The HIPAA Security Rule, as many know, is not a prescriptive standard like the Payment Card Industry’s Data Security Standard (PCI DSS). In the area of identity management and authentication / access control, the HIPAA Security Rule generally looks for a few things: unique user access, authentication controls, and audit logging. It is also focused on ensuring that administrators follow proper procedures and control access. JumpCloud’s® cloud directory supports a number of the areas of the HIPAA Security Rule.
Complying with HIPAA Security Rules
Like any other technical solution, the use of JumpCloud’s Directory-as-a-Service® platform does not by itself make you compliant with the HIPAA Security Rule, and specifically with areas such as the Administrative and Technical Safeguards. It is how JumpCloud is used, and the processes that IT organizations follow, that ultimately allow compliance to be achieved.
For example, JumpCloud cannot guarantee that an organization will not create user accounts that are then shared, or that end users will not share their login credentials. However, a cloud directory can be a core part of the solution to achieving compliance, along with excellent documentation and processes.
JumpCloud’s cloud directory service makes it quite easy to create, manage, and terminate unique accounts. Access to various IT systems can be logged and monitored by JumpCloud. Administrative controls for password management are also a core part of the IDaaS platform.
Major HIPAA Security Rules
There are a number of major areas in the HIPAA Security Rules, and those areas then cascade into a number of specific actions that IT organizations need to take. The major areas of the HIPAA Security Rule include:
- Administrative Safeguards – this part of the Security Rule assigns ownership and creates the infrastructure of solid security practices that will help to support HIPAA compliance.
- Physical Safeguards – physical access to IT systems and data must be closely guarded, both against malicious intrusion and in the event of a disaster.
- Technical Safeguards – this area of the statute is focused on the implementation of controls for access to systems, applications, and data, as well as the security of those IT resources and e-PHI.
How JumpCloud Helps
JumpCloud’s cloud IAM platform will support your efforts primarily in the Administrative and Technical Safeguards. In both of those areas, controlling and monitoring access to IT resources is central to compliance. Practices such as ensuring unique access per person, strong passwords and authentication mechanisms, multi-factor authentication, and audit logging will generally cover most of the requirements of the statute.
Each auditor’s confirmation of those controls may be different, but the thrust of their focus will be on ensuring that accounts belong to unique people, that those people have access only to what they need to know, and that they are using their access properly. Additionally, if access is not being used properly, the system must support detecting that, and it must ultimately ensure that those who do not have a need to know cannot access the systems. JumpCloud’s IDaaS platform can support IT organizations in each of these areas and more.
JumpCloud currently supports a number of health care customers subject to HIPAA. If you are interested in leveraging JumpCloud’s cloud directory to support your HIPAA compliance efforts, we are more than happy to work with you on understanding how we relate to your Business Associate Agreements. Directory-as-a-Service does not process or store any e-PHI, which is critical when considering whether your provider needs to sign a BAA with you. As a result, it is not necessary to have JumpCloud sign a BAA with you. Our team is happy to walk you through how we work with our healthcare customers.
Learn More On JumpCloud & HIPAA Security Rule Compliance
If you would like to learn more about how JumpCloud can support HIPAA Security Rule compliance, drop us a note. Alternatively, feel free to give our cloud directory a try. Your first 10 users are free forever.