Technical safeguards for HIPAA at the administrative level.

This is the 3rd post in a 3-part series on HIPAA data security.  Here we discuss ways Veriato can assist organizations reduce the cost associated with HIPAA compliance reporting while increasing data security.

Requirement 164.308

Administrative Safeguards

Veriato acts as a core part of your implementation and maintenance of security measures and administrative safeguards to protect patient data, specifically around monitoring and reviewing the conduct of you workforce in relation to the protection of patient data.

Below are some examples of how Veriato can assist in addressing some of HIPAA’s Administrative

• Risk Analysis (Required) § 164.308(a)(1)(ii)(A) – Veriato’s visibility into how users access, interact with, and use patient data can be utilized to assess the confidentiality, integrity, and availability of patient data, regardless of application used.
• Information System Activity Review (Required) § 164.308(a)(1)(ii)(D) – By providing per-user activity detail and reporting, Veriato supplies the most comprehensive and contextual activity review possible, showing when patient data is access, as well as the actions performed before and after the access in question.
• Log-in Monitoring (Addressable) § 164.308(a)(5)(ii)(C) – Veriato facilitates the monitoring of and reporting on log-ins which can be used to identify suspect activity.
• Response and Reporting (Required) § 164.308(a)(6)(ii) – In cases where the suspected or known security incident involves a user’s application-based interaction with patient data, Veriato provides the activity detail necessary to document the security incident and outcome in almost.

Requirement 164.312

Technical Safeguards

Veriato’s advanced user activity monitoring and behavior analysis technology can be leveraged to define advanced policy and procedures designed to establish and ensure patient data remains protected giving you HIPAA technical safeguards at the highest level.

Below are some examples of how Veriato can assist in addressing some of HIPAA’s Technical Safeguards:

• Audit Controls (Required) § 164.312(b) – Veriato not only empowers security teams to record an examine user activity within systems containing protected patient data, but also within any other application, providing unmatched visibility into actions taken around patient data access.
• Mechanism to Authenticate Electronic Protected Health Information (Addressable) § 164.312(c)(2) – Because Veriato records and can playback all user activity involving protected patient data, it provides the ability to demonstrate that patient data has not been altered or destroyed in an unauthorized manner.

Requirement 164.414

Administrative Requirements & Burden of Proof

In an organization’s time of need, when demonstrating either HIPAA compliance – or the lack thereof – is necessary, the determining factor will ultimately be the answer to the question “Was patient data improperly used?”. This will require an ability to review the exact actions taken by one or more users, both within and outside of an EHR application.

Below are some examples of how Veriato can assist in addressing this HIPAA requirement:

• Administrative Requirements § 164.414(a) – Veriato’s ability to record, playback, and report on detailed user activity can help demonstrate compliance with the Safeguards portion of the Administrative Requirements § 164.530(c).
• Burden of Proof § 164.414(b) – In the event of a suspected breach, Veriato uniquely facilitates the playback of specific user activity to either demonstrate the lack of a breach, or to help define the scope of one.

Requirement 160.308

Compliance Reviews

Whether as part of suspected violation or other circumstances, compliance reviews of administrative provisions around appropriate access to, and usage of, patient data can be simplified by demonstrating enforcement of policies and procedures through Veriato’s activity reports and activity playback.