HIPAAnotes
March 2004
Defining the Scope of Access Controls for Non-IS Systems
With the HIPAA Security Rule compliance date only a year away,
many providers' Security Officers are evaluating their compliance
with the Rule's requirements. One of the Rule's requirements is
technical access controls for all systems containing electronic
protected health information (ePHI). This Note discusses some of
the issues surrounding access controls and the steps required to
achieve compliance.
Understanding the Scope
The first step in achieving compliance with HIPAA's access controls
requirement is to define the scope of the task at hand. While many
Chief Information Officers (CIOs) and Chief Security Officers (CSOs)
may wish to limit the effort to systems within the control of the
Information Systems (IS) Department, the rule doesn't define this
narrow focus. In reality, ePHI is resident on many other classes
of non-IS systems including radiology, laboratory, and biomedical
systems. A failure to protect these systems may result in a fine
for non-compliance and potentially worse -- a privacy breach.
Security Officers need only look at the development trends for
these non-IS systems to understand why the Security Rule addresses
the broad requirement. Technology exists today to integrate radiology
systems into the electronic medical record (EMR). Many of today's
Picture Archiving and Communications Systems (PACS) vendors are
using standard workstations and browser-based software to access
radiology information. As technology continues to advance, the line
between the IS and non-IS systems fades. The day is not far off
when laboratory results and radiology reports are automatically
posted to EMRs and pushed to physicians' portable computers. These
non-IS systems are becoming more interconnected with the traditional
IS systems, resulting in a security gap if not properly addressed.
Implementation Issues
Once the scope of access control is properly defined, it becomes
apparent that the compliance responsibility extends beyond the realm
of most CIOs. Providers must coordinate the actions of the radiology,
laboratory, and biomedical device managers. Some models have the
CIO orchestrating the compliance actions of all. Other models assign
responsibility to the CSO. Whatever route your organization takes
to address access control, it should encompass potential risks to
ALL of your ePHI.
So, just how does one implement access control mechanisms on non-IS
systems?
- First, identify those non-IS systems that may contain ePHI.
Look for hard drives, removable media such as floppy and optical
disks, or network connections.
- Second, document the technical safeguards that may be native
to the system. Check with product vendors to see if the product
supports Unique User Identification and Emergency Access Procedures.
This process may resemble the due diligence that organizations
faced during Y2K.
- Third, include non-IS devices containing ePHI in all the organization's
security policies and procedures. Provide for an "exception
process" when the technology doesn't permit the use of access
controls. Ensure that the CSO's responsibility extends to these
non-IS systems.
- Finally, include security requirements in all procurement and
maintenance contracts for your non-IS systems that could create,
store, or access ePHI. Properly written contracts will help reduce
potential exposure of ePHI by requiring the purchase of HIPAA
compliant non-IS systems. The contracts should also address overall
security awareness and requirements for work performed by the
vendors' maintenance technicians.
Be aware that many older products that store ePHI do not have the capability
to provide access control measures. For these systems, it may be
necessary to provide other external access control measures, such
as power locks or secure rooms. Some mobile systems may not be able
to be protected. For these, providers must (at a minimum) document
the risk and state that compliance cannot be achieved until the
vendor develops an upgrade.
The bottom line is: be sure to consider ALL of your organization's
ePHI when you institute access controls to be included in your overall
security program!
Clyde Hewitt, Principal
Phoenix Health Systems