HIPAA and Identity Management

Written by Zach DeMeyer on October 5, 2018


The Health Insurance Portability and Accountability Act (HIPAA) is government legislation that regulates how sensitive information within the healthcare industry is handled. Further, the HIPAA Security Rule dictates how electronic protected health information (ePHI) should be safeguarded. There are multiple approaches to achieving compliance, but in this post we will talk about HIPAA and identity management.

The HIPAA Security Rule


At its core, the HIPAA Security Rule requires any company that handles ePHI to have a system in place that protects the ePHI from compromise in the event of an attack. This system must be able to distinguish which individuals may access the information, as well as what they may do with the access they are granted. In addition, the organization must have procedures in place to review access reports and security incidents (successful attacks or otherwise). Besides safeguarding ePHI, the security system itself needs safeguards: a contingency plan for emergencies that ensures ePHI remains secure and backed up.

Identity Management and HIPAA Compliance

Traditionally, HIPAA Security Rule compliance relied on identity management through the directory service a company implemented, most often Microsoft® Active Directory® (MAD or AD). Through a directory service, IT admins can federate access so that only authorized employees can reach ePHI, and control what they can do with it. MAD, however, is limited by the fact that it is on-prem and designed for Windows®-centric environments. In the modern era, most workplaces are heterogeneous, with Mac® and Linux® machines alongside Windows, and with a workforce that ranges from fully on-prem to fully remote and everything in between, MAD struggles to keep up. Because of this, IT admins are starting to explore new options for HIPAA and identity management.

One such option takes all the benefits of a traditional directory service and moves them to the cloud: the cloud directory service. The cloud directory service is designed for heterogeneous environments and acts as a bridge between on-prem organizations and all of the possibilities of the cloud. These include web-app single sign-on (SSO) with SAML, RADIUS for WiFi authentication, OS-agnostic user and system management, and more.

HIPAA Compliance with JumpCloud®

JumpCloud® Directory-as-a-Service® is one such cloud directory service. In its whitepaper, Coalfire, an independent compliance auditor, examines JumpCloud with regard to HIPAA Security Rule compliance. After rigorous compliance testing, Coalfire found that, when properly implemented, JumpCloud meets the identity management requirements of the HIPAA Security Rule. You can learn more about Coalfire's findings in the whitepaper.

You can also learn more about JumpCloud Directory-as-a-Service, HIPAA, and identity management by contacting us or checking out our YouTube channel. To achieve HIPAA compliance for your organization through Directory-as-a-Service, consider signing up for JumpCloud. Signing up is free, requires no credit card, and includes 10 users on us to get you started.
