Related Topics
About HIPAA Compliance Reports
The United States Health Insurance Portability and Accountability Act (HIPAA) security rule includes a series of administrative, technical, and physical security safeguards that organizations in the United States must follow to make sure that electronic protected health information (EPHI) is confidential. Healthcare organizations routinely use various IT applications for billing, payment, clinical decision-making, and workflow management. As personal and confidential information passes across networks, between health providers, employers, and insurance companies, organizations must protect this data to maintain HIPAA compliance.
All HIPAA covered entities must comply with the Security Rule. In general, the standards, requirements, and implementation specifications of HIPAA apply to these covered entities:
- Covered Health Care Providers — Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
- Health Plans — Any individual or group plan that provides or pays the cost of health care (e.g., a health insurance issuer and the Medicare and Medicaid programs).
For more information on who is a covered entity under HIPAA, see:
- The Office for Civil Rights (OCR) — www.hhs.gov/ocr/hipaa
- The CMS — www.cms.hhs.gov, see Regulations and Guidance
The HIPAA security rule consists of a number of safeguards in different areas:
- Administrative
- Physical
- Technical
Each set of safeguards includes a number of standards, which generally include a number of implementation specifications that are either required or addressable. If an implementation specification is required, the covered entity must implement policies and/or procedures that meet what the implementation specification requires. If an implementation specification is addressable, then the covered entity must assess whether it is a reasonable and appropriate safeguard in environment of that entity.
The Security Rule requires that a covered entity document the rationale for many of its security decisions.
Many of the HIPAA Administrative and Technical safeguards are broad and general in their statements and they do not specify technical implementation other than good security practices, such as user authentication, regular auditing and reporting, and incident management and response. Because of the privacy origins of HIPAA, the security safeguards also put a lot of emphasis on the encryption of data.
WatchGuard addresses these specific HIPAA compliance standards:
The Unique User Identification implementation specification states that a covered entity must: “Assign a unique name and/or number for identifying and tracking user identity.” User identification is a way to find a specific user of an information system, typically by name and/or number. A unique user identifier allows an entity to track specific user activity when that user is logged in to an information system. It enables an entity to hold users accountable for functions performed on information systems with EPHI when logged in to those systems.
Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must: “Implement a mechanism to encrypt and decrypt electronic protected health information.”
Fireware XTM provides options to authenticate users and track network activity by user as well as by IP address. Single Sign-On with Active Directory is one option.
The Audit Controls standard requires a covered entity to: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
It is important to point out that the Security Rule does not identify data that must be gathered by the audit controls or how often the audit reports should be reviewed. A covered entity must consider its risk analysis and organizational factors, such as current technical infrastructure, hardware and software security capabilities, to determine reasonable and appropriate audit controls for information systems that contain or use EPHI.
To make sure that all users are complying with security policy, it is helpful to regularly monitor the most active clients, and clients that are blocked from actions that contravene security policy.
Branch Office VPNs can be used to encrypt traffic between different locations. Mobile VPNs can be used to make sure that remote employees are securely connected to the office or to a healthcare location. The configuration of the Firebox should be reviewed on a regular basis to verify that VPNs are configured for all locations specified in the company security policy.
1. Mechanism To Authenticate Electronic Protected Health Information (A) — § 164.312(c)(2)
“Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.” In general, authentication makes sure that people are who they claim to be before they are allowed access to EPHI.
1. Integrity Controls (A) — § 164.312(e)(2)(i)
Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must: “Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”
2. Encryption (A) — § 164.312(e)(2)(ii)
Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must: “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”
In addition to the use of VPNs to secure connections between locations, organizations that must comply with HIPAA rules should consider the SMTP TLS feature which can be used to make sure that email sent between two email servers that support TLS is encrypted.
Covered entities must: “Implement policies and procedures to address security incidents.”
You can configure Fireware XTM to send notifications and alarms in response to security events that occur on your network.
The Response and Reporting implementation specification states that covered entities must: “Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.”
WatchGuard reports include several predefined reports that provide information to help you make sure that your network is compliant with HIPAA standards. These reports are included in the Compliance Reports group.
| Standard | Related Report | Report Description |
|---|---|---|
| Unique User Identification (R) — § 164.312(a)(2)(i) | Denied User Authentication Report | Detailed list of users denied authentication Includes date, time, and reason for authentication failure |
| User Authentication Report | Detailed list of users authenticated Includes login time, logout time, and connection method information | |
| Standard § 164.312(b) — Audit Controls | Audit Trail | Detailed list of audited configuration changes for a Firebox |
| Mechanism To Authenticate Electronic Protected Health Information (A) — § 164.312(c)(2) | Denied User Authentication Report | Detailed list of users denied authentication
Includes date, time, and reason for authentication failure |
| Security Incident Procedures — § 164.308(a)(6) Response And Reporting (R) — § 164.308(a)(6)(ii) |
Alarms | All alarm records |
| Alarm Summary | Summary report of all alarms | |
| Intrusion Prevention Service Summary | All intrusion prevention actions | |
| Gateway AntiVirus Summary | Gateway AntiVirus action summary |
View HIPAA Compliance Reports in Dimension
You can view PCI compliance reports from WatchGuard Dimension, or schedule the reports to be exported in a PDF file. For more information, see View Reports and Schedule Reports
Generate HIPAA Compliance Reports from Report Manager
To monitor your network and verify that it is HIPAA compliant, you can generate the related reports for each requirement.
- From the WSM Report Server, create a report schedule that includes the required Compliance Reports.
For detailed steps, see Configure Report Generation Settings. - Connect to WatchGuard WebCenter to View Compliance Reports in Report Manager.