Those familiar with data security best practices will have heard of the “principle of least privilege”, under which employees and other relevant stakeholders are granted only the access privileges they need to carry out their role. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has adopted a similar principle known as “The HIPAA Minimum Necessary Standard”, which is an integral part of The HIPAA Security Rule.
The HIPAA Minimum Necessary Standard stipulates that all HIPAA-covered entities and business associates must restrict access to, and disclosure of, all protected health information (PHI) to the minimum amount necessary. There are many occasions where a covered entity will disclose PHI to a business associate who is providing a service on their behalf. In this scenario, the covered entity is required to make “reasonable efforts” to ensure that the business associate only has access to the information they need to provide the service. For example, an assistant practitioner may not need access to their patient’s entire medical history, while a physician may not need access to their patient’s Social Security numbers. In either case, access to that information should be restricted. The term “reasonable efforts” is somewhat vague, but all this means is that the covered entity must provide a reasonable justification for sharing PHI.
When does the HIPAA Minimum Necessary Standard apply?
The HIPAA Minimum Necessary Standard applies to uses and disclosures of PHI permitted by The HIPAA Privacy Rule. However, there are certain circumstances where it does not apply, such as when a healthcare provider requests PHI for the purpose of providing treatment to a patient, or when a patient requests access to their own medical records. In some cases, access to PHI is requested by Government agencies. In this scenario, The HIPAA Minimum Necessary Standard is not relevant as the covered entity will have a legal obligation to grant access to the PHI.
How to comply with the HIPAA Minimum Necessary Standard
The methods used to comply with The HIPAA Minimum Necessary Standard are much the same as with any other data security strategy. You would typically start off by establishing a set of policies and procedures that determine how sensitive data should be used and disclosed. You would then carry out some basic housekeeping, which involves classifying data and removing any data that is no longer relevant. The next step would be to assign the appropriate access controls in accordance with the “least privilege” methodology. Both the access controls and the protected information need to be regularly monitored to ensure that you know exactly who has access to what data, and when. Below is a more detailed explanation of these steps.
Policies and Procedures
You must establish policies that document how access to PHI is granted and the schema used to classify the data. All relevant employees must be trained to ensure that they understand the policies and procedures, and have the relevant technical knowledge to abide by them. The covered entity must ensure that the policies are enforced and that all employees are aware of the consequences of failing to adhere to them.
PHI Discovery & Classification
It would be practically impossible to enforce the HIPAA Minimum Necessary Standard if you don’t know exactly what PHI you have, and where it is located. There are data classification tools that will automatically scan your repositories for ePHI – based on predefined rules and templates.
A data classification tool will help you identify patient names, Social Security numbers, biometric information, medical record numbers, and so on. Most data discovery solutions support popular file types, such as .doc, .xls, .ppt, .csv, .zip, and many more. Some of the more sophisticated solutions can also find PHI embedded in images. Once ePHI has been identified, the solution will classify the data according to your chosen schema.
A data classification solution can either be run periodically across your full dataset or at the point of creation/modification. Of course, not all medical information is stored electronically. You must also locate all physical documents containing PHI, and classify them manually. Following the process of data classification, it’s always a good idea to remove any data that is ROT (Redundant, Obsolete or Trivial), although be sure to keep a backup of this data in case you accidentally remove something you later need.
The Principle of Least Privilege (PoLP)
As mentioned at the beginning of this article, PoLP is where users are granted the least privileges they need to adequately perform their duties. The main purpose of PoLP is to minimize the damage that could be caused if a privileged account was compromised by a malicious actor.
Discovering and classifying your PHI will put you in a much better position to assign the appropriate access controls to your data.
While it is possible to assign access rights to each individual user, a better approach is to set up roles and assign access rights and users to these roles – a technique referred to as Role-Based Access Control (RBAC). For example, a Medical Records Administrator who is responsible for maintaining patient records, responding to queries, billing, and data entry, will likely need full access to a patient’s PHI, whereas a Medical Research Scientist may only require access to data relating to clinical outcomes. While there are potentially hundreds of roles that would need to be set up, RBAC is still typically easier to manage than other methods of access control.
Just-in-time (JIT) access
Of course, given the inflexible nature of PoLP, you will need to have protocols in place that determine how employees can request access to a given resource. The just-in-time (JIT) access methodology is where access is granted for a specific purpose, and for a specific length of time.
There isn’t a standard approach to implementing JIT access, so you will need to decide whether you want to do this manually – perhaps by creating a spreadsheet that keeps track of temporary access, or using an automated solution that will revoke access to a resource after a given time-frame.
A common approach is to create a dedicated user account on the fly that only has access to the requested resource, and then simply remove or disable it when it is no longer required. Most real-time auditing solutions can automatically detect and manage inactive user accounts, which provides a safety net in case you forget to remove the account when it is no longer relevant.
Monitoring Access to PHI
While setting up access controls to protect PHI from unauthorized use and disclosure is a great place to start, these controls (and the PHI itself) must be periodically reviewed and constantly monitored for suspicious activity.
You should adopt a security solution that will display a summary of all changes made to your ePHI via a centralized console. Some security solutions use machine learning techniques to learn typical patterns of behavior, against which new activity is tested in order to detect potentially anomalous events. The administrator will be alerted when events are detected that deviate from these patterns, enabling them to launch a prompt investigation into the incident.
Naturally, it can be difficult to determine who should have access to what data, and when. However, by monitoring the trends associated with certain roles, you can easily determine who typically has access to what data, and thus refine your access controls accordingly. If, for example, a certain group has access to billing information, but never actually accesses that information, this would be a clear sign that you should revoke that group’s access to billing information, and instead grant access when a request is made.
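As an added illustration (not Lepide’s code, nor any product’s), the following Python model ties together the three mechanisms described above: RBAC roles over PHI fields, time-boxed JIT grants that revoke themselves on expiry, and a review that lists role permissions nobody has exercised in a window, the “granted but never used” signal for tightening access. Role names, PHI field names and users are constructed samples.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample schema (hypothetical): role -> PHI fields the role may read.
ROLES = {
    "medical_records_admin": {"demographics", "history", "billing", "ssn"},
    "research_scientist": {"clinical_outcomes"},
    "assistant_practitioner": {"demographics", "vitals"},
}


@dataclass
class PhiAccessControl:
    user_roles: dict                                 # user -> role name (RBAC)
    jit_grants: dict = field(default_factory=dict)   # (user, field) -> expiry time
    audit: list = field(default_factory=list)        # rows of (time, user, field, via)

    def grant_jit(self, user, phi_field, now, minutes):
        """Time-boxed grant for one field only; it is revoked on the first check after expiry."""
        self.jit_grants[(user, phi_field)] = now + timedelta(minutes=minutes)

    def can_read(self, user, phi_field, now):
        """Decide a read request and log it; 'via' is 'role', 'jit' or None (denied)."""
        via = "role" if phi_field in ROLES.get(self.user_roles.get(user), set()) else None
        expiry = self.jit_grants.get((user, phi_field))
        if expiry is not None and now >= expiry:
            del self.jit_grants[(user, phi_field)]   # automatic revocation, no spreadsheet
        elif expiry is not None and via is None:
            via = "jit"
        self.audit.append((now, user, phi_field, via))
        return via is not None

    def unused_role_permissions(self, since):
        """Fields each role may read that no holder of the role read since `since`:
        candidates for revoking standing access and serving via JIT grants instead."""
        exercised = {(self.user_roles[u], f) for t, u, f, via in self.audit
                     if via == "role" and t >= since}
        return {role: sorted(f for f in fields if (role, f) not in exercised)
                for role, fields in ROLES.items()}


def demo():
    """Constructed walk-through: role access, a 30-minute JIT grant, expiry, and the review."""
    ac = PhiAccessControl({"alice": "medical_records_admin", "bob": "research_scientist"})
    t0 = datetime(2024, 1, 1, 9, 0)
    alice_billing = ac.can_read("alice", "billing", t0)                       # role allows
    bob_before = ac.can_read("bob", "billing", t0)                            # not in role
    ac.grant_jit("bob", "billing", t0, minutes=30)
    bob_during = ac.can_read("bob", "billing", t0 + timedelta(minutes=10))    # JIT grant
    bob_after = ac.can_read("bob", "billing", t0 + timedelta(minutes=30))     # expired
    return alice_billing, bob_before, bob_during, bob_after, \
        ("bob", "billing") in ac.jit_grants, ac.unused_role_permissions(since=t0)


if __name__ == "__main__":
    print(demo())
```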
If you’d like to see how the Lepide Data Security Platform can help give you more visibility over your PHI and help meet HIPAA compliance, schedule a demo with one of our engineers or start your free trial today.