Summer 2021 Cybersecurity Newsletter—Controlling Access to ePHI: For Whose Eyes Only? (July 14, 2021)
CISA: New StopRansomware.gov website—The U.S. Government’s One-Stop Location to Stop Ransomware (July 15, 2021)
OCR has released its Summer 2021 Cybersecurity Newsletter, emphasizing the importance of regulating access to PHI using the HIPAA security rule’s standards for information access management and access control. OCR observes that these standards are complementary requirements that help ensure workforce members are authorized to access only the PHI they need, and that limit unauthorized access by both hackers and malicious insiders. Here are key points from the newsletter for each standard:
Information access management. This standard is classified as an administrative safeguard under the security rule and has generally applicable implementation specifications for (1) access authorization and (2) access establishment and modification. Access authorization focuses on policies for granting workforce members access to PHI, such as how to request access and the criteria for granting access to particular systems, applications, and data based on workforce roles. In comparison, access establishment and modification addresses the procedural aspects of establishing, documenting, reviewing, and modifying users’ access to workstations, transactions, programs, and processes. This implementation specification focuses on access changes, such as a workforce member being promoted or a covered organization shifting to remote work during a pandemic, to ensure that workforce members’ access continues to be appropriate for their roles.
Access control. This standard is classified as a technical safeguard, requiring covered entities and business associates to restrict access to PHI in accordance with their access management process. The standard includes four implementation specifications. Unique user identification is required to ensure accountability of individual users and facilitate investigations when intrusions occur. Emergency access procedures are applicable to situations in which the normal procedures for accessing PHI are unavailable. Automatic logoff reduces the risk of unauthorized access when users forget or are unable to terminate their work sessions. Finally, encryption reduces the risks and costs of unauthorized access to PHI—plus encrypted PHI is not considered unsecured and, consequently, is not subject to HIPAA breach notification.
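To make the two standards concrete, the following is an added example (not from the newsletter, OCR, or EBIA) of a toy access-control model that ties them together: a role-based authorization policy, access modification when a workforce member’s role changes, unique user identification carried into every audit entry, an emergency-access (break-glass) path that is permitted but flagged, and automatic logoff after an idle period. The role names, permission strings, record identifiers and the 15-minute timeout are assumptions chosen for illustration.

```python
"""Toy ePHI access-control model (constructed example, not from the page).

Illustrates: access authorization by role, access establishment and
modification, unique user identification in the audit trail, emergency
access procedures, and automatic logoff on inactivity.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Access authorization policy (assumed roles and permissions): what each
# workforce role may do. Anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, set] = {
    "nurse": {"read:clinical"},
    "physician": {"read:clinical", "write:clinical"},
    "billing": {"read:billing"},
}

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed automatic-logoff threshold


@dataclass
class Session:
    user_id: str            # unique per person; no shared accounts
    last_activity: float    # monotonic seconds, supplied by the caller
    emergency: bool = False  # break-glass session, flagged in the log


@dataclass
class AccessControl:
    roles: Dict[str, str] = field(default_factory=dict)       # user_id -> role
    sessions: Dict[str, Session] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def _log(self, user_id: str, event: str, now: float, **detail) -> None:
        # Every entry names the individual user, which is what makes
        # accountability and intrusion investigation possible.
        self.audit_log.append({"user_id": user_id, "event": event, "time": now, **detail})

    # --- Access establishment and modification ---------------------------
    def assign_role(self, user_id: str, role: str, actor: str, now: float) -> None:
        """Grant or change a user's role; the old role's rights disappear."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        previous: Optional[str] = self.roles.get(user_id)
        self.roles[user_id] = role
        self._log(actor, "role_change", now, subject=user_id, old=previous, new=role)

    def revoke_access(self, user_id: str, actor: str, now: float) -> None:
        """Remove all access (e.g. departure) and end any open session."""
        self.roles.pop(user_id, None)
        self.sessions.pop(user_id, None)
        self._log(actor, "access_revoked", now, subject=user_id)

    # --- Session handling -------------------------------------------------
    def login(self, user_id: str, now: float) -> bool:
        if user_id not in self.roles:
            self._log(user_id, "login_denied", now, reason="no_role")
            return False
        self.sessions[user_id] = Session(user_id, now)
        self._log(user_id, "login", now)
        return True

    def emergency_login(self, user_id: str, reason: str, now: float) -> None:
        """Emergency access procedure: allowed when normal access is
        unavailable, but every use is recorded for after-the-fact review."""
        self.sessions[user_id] = Session(user_id, now, emergency=True)
        self._log(user_id, "emergency_access", now, reason=reason)

    # --- Access control decision -----------------------------------------
    def check_access(self, user_id: str, permission: str, now: float) -> bool:
        session = self.sessions.get(user_id)
        if session is None:
            self._log(user_id, "denied", now, permission=permission, reason="no_session")
            return False
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            # Automatic logoff: the idle session is closed, not silently renewed.
            del self.sessions[user_id]
            self._log(user_id, "auto_logoff", now, idle=now - session.last_activity)
            return False
        session.last_activity = now
        if session.emergency:
            self._log(user_id, "allowed", now, permission=permission, emergency=True)
            return True
        role = self.roles.get(user_id)
        allowed = role is not None and permission in ROLE_PERMISSIONS[role]
        self._log(user_id, "allowed" if allowed else "denied", now,
                  permission=permission, role=role)
        return allowed


def emergency_events(ac: AccessControl) -> List[dict]:
    """Entries a reviewer would pull when auditing break-glass use."""
    return [e for e in ac.audit_log if e["event"] == "emergency_access"]
```

The point a reviewer should take from the model is that a role change is an access modification, not an addition: the nurse who moves to billing loses clinical read rights at the moment the role is reassigned, and the audit trail records who made the change and for whom.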
The day after OCR published its cybersecurity newsletter, the federal Cybersecurity & Infrastructure Security Agency (CISA) announced the launch of a new website to help public and private organizations defend against ransomware. According to CISA, the website is an interagency resource giving users one central location for ransomware resources and alerts. CISA plans to expand the resources and information available on the website.
EBIA Comment: The periodic cybersecurity newsletters highlight HIPAA compliance and enforcement issues of interest to OCR. While the ransomware website is not specific to HIPAA, hackers intent on installing ransomware first need access to vulnerable systems, so there is a clear connection between access controls and ransomware defense, and both resources are recommended reading for covered entities and business associates. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXX.B (“Administrative Safeguards”) and XXX.D (“Technical Safeguards”). You may also be interested in our upcoming webinar “Practical Application of HIPAA Use and Disclosure Rules for Group Health Plans” (live on 8/12/2021).
Contributing Editors: EBIA Staff.