What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 to regulate electronic billing and data protection of patients in the healthcare sector. Numerous healthcare organizations fail to have proper security measures in place and can become the victim of cyber attacks. This can have adverse consequences for both their business operations, and the safety of their patients.

HIPAA is applicable to:
  • Organizations like hospitals that treat patients, manage healthcare data and billing, and rely on health records for their business operations.
  • Providers of healthcare plans and institutions like insurance companies or schools that maintain health records of employees or students.
  • Organizations such as diagnostic centers involved in storing healthcare data or transmitting health records.

Understanding the Privacy and Security Rule

HIPAA requires healthcare organizations to recognize the patients' right to their information.

The Privacy Rule applies to cloud service providers, data centers, third-party contractors and vendors. The Privacy Rule mandates that these providers must have safeguards in place to protect electronic protected health information (ePHI). This comprises any personal health information that is maintained electronically, such as electronic health records and electronic medical records.

Patients have the right to authorize sharing of their health records with third-party vendors. They can also request a copy of health records or request corrections to their records whenever required. HIPAA mandates that records should be retained for a period of six years.

The Security Rule specifies what kind of safeguards must be in place to protect ePHI. The rule requires healthcare organizations to have all required technical, administrative and physical safeguards in place to protect health information.

Technical Safeguards

According to the HIPAA Security Rule, technical safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

  • Only authorized personnel should have access to the health records.
  • All devices storing or accessing health records must be monitored, and any changes to health records must be audited.
  • When sharing health records over the network, they must be sent over secure transmission channels.
  • Effective safeguards must be in place to detect whether health information has been tampered with.

Administrative Safeguards

HIPAA defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

  • All business operations that could pose a threat to the safety of patient information must be analyzed. Security measures should be implemented to circumvent or minimize these risks.
  • Designated personnel should be put in charge of overseeing security measures and making sure that HIPAA mandated protocols are followed.
  • Role-based authorization should be strictly enforced to ensure that only authorized personnel can access health records.
  • Employees who have access to ePHI must be trained in maintaining the safety of the patient information and should constantly be updated on the new technology, protocol, and security measures.
  • Security policies must be tested for loopholes in the systems.

Physical Safeguards

HIPAA defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

  • Access to storage facilities where the data is held must be given only to authorized personnel.
  • Devices that authorized employees use to access ePHI must have security measures in place.
  • Security plans that include the removal or destruction of compromised devices must be implemented without any harm to patient records.

Penalties for HIPAA violations

HIPAA violation penalties are within a bracket of $100 to $50,000 per violation based on the level of negligence by those involved.

Violations are treated as one of two kinds: i) reasonable cause, or ii) willful neglect. Reasonable cause violation penalties vary between $100 and $50,000 per violation, whereas willful neglect of HIPAA protocol could incur fines between $10,000 and $50,000 per violation, and could lead to criminal charges being pressed.

How ADAudit Plus can help you comply with the statutes in HIPAA

ADAudit Plus offers you a series of pre-configured reports to help manage different security aspects of your network. The intuitive dashboard also has a special section displaying reports related to various compliance laws.

Displayed below are the reports related to HIPAA compliance.

[Image: The 'Compliance' tab shows reports that help you stay HIPAA compliant.]

Reports available in ADAudit Plus to help you comply with HIPAA:

  • Group Management

    This report shows you changes made to security and distribution groups; for example, a user being added to or deleted from a group.

  • OU Management

    This report shows you all the changes made to organizational units. For example, a new OU was created, or an existing OU was deleted.

  • Recent User Logon Activity

    This report displays recently logged-on users, which workstations they logged on from, whether the logon succeeded, and why a logon failed.

  • Logon failures

    This report displays a list of logon failures with comments on what type of error caused the logon failure; for example, a bad password entry.

  • User Management

    This category of reports shows you a list of user accounts that were created, deleted or disabled.

  • Computer Management

    This section shows you a list of computer accounts that were created, deleted or modified.

  • Logon Duration

    This report describes a user's logon-related details like logon and logoff time, logon type, which workstation the user logged in from, and for how long they were logged in.

  • All File and Folder Changes

    This report lists all the changes made to a file or folder. For example, a folder's owner was changed, or a file was created, deleted or modified. You can also see if the contents of a file were copied and pasted elsewhere.

  • Remote Desktop Services Activity

    This report describes any attempts to log on to your network remotely.

ADAudit Plus is a real-time, web-based Windows Active Directory (AD) change reporting software that audits, reports and alerts on Active Directory, Windows servers and workstations, and NAS storage devices to meet the demands of security and compliance requirements. You can track AD management changes, processes, folder modifications, permission changes, and more with 200+ reports and real-time alerts. You can also get out-of-the-box reports for compliance mandates such as HIPAA. To learn more, visit https://www.manageengine.com/active-directory-audit/
