By Rajat Bhargava Posted July 5, 2017
There are a number of areas that a healthcare IT organization needs to cover for the HIPAA Security Rule. Those areas include Administrative Safeguards, Physical Safeguards, and Technical Safeguards. There are also other ancillary, yet critical, requirements, including documentation of procedures and the validation or verification of those procedures. In this blog post, we cover how a cloud directory supports the HIPAA Security Rule’s Administrative Safeguards.
HIPAA Security Rule for Administrative Safeguards
The HIPAA Security Rule for Administrative Safeguards describes them as:
“administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
Areas of Focus
Another way to think about the Administrative Safeguards is as infrastructure that helps execute on the other requirements within the Security Rule. The first area of focus with Administrative Safeguards is a Security Management Process which focuses on:
- Risk analysis
- Risk management
- Sanctioning policies
- Information systems activity review
While many of these requirements are outside the scope of a product or tool, a cloud directory service can help with the implementation of the risk management section and the information systems activity review. In the case of risk management, a cloud directory is the core system controlling user access to critical IT systems and potentially even ePHI (electronic protected health information). An IDaaS solution that logs and audits user access to the various IT resources supports the information systems activity review.
The next major area of the HIPAA Security Rule’s Administrative Safeguards is assigning a single official who is in charge of, and responsible for, compliance with the statute.
Following this is Workforce Security, an important area where a cloud identity management platform can support a healthcare organization. Implementing tight controls over access, and being able to provision, deprovision, and modify user access centrally, is critical. Additionally, a cloud directory lets the healthcare organization authenticate users, authorize the proper access levels, and decommission access when an individual has departed the organization.
Information Access Management is the fourth major subsection of the Administrative Safeguards. In this area, IT organizations are tasked with restricting access to IT systems and data to only those who have a clear and direct reason for it. These procedures and processes need to be documented as well as executed. An identity management system is a core part of this area as well.
Security Awareness and Training is the fifth area, with subsections covering security reminders, protection from malicious software, log-in monitoring, and password management. A cloud directory supports the ability to monitor logins and to ensure that passwords comply with the organization’s standards and policies.
The final four areas of the Administrative Safeguards all revolve around leading and administering the HIPAA Security Rule within a healthcare organization. Admins are required to implement Security Incident Procedures and Contingency Plans, establish a process for Evaluation of compliance, and execute Business Associate Agreements and other contracts.
Meeting HIPAA Compliance Standards
As we have often said, compliance is rarely, if ever, accomplished by purchasing a tool. Compliance is the combination of technical solutions, sound processes, and smart people coming together. This is clearly the case with the HIPAA Security Rule and absolutely true of the Administrative Safeguards. JumpCloud’s Directory-as-a-Service® platform can be a key solution in the quest to become HIPAA compliant.
As a note, if you are interested in leveraging JumpCloud’s cloud directory to support your HIPAA compliance efforts, we are more than happy to work with you on understanding how we relate to your Business Associate Agreements. Directory-as-a-Service does not access, process, or store any ePHI from a covered entity, which is critical when deciding whether your provider needs to sign a BAA with you. Our team is happy to walk you through how we work with our healthcare customers.
How a Cloud Directory Supports HIPAA Compliance
If you want to learn more about how a cloud directory can support your efforts to become compliant with the HIPAA Security Rule’s Administrative Safeguards, reach out to us directly. Or, sign up for a free cloud IAM account and check out how you can leverage the SaaS-based directory for your organization. Your first 10 users are free forever.