[US] Healthcare Services (HIPAA) Compliance report

The [US] Healthcare Services (HIPAA) Compliance Report helps you assess your web application's security against the U.S. Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

About the HIPAA Security and Privacy Regulations

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted in 1996. It is designed to protect the privacy and security of individuals' health information and to improve the efficiency of healthcare systems.

HIPAA has several key purposes:

  • Privacy: Protects patients' rights by controlling how protected health information (PHI) is used and disclosed.
  • Security: Sets standards to safeguard electronic protected health information (ePHI) against unauthorized access, alteration, or loss.
  • Portability: Ensures that health insurance coverage is maintained when individuals change or lose jobs.
  • Administrative Simplification: Standardizes electronic healthcare transactions and coding to improve efficiency and reduce costs.

HIPAA includes several main rules:

  • Privacy Rule (2003): Defines Protected Health Information (PHI), sets limits on its use and disclosure, and grants patients rights to their records.
  • Security Rule (2005): Requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI). This includes risk assessments and access controls.
  • Breach Notification Rule (2009): Requires notification to affected individuals, the Department of Health and Human Services (HHS), and in some cases the media in the event of a breach of unsecured PHI.
  • Enforcement Rule: Outlines investigation processes and penalties for non-compliance, which can include significant fines and possible criminal charges.

HIPAA was enacted on August 21, 1996. Key compliance deadlines include:

  • Privacy provisions: April 14, 2003
  • Security provisions: April 21, 2005
  • Breach Notification Rule: September 23, 2009

Covered entities

The following organizations are typically required to comply with HIPAA:

  • Health plans, healthcare providers, and healthcare clearinghouses.
  • Business associates, such as vendors and contractors, that handle PHI (for example, cloud providers or billing services).

AppScan Enterprise HIPAA compliance report

AppScan Enterprise's HIPAA compliance report automatically identifies potential issues within your web environment that might affect your overall compliance with the HIPAA Security Rule. The report also references related activities outlined in the NIST Resource Guide for Implementing the HIPAA Security Rule.

Report terminology

Addressable Issue
As it appears in this report, this means a covered entity must:
  1. Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
  2. As applicable to the entity:
    1. Implement the implementation specification if reasonable and appropriate; or
    2. If implementing the implementation specification is not reasonable and appropriate:
      1. Document why it would not be reasonable and appropriate to implement the implementation specification; and
      2. Implement an equivalent alternative measure if reasonable and appropriate.

Possible Issue
As it appears in this report, this means the detected results might imply that a required implementation specification is not met.

HIPAA compliance report vulnerabilities

The following table lists the specific HIPAA Security Rule requirements that are evaluated. Vulnerabilities found in your application are mapped to these sections.

Table 1. Sections of the regulation

ID | Name
S.Rule - Part 164, Subpart C, 164.308(a)(3)(i) | Addressable Issue - Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic protected health information.
S.Rule - Part 164, Subpart C, 164.308(a)(3)(ii)(A) | Addressable Issue - Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
S.Rule - Part 164, Subpart C, 164.308(a)(4)(i) | Possible Issue - Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part (the Privacy Rule).
S.Rule - Part 164, Subpart C, 164.308(a)(4)(ii)(B) | Possible Issue - Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
S.Rule - Part 164, Subpart C, 164.308(a)(5)(ii)(D) | Addressable Issue - Implement procedures for creating, changing, and safeguarding passwords.
S.Rule - Part 164, Subpart C, 164.312(a)(1) | Possible Issue - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in section 164.308(a)(4).
S.Rule - Part 164, Subpart C, 164.312(a)(2)(iv) | Addressable Issue - Implement a mechanism to encrypt and decrypt electronic protected health information.
NIST Resource Guide - Section 4.14, Activity 8 | Addressable Issue - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
S.Rule - Part 164, Subpart C, 164.312(c)(1) | Possible Issue - Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
S.Rule - Part 164, Subpart C, 164.312(d) | Possible Issue - Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
S.Rule - Part 164, Subpart C, 164.312(e)(1) | Possible Issue - Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
S.Rule - Part 164, Subpart C, 164.312(e)(2)(ii) | Addressable Issue - Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.