Meeting HIPAA Requirements with Role-Based Access Control

The need to control costs, while delivering optimal care for patients, provides health care organizations (HCOs) with a tremendous incentive to place more of their clinical applications and health care information on-line. By Web-enabling applications such as electronic patient records (EPR) and computer physician order entry (CPOE), hospitals can provide anytime-anywhere access to clinicians, thereby increasing efficiency and improving patient care. Meanwhile, health plans and insurance companies are developing portals for care management and claims processing, which reduces costs and enables them to be more responsive to their members.

Yet this online transition presents significant security risks for HCOs, who need to implement access control as part of these initiatives to ensure that the right people get the right information at the right time. Under the U.S. Federal Health Insurance Portability and Accountability Act (HIPAA), HCOs are required to protect information from unauthorized users. Specifically, these HIPAA regulations require that HCOs determine and manage which users have access to what information, based on a user's function within an organization. As a result, many organizations have implemented role-based access control (RBAC) to meet these standards.

The deadline to achieve compliance under the HIPAA Privacy Rule was April 14, 2003, so many HCOs are already deploying RBAC systems as part of their compliance strategy. The HIPAA Security Standard was published as a final rule in the Federal Register on Feb. 20, 2003, with a compliance deadline of April 21, 2005. Although the deadline to comply is almost two years away, it still has an immediate impact on an organization's compliance efforts.

Privacy defines what information is to be protected, while Security defines how to safeguard that information in electronic form. The rules are inextricably linked: "It should be noted that the implementation of reasonable and appropriate security measures also supports compliance with the privacy standards, just as the lack of adequate security can increase the risk of violation of the privacy standards."

As most HCOs realize, compliance is an ongoing effort. Organizations will continually enhance their security measures as they work toward better levels of compliance. "It is important to recognize that security is not a one-time project, but rather an on-going, dynamic process." The Security Rule expects an HCO to reevaluate and upgrade its security safeguards as the organization's information systems and environment change and as new security technologies become available.

Why RBAC?

The need for RBAC stems from the HIPAA Privacy Rule's minimum necessary provisions. These standards state that HCOs must only disclose the minimum necessary information required to accomplish an intended purpose.

"When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."

The minimum necessary standards then require that access to health information must be based on job function. An HCO must determine who requires access to health information to do their job, and exactly what kind of information they need.

"A covered entity must identify: (a) Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and (b) For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access."

The bottom line is that HIPAA Privacy requires covered entities to give workers access to only the minimum necessary information needed to perform their work, given their particular role in the organization, and the most effective way to do this is role-based access control. HCOs are expected to develop policies and procedures and implement security measures that comply with the minimum necessary standards.

It should be noted that several types of disclosures are exempt from the minimum necessary provisions, including disclosures for treatment purposes, as well as those made to the individual, those made to the Department of Health and Human Services, and those required by law.

However, "uses of protected health information for treatment are not exempt from the minimum necessary standard." The Privacy Rule leaves it up to the covered entity how to appropriately and reasonably limit access to health information within the covered entity: "...the covered entity may develop role-based access policies that allow its healthcare providers and other employees, as appropriate, access to patient information, including entire medical records, for treatment purposes."

With the HIPAA Security Rule, the Technical Security Safeguards have a general requirement for access control and it is up to the covered entities to determine the best way to meet this standard. Generally, access control takes business rules and security profiles into consideration to establish and enforce policy around which users are granted the privilege to access appropriate resources.

For Web environments, several levels of access management are possible:

  • Coarse-grained, which limits access at the URL level to protect individual servers and their contents;
  • Medium-grained, which provides conditional access to directories and files based on access control lists; and,
  • Fine-grained, which controls what users can see and do once they have access to online applications.

Most health care organizations (HCOs) need to implement fine-grained authorization, since their users must be granted specific access privileges that define the actions they may perform. For a health plan, an affiliated physician may need to submit claims, while a claims specialist may need to approve claims. In a hospital, an X-ray technician may need to upload images to a web site, while a physician may need to view, annotate or sign the image files. In meeting the HIPAA Security standard for access control, many HCOs are combining rule- and policy-based access control with role-based access control, which provides efficiency and helps meet the HIPAA Privacy requirements.

Implementing RBAC in Health Care

Role-based access control is a system whereby rights and permissions are granted to roles rather than to individual users. Once an organization establishes roles, users acquire the necessary rights and access permissions by being assigned to an appropriate role. By grouping individuals with others having similar access rights, RBAC can streamline security management.

To implement RBAC technology, HCOs begin by defining the organization's user roles, which, for a hospital, may include physician, nurse, billing clerk, lab technician or patient. For a health plan, the user roles may include claims specialist, case manager, provider services coordinator, broker or member. Each role is a class of users that requires similar access rights.

RBAC systems should support as many instances as necessary for each given role, whether thousands of nurses (in a large delivery system) or hundreds of brokers (at a health plan). These systems should also support role sub-classes, such as an intern role within the general physician role.

Another important requirement is inheritance. Inheritance allows HCOs to change privileges for a specific role and, at the same time, for all associated subordinate roles. For example, when a change is made to the physician's access rights, all sub-classes, such as intern, would correspondingly be changed.

HCOs should also implement a method to handle exceptions and exclusions to the roles established within their RBAC system, for cases where a particular user's work scenario differs from the general model set up for his or her role. For example, an individual may be assigned to the intern role but only have privileges to surgery information for a single hospital ward. An employee in a health plan may be designated a "claims specialist" and only need to work with claims from a certain geographic region.

Access permissions should not only allow or deny access to a particular resource or application, but should also delineate all possible activities that may be required for that role once it has access (viewing, creating, editing, signing, releasing, amending, copying and archiving a file). Another important capability is generating queries to view and edit the permissions granted to roles. For example, the designated security administrators should be able to perform queries such as "Show all groups authorized to view this document."

An essential part of RBAC is generating logs and reports for auditing purposes. An HCO must be able to monitor a user's activities and track accesses to particular files. Auditing is necessary to support compliance with the HIPAA Privacy and Security Rules and ensures good security practices in general.
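The requirements in this section (role sub-classes with inheritance, per-user exceptions, operation-level permissions, administrator queries and an audit log) fit in one small model. The following Python is an added illustration, not code from the article or from any product it mentions; the role names, resources and users are constructed sample data.

```python
from collections import defaultdict

class RBAC:
    def __init__(self):
        self.parent = {}                      # role -> parent role it inherits from
        self.grants = defaultdict(set)        # role -> {(resource, action)}
        self.user_roles = defaultdict(set)    # user -> {role}
        self.exclusions = defaultdict(set)    # user -> {(resource, action)} carved out
        self.audit = []                       # (user, resource, action, decision)
    def add_role(self, role, parent=None):
        self.parent[role] = parent
    def grant(self, role, resource, action):
        self.grants[role].add((resource, action))
    def assign(self, user, role):
        self.user_roles[user].add(role)
    def exclude(self, user, resource, action):
        self.exclusions[user].add((resource, action))
    def lineage(self, role):  # the role plus every role it inherits from
        chain = []
        while role is not None:
            chain.append(role)
            role = self.parent.get(role)
        return chain
    def role_permissions(self, role):
        return set().union(*(self.grants[r] for r in self.lineage(role)))
    def permissions(self, user):
        perms = set().union(*(self.role_permissions(r) for r in self.user_roles[user]))
        return perms - self.exclusions[user]  # per-user exception narrows the role
    def check(self, user, resource, action):  # every decision lands in the audit log
        allowed = (resource, action) in self.permissions(user)
        self.audit.append((user, resource, action, "ALLOW" if allowed else "DENY"))
        return allowed
    def roles_allowed(self, resource, action):
        # administrator query: "show all roles authorized to <action> this resource"
        return sorted(r for r in self.parent if (resource, action) in self.role_permissions(r))

def build_hospital():
    rbac = RBAC()
    rbac.add_role("physician")
    rbac.add_role("intern", parent="physician")   # intern is a sub-class of physician
    rbac.add_role("xray_tech")
    for action in ("view", "annotate", "sign"):
        rbac.grant("physician", "xray_images", action)
    rbac.grant("xray_tech", "xray_images", "upload")
    rbac.assign("dr_lee", "physician")
    rbac.assign("dr_kim", "intern")
    rbac.exclude("dr_kim", "xray_images", "sign")  # exception: this intern may not sign
    rbac.assign("tech_01", "xray_tech")
    return rbac
```

Granting a new permission to "physician" after setup is enough for every intern to receive it, which is the inheritance behaviour the section describes; the exclusion on one intern survives that change.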

Project Planning

While every organization's project will be different, there are a number of factors to consider when planning a role-based access control project in health care.

Determining the number of roles is an important factor and will depend on business need: the more roles there are, the harder the system will be to maintain, but too few roles will not be secure. For the role inventory, the HCO's information technology (IT) department will need to work with various operational and administrative departments, including human resources (HR). Careful upfront planning can help HCOs deal with the many challenges involved in getting roles properly defined and maintained. Information sharing will be key.

The first step in defining roles might be surveying management and staff to determine what resources and data they need to access to do their jobs. From this information, positions within the organizational structure can be categorized into classes of users who have similar access needs. Then each role can be matched to a collection of resources: systems, programs, applications, files and data fields.

There is added complexity within most HCOs, since people can be assigned to multiple roles and there are permanent roles, such as surgeon, and temporary roles, such as consulting physician. Once roles are defined and implemented, HCOs should develop and implement a defined, regular role review and update process.

Another part of the planning process is for HCOs to do a complete data inventory of all active applications. Data may be classified into various types (clinical, administrative) and according to sensitivity (records pertaining to HIV, abortion and mental health might have stricter access requirements than other patient records).

Planning also should include identifying all of the business and technology resources required and any possible resource constraints. For example, IT must be available to do the development and production work, and the HR department should be on hand to do information collection and processing.

Finally, the project plan should build in a periodic audit and maintenance schedule once RBAC is implemented. This is a critical success factor for ensuring that access is being controlled according to the organization's policies as roles, users, applications, files and policies change, and for ensuring compliance with HIPAA and other regulations.

Web Access Management for RBAC

Within Web environments, a Web access management solution can provide the technical infrastructure to implement RBAC. Solutions like RSA ClearTrust software help HCOs and other organizations secure user access to Web applications within intranets, extranets, portals and exchange infrastructures, and protect Web servers, directories, applications or specific files. The software also provides fine-grained control over what users can access and which actions they can perform.

Blue Cross Blue Shield (BCBS) of Kansas, an independent member of the BCBS Association with 700,000 members and 2,000 employees, is an example of a health plan that recently implemented a web access management solution in order to achieve many objectives and meet HIPAA requirements. BCBS wanted to ensure that only authorized users could access confidential health information, enable single sign-on to multiple Web-based applications, save time on security administration, and provide different users with different views through role-based access control. Their user population includes employees, members, brokers and providers. As part of their solution, they also implemented graded authentication: some users (remote employees, remote-hospital nurses and in-house IT administrators) use two-factor authentication, while BCBS members use passwords.

RBAC is an efficient way of giving authorized users access to information while preventing disclosures to unauthorized users. A web access management solution can help HCOs meet HIPAA Privacy and Security requirements, mitigate numerous kinds of security risks, and lower administrative costs.

This article originally appeared in the July 2003 issue of HME Business.
