Directory, Group Policy Objects, Exchange Server and file servers.
  • Track logon failures on workstations and servers.
  • Track access failures on file servers.
  • Track user access across all file servers.
  • Archive audit reports and restore the audit data whenever it is needed in the future.
JiJi Account Lockout Tool
  • Analyze the reason for an account lockout.
JiJi Active Directory Cleaner
  • Automate the user termination process.
  • Clean up inactive users and computers.
JiJi Password Expiration Notification
  • Track password and account expiration and send reminder emails.

The entries below list the HIPAA requirements stated in 45 CFR Part 164 and explain how our solutions address each requirement.

Each entry gives the rule (R = required implementation specification, A = addressable), its purpose, and our solution.
Rule: INFORMATION SYSTEM ACTIVITY REVIEW (R), 164.308(a)(1)(ii)(D): "Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."
Purpose: Determine whether any EPHI is used or disclosed in an inappropriate manner.
Solution: Using the generated audit log, track WHO/WHAT/WHEN/WHERE for changes to the following systems:
  • Active Directory
  • Group Policy Object
  • Exchange Server
  • File Server
Reports to track:
  • Logon and failed-logon activity on workstations and servers.
  • Access and access failures on file servers.
Rule: WORKFORCE CLEARANCE PROCEDURE (A), 164.308(a)(3)(ii)(B): "Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate."
Purpose: Create a process to verify that a workforce member's access is appropriate for his or her job role.
Solution: Schedule and generate reports on
  • Security permissions granted to users over Active Directory objects.
  • File permissions granted to users on files and folders.
Rule: TERMINATION PROCEDURES (A), 164.308(a)(3)(ii)(C): "Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) [the Workforce Clearance Procedure] of this section."
Purpose: Implement a termination procedure that removes previously granted access privileges on the various information systems.
Solution: Schedule audit reports on disabled and inactive user accounts. An automated workflow disables the user account in Active Directory, retains the disabled account for a specified number of days, and removes it after the retention period.
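The termination workflow described above, written out as an added PowerShell example with the RSAT ActiveDirectory module. This is illustrative code, not JiJi's product; the holding OU, the inactivity and retention thresholds, and the report file name are placeholders, and the script assumes rights to disable, move and delete user objects. It runs in -WhatIf mode unless -Commit is passed, so it can be rehearsed without changing anything.

```powershell
# Added example (not JiJi's code): inactive-account termination workflow.
# Assumes: RSAT ActiveDirectory module, rights to modify/delete users, and an existing
# holding OU for disabled accounts. OU, thresholds and report path are placeholders.
param(
    [int]$InactiveDays  = 90,
    [int]$RetentionDays = 30,
    [string]$DisabledOU = 'OU=Disabled Users,DC=example,DC=com',   # placeholder OU
    [switch]$Commit                                                # omit for a dry run
)
Import-Module ActiveDirectory
$wi = @{ WhatIf = (-not $Commit.IsPresent) }   # splatted onto every change: dry run by default

# Step 1: enabled users with no logon for $InactiveDays. Search-ADAccount uses
# lastLogonTimestamp, which replicates between DCs but is only refreshed about every
# 14 days, so the threshold is approximate. Accounts already parked in the OU are skipped.
$inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$DisabledOU" }

# Step 2: disable, record why in the description, strip group memberships (so access to
# EPHI shares ends now rather than at the next logon), then park the account in the OU.
$actions = @(foreach ($acct in $inactive) {
    $user = Get-ADUser -Identity $acct.DistinguishedName -Properties MemberOf, LastLogonDate
    $note = 'Disabled {0:s} by termination workflow; last logon {1}' -f (Get-Date), $user.LastLogonDate
    Disable-ADAccount -Identity $user @wi
    Set-ADUser -Identity $user -Description $note @wi
    foreach ($group in $user.MemberOf) {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false @wi
    }
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU @wi
    [pscustomobject]@{
        Action    = 'Disabled'
        Account   = $user.SamAccountName
        LastLogon = $user.LastLogonDate
        Groups    = ($user.MemberOf -join ';')   # kept in the report for later review
    }
})

# Step 3: delete accounts that have sat disabled in the holding OU past the retention period.
# whenChanged is reset by any write, so nothing else should modify accounts in this OU.
$cutoff  = (Get-Date).AddDays(-$RetentionDays)
$expired = Get-ADUser -SearchBase $DisabledOU -Filter { Enabled -eq $false } -Properties whenChanged, Description |
    Where-Object { $_.whenChanged -lt $cutoff }
$actions += @(foreach ($user in $expired) {
    Remove-ADUser -Identity $user -Confirm:$false @wi
    [pscustomobject]@{
        Action    = 'Removed'
        Account   = $user.SamAccountName
        LastLogon = $null
        Groups    = $user.Description   # carries the note written at disable time
    }
})

# Step 4: the CSV is the evidence an auditor will ask for; archive it with the audit reports.
$actions | Export-Csv -Path ('Termination-{0:yyyyMMdd}.csv' -f (Get-Date)) -NoTypeInformation
$actions | Format-Table -AutoSize
```

Run it once without -Commit and read the -WhatIf output and the CSV before scheduling it with -Commit; a wrongly scoped OU or threshold will otherwise disable live clinical accounts.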
Rule: ISOLATING HEALTH CARE CLEARINGHOUSE FUNCTIONS (R), 164.308(a)(4)(ii)(A): "If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization."
Purpose: If a health care clearinghouse is part of a larger organization, protect the EPHI that the clearinghouse processes from the rest of that organization.
Solution: Audit security settings to verify that no member of the larger organization other than clearinghouse staff has permissions on the clearinghouse's Active Directory objects and file servers.
Rule: ACCESS ESTABLISHMENT AND MODIFICATION (A), 164.308(a)(4)(ii)(C): "Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process."
Purpose: Implement and manage the creation and modification of access privileges to workstations, transactions, programs or processes, and have management confirm that access to EPHI remains valid.
Solution: Schedule an automated audit report on all access-privilege changes for workstations, programs or processes, and an automated security access report on the critical Active Directory and file server objects that hold EPHI.
Rule: LOG-IN MONITORING (A), 164.308(a)(5)(ii)(C): "Procedures for monitoring log-in attempts and reporting discrepancies."
Purpose: Make the IT administration team aware of inappropriate logon attempts.
Solution: Schedule an automated report on failed logon attempts on workstations and servers.
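A failed-logon report of the kind this rule calls for, as an added PowerShell example that is not JiJi's code. It pulls Security event 4625 from a list of servers for the last N hours, summarises failures per account with the source hosts, and archives the raw events. The server names and the review threshold are placeholders; it assumes WinRM/RPC reachability, Event Log Readers membership on each server, and a failure audit policy for logon events, without which 4625 is never written.

```powershell
# Added example (not JiJi's code): failed-logon (event ID 4625) report across servers.
# Assumes: Event Log Readers rights on each server, remote event log access, and
# "Audit Logon" failure auditing enabled. Server names and threshold are placeholders.
param(
    [string[]]$ComputerName = @('DC01', 'FS01'),  # placeholder server names
    [int]$Hours = 24,
    [int]$Threshold = 10                          # failures per account that warrant review
)

$since  = (Get-Date).AddHours(-$Hours)
$events = @(foreach ($computer in $ComputerName) {
    try {
        Get-WinEvent -ComputerName $computer -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = $since
        } | ForEach-Object {
            # Read EventData fields by name from the event XML rather than by position,
            # so the parsing does not break if the field order differs between OS versions.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.GetAttribute('Name')] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Server      = $computer
                Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType   = $data['LogonType']       # 2 interactive, 3 network, 10 RDP
                Workstation = $data['WorkstationName']
                SourceIP    = $data['IpAddress']
                SubStatus   = $data['SubStatus']       # 0xC000006A bad password, 0xC0000064 no such user, 0xC0000234 locked out
            }
        }
    } catch {
        # "No events were found" just means a quiet server; anything else deserves a warning
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning ('{0}: {1}' -f $computer, $_.Exception.Message)
        }
    }
})

# One line per account. Many failures against one account is a brute-force pattern;
# one source hitting many accounts a few times each is a password spray, which this
# per-account view hides, so the per-source view is printed as well.
$byAccount = $events | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account  = $_.Name
        Failures = $_.Count
        Sources  = ($_.Group.SourceIP | Sort-Object -Unique) -join ', '
        Servers  = ($_.Group.Server   | Sort-Object -Unique) -join ', '
        Flag     = if ($_.Count -ge $Threshold) { 'REVIEW' } else { '' }
    }
} | Sort-Object Failures -Descending

$bySource = $events | Group-Object SourceIP | ForEach-Object {
    [pscustomobject]@{
        SourceIP = $_.Name
        Failures = $_.Count
        Accounts = ($_.Group.Account | Sort-Object -Unique).Count
        Flag     = if (($_.Group.Account | Sort-Object -Unique).Count -ge $Threshold) { 'SPRAY?' } else { '' }
    }
} | Sort-Object Failures -Descending

$byAccount | Format-Table -AutoSize
$bySource  | Format-Table -AutoSize

# Keep the raw events so the report can be regenerated for a later review or investigation
$events | Export-Csv -Path ('FailedLogons-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date)) -NoTypeInformation
```

Schedule this from a machine that can reach every server's event log; if logs are forwarded to a collector, point -ComputerName at the collector and change the LogName to ForwardedEvents.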
Rule: PASSWORD MANAGEMENT (A), 164.308(a)(5)(ii)(D): "Procedures for creating, changing, and safeguarding passwords."
Purpose: Train workforce members to safeguard their passwords and change them periodically.
Solution: Send reminder emails to change passwords before they expire. A self-service portal lets users reset a forgotten password without involving the helpdesk, after verifying their identity with additional factors.
Rule: RESPONSE AND REPORTING (R), 164.308(a)(6)(ii): "Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes."
Purpose: Define a process for handling a security incident, including documenting the incident and its effects and preserving the evidence.
Solution: Generate audit reports that document all administrative and user activity.
Rule: DISASTER RECOVERY PLAN (R), 164.308(a)(7)(ii)(B): "Establish (and implement as needed) procedures to restore any loss of data."
Purpose: Implement a disaster recovery plan.
Solution: Restore deleted Active Directory objects, and restore Active Directory objects to their original state to undo unauthorized or accidental changes.
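Restoring a deleted Active Directory object with the built-in AD Recycle Bin, as an added PowerShell example (not JiJi's code). It checks that the Recycle Bin feature is enabled, locates the deleted object by sAMAccountName, restores the most recent deletion, and verifies the result. The account name is a placeholder, and the script assumes the RSAT ActiveDirectory module and rights to create objects in the target OU. Note that native AD keeps no history of attribute values, so rolling a modified (not deleted) object back to an earlier state, which the solution above also covers, needs a backup or a tool that snapshots objects; this example handles deletions only.

```powershell
# Added example (not JiJi's code): restore a deleted user from the AD Recycle Bin.
# Assumes: RSAT ActiveDirectory module, Recycle Bin feature enabled in the forest,
# rights to restore into the target OU. The account name is a placeholder.
param(
    [string]$SamAccountName = 'jdoe',   # placeholder: the deleted account to bring back
    [string]$TargetPath                 # optional OU to restore into if the original parent is gone
)
Import-Module ActiveDirectory

# Without the Recycle Bin a deleted object becomes a tombstone with most attributes
# stripped, and Restore-ADObject cannot bring it back whole: stop early in that case.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    throw 'AD Recycle Bin is not enabled in this forest; restore from a backup instead.'
}

# Deleted objects are hidden unless -IncludeDeletedObjects is given. lastKnownParent
# records where the object lived and whenChanged is effectively the deletion time.
$filter  = 'isDeleted -eq $true -and samAccountName -eq "{0}"' -f $SamAccountName
$deleted = @(Get-ADObject -Filter $filter -IncludeDeletedObjects `
    -Properties samAccountName, lastKnownParent, whenChanged, objectClass)
if ($deleted.Count -eq 0) { throw "No deleted object with samAccountName '$SamAccountName'" }

# The same name can have been deleted more than once; show all of them and pick the latest.
$deleted | Sort-Object whenChanged -Descending |
    Format-Table samAccountName, objectClass, whenChanged, lastKnownParent -AutoSize
$latest = $deleted | Sort-Object whenChanged -Descending | Select-Object -First 1

# Restore-ADObject fails if lastKnownParent no longer exists (the OU was deleted too):
# either restore the OU first or supply -TargetPath for a new location.
$params = @{ Identity = $latest.ObjectGUID }
if ($TargetPath) { $params['TargetPath'] = $TargetPath }
Restore-ADObject @params

# Verify: confirm the account is back, where it landed, and that group memberships
# (linked attributes, preserved by the Recycle Bin) came back with it.
$restored = Get-ADUser -Identity $latest.ObjectGUID -Properties MemberOf, Enabled, whenChanged
$restored | Select-Object SamAccountName, Enabled, DistinguishedName, @{
    Name = 'Groups'; Expression = { ($_.MemberOf -join ';') }
} | Format-List
```

Check the Enabled flag and group list in the verification output before telling the user the account is back; if the account was disabled before deletion it returns disabled, which may be exactly what the termination procedure intended.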
Rule: AUDIT CONTROLS (R), 164.312(b): "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."
Purpose: Implement proper auditing of EPHI access and of workforce security settings.
Solution: Generate audit reports that document all administrative and user activity.
Rule: PERSON OR ENTITY AUTHENTICATION (R), 164.312(d): "Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed."
Purpose: Implement an authentication method that verifies users are who they claim to be.
Solution: Apart from Active Directory authentication, users who have forgotten their password or locked their account are verified through additional factors such as security questions, email verification and mobile verification before the reset or unlock is performed. Security questions are knowledge-based and the weakest of these, so they should be combined with email or mobile verification rather than used alone.
Rule: ACCOUNTING OF DISCLOSURES OF PROTECTED HEALTH INFORMATION, 164.528 (Privacy Rule): An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested.
Purpose: Past audit data must remain available for later verification.
Solution: All audit information can be archived and later restored to generate any required reports.