Controlling User Access for HIPAA

Written by Zach DeMeyer on September 22, 2018


Meting out access to IT resources is a directory service’s main job, and it is especially pertinent to HIPAA compliance. Under the HIPAA Security Rule, covered entities and their business associates need a strong identity and access management (IAM) foundation. Ensuring that the right employees reach the right information and resources, and nothing more, underpins both privacy and security. With protected health information, little matters more than controlling user access.

What is HIPAA Compliance?


Per the HIPAA Technical Safeguards (45 CFR § 164.312(d), person or entity authentication), a compliant organization must “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.” The companion access control standard, § 164.312(a)(1), requires that only persons and programs that have been granted access rights can reach that information. Together, these boil down to IAM: verify who the user is, then grant only what their role needs. You wouldn’t want Finance to have access to Engineering’s software, nor would you want Marketing to be able to open Finance’s spreadsheets. This is especially important with electronic protected health information (ePHI), which often contains health history, Social Security numbers, and other key facets of a person’s identity.

Using IAM increases an organization’s overall information and identity security, a key factor in HIPAA compliance. The core of using IAM for HIPAA compliance is controlling user access: by managing the permissions attached to each user identity, IT admins can ensure that only the appropriate individuals can access ePHI, and that those permissions can be reviewed and revoked when roles change.
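The separation just described, as an added example that is not part of the original article or of JumpCloud’s product: a minimal Python policy check that verifies identity first, grants access only on an explicit group-to-resource permission, denies everything else, and records every decision for audit. The users, groups, resources and the rule that ePHI requires a second factor are all hypothetical.

```python
"""Deny-by-default, group-based access check for ePHI with an audit trail.

Constructed example for this article; not code from the page or from
JumpCloud's product. All users, groups, resources and the MFA rule are
hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Resource:
    name: str
    owner_dept: str
    contains_ephi: bool = False


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset[str]
    authenticated: bool = False   # identity verified (164.312(d))
    mfa_verified: bool = False    # second factor completed (assumed local policy)


# Hypothetical inventory. Only "patient-records" holds ePHI.
RESOURCES: dict[str, Resource] = {
    "patient-records": Resource("patient-records", "clinical", contains_ephi=True),
    "finance-spreadsheets": Resource("finance-spreadsheets", "finance"),
    "source-code": Resource("source-code", "engineering"),
}

# Explicit grants: (group, resource) -> allowed actions. Anything not listed is
# denied, so Engineering never reaches patient records and Marketing never
# opens Finance's files.
GRANTS: dict[tuple[str, str], frozenset[str]] = {
    ("clinical-staff", "patient-records"): frozenset({"read", "write"}),
    ("billing", "patient-records"): frozenset({"read"}),
    ("billing", "finance-spreadsheets"): frozenset({"read", "write"}),
    ("engineering", "source-code"): frozenset({"read", "write"}),
}

# Every decision, allowed or denied, is recorded (audit controls, 164.312(b)).
AUDIT_LOG: list[dict[str, object]] = []


def authorize(user: User, resource_name: str, action: str) -> bool:
    """Return True only when an explicit grant covers the request."""
    resource = RESOURCES.get(resource_name)
    if resource is None:
        allowed, reason = False, "unknown resource"
    elif not user.authenticated:
        # 164.312(d): confirm the person is who they claim before checking permissions.
        allowed, reason = False, "not authenticated"
    elif resource.contains_ephi and not user.mfa_verified:
        # Assumed local policy: ePHI needs a second factor. HIPAA itself does not mandate MFA.
        allowed, reason = False, "ePHI requires MFA"
    else:
        permitted: set[str] = set()
        for group in user.groups:
            permitted |= GRANTS.get((group, resource_name), frozenset())
        allowed = action in permitted
        reason = "explicit grant" if allowed else "no grant for user's groups"

    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user.username,
        "resource": resource_name,
        "action": action,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed


def denied_reason(user: User, resource_name: str, action: str) -> str:
    """Run the check and return the recorded reason, for inspection."""
    authorize(user, resource_name, action)
    return str(AUDIT_LOG[-1]["reason"])


if __name__ == "__main__":
    nurse = User("nurse.kim", frozenset({"clinical-staff"}), authenticated=True, mfa_verified=True)
    dev = User("dev.lee", frozenset({"engineering"}), authenticated=True, mfa_verified=True)
    biller = User("bill.ray", frozenset({"billing"}), authenticated=True, mfa_verified=False)
    print(authorize(nurse, "patient-records", "write"))       # True
    print(authorize(dev, "patient-records", "read"))          # False: no grant
    print(authorize(biller, "patient-records", "read"))       # False: no MFA
    print(authorize(biller, "finance-spreadsheets", "read"))  # True: not ePHI
    for entry in AUDIT_LOG:
        print(entry)
```

The order of the checks is the point: authentication is settled before any permission is consulted, a missing grant is a denial rather than an error, and the denied attempts are logged with the same fidelity as the allowed ones so that a later access review has something to work from.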

Directory Services for Security

Because of this, maintaining an authoritative directory of users is crucial to security and HIPAA compliance. For years, Microsoft® Active Directory® (AD) was the default answer: with Windows dominating the workplace, AD could provide a single user identity for nearly every resource an employee touched, which made meeting the Security Rule’s access requirements comparatively straightforward.

As IT shifted to the cloud, however, that single identity began to fragment. Employees adopted web-based applications and resources, and increasingly worked on Mac® and Linux® systems that AD was not built to manage. AD could no longer keep up by itself and needed a slew of add-ons, such as SSO tools and identity bridges, to tie those identities back together.

Cloud Directories: The Future of Controlling User Access for HIPAA Compliance

The cloud directory service is meant to fill that gap: a directory that manages heterogeneous systems, endpoints and access permissions regardless of platform. JumpCloud® Directory-as-a-Service® is one such cloud directory.

JumpCloud Directory-as-a-Service is a reimagination of AD for the cloud era. In its whitepaper, the independent auditor Coalfire Systems examined JumpCloud’s ability to control user access for HIPAA compliance. Coalfire reports that, with proper implementation, JumpCloud satisfies the applicable sections of both the HIPAA Security Rule and the Breach Notification Rule. The qualifier matters: the product supports compliance, but the covered entity remains responsible for how it is configured and for the policies around it. To see how the Directory-as-a-Service platform was tested and the rest of Coalfire’s findings, you can read the whitepaper here.

JumpCloud® Directory-as-a-Service® and HIPAA


For more on using JumpCloud to control user access for HIPAA compliance, you can contact us, or check out our YouTube channel for video content. To see all that Directory-as-a-Service has to offer, be sure to schedule a demo of the product, or sign up for the platform to see it for yourself. Signing up is completely free, and so are your first ten users.
