Business Objects - HIPAA Security Rule, HIPAA Privacy Rule

Do the HIPAA Privacy Rule, and by extension, the HIPAA Security Rule, apply to your Business Objects deployment?

The U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an attempt to balance the needs of the system vs. the privacy of the individual. Improving the portability of individually identifiable health information encourages better integration of health services. Improving accountability protects the confidentiality of that shared information.

Business Objects automatically improves the portability of information, and its robust security is an efficient means of controlling access to that information, but there is more to the HIPAA Security Rule's definitions of accountability. Your Business Objects deployment must not only comply with accountability provisions; it must also have the audit controls to demonstrate that it complies.

HIPAA Privacy Rule - Application

According to the U.S. Department of Health & Human Services (HHS), the HIPAA Security and Privacy Rules apply to "health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form," and covers "all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form."

If you are such an organization, and such electronic information is created, received, maintained or transmitted via SAP Business Objects, then your Business Objects deployment is subject to the provisions of the act.

HIPAA Privacy, Security Rules - What Are They?

HHS's Summary of the HIPAA Security Rule lays out the basics:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule

…The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called "covered entities" must put in place to secure individuals' "electronic protected health information" (e-PHI).

Essentially, the HIPAA Privacy Rule lays out the business requirements, while the HIPAA Security Rule lays out the technical requirements. Together, they describe the target environment for healthcare information portability and accountability.

HIPAA Violations, Penalties, Enforcement

The Act also requires that your organization have a HIPAA security officer charged with the development and implementation of security policies and procedures (45 C.F.R. § 164.308(a)(2)). These policies and procedures are meant to prevent HIPAA violations, and to minimize HIPAA penalties. According to the American Medical Association (AMA), civil penalties for violations can be up to $50,000 per violation, to an annual maximum of $1.5 million. Criminal penalties (e.g., for violations committed with the intent to sell, transfer, or use information protected by the Act) can include a fine of up to $250,000, and imprisonment for up to 10 years.

HIPAA is at the forefront of online privacy regulation. The civil and criminal penalties for HIPAA violations can be substantial, but avoiding damage to the organization's reputation is at least as important. It is the role of the HIPAA security officer to manage risk and to preserve the reputation of the organization. Constant renewal of security measures, policies and procedures is not just expected. It is legislated:

Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment. (Summary 45 C.F.R. § 164.306(e))

Implementation of HIPAA has been complicated by the wide variations in organizational types and sizes, and by the fact that it is an evolving standard. As the HIPAA timeline progresses through 2013 and 2014, HIPAA compliance becomes both more complex and more critical.

HIPAA and Business Objects Audit

Your Business Objects security model controls who has access to the information in your system, but you also need audit controls to demonstrate who accessed what, and when.
Further, it is not enough to have policies and procedures in place to protect the confidentiality of individually identifiable information. The organization must also have audit controls that record activity in relation to such information:

A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
(45 C.F.R. § 164.312(b))

Note that it is not enough to record this information. You must also have procedures for examining it and acting on it.

HIPAA and Business Objects Archive, Backup, Selective Restore, DRP

How well developed is your Business Objects backup, archive, selective restore, and disaster recovery strategy? If your company is a "covered entity" under HIPAA, this strategy is critical.

The HIPAA Security Rule exists to protect the confidentiality of individually identifiable health information, but also to protect its integrity and its availability:

Under the Security Rule, "integrity" means that e-PHI is not altered or destroyed in an unauthorized manner. "Availability" means that e-PHI is accessible and usable on demand by an authorized person. (45 C.F.R. § 164.304)

As a healthcare consumer, you may:

  • Ask to see and get a copy of your health records
  • Have corrections added to your health information
  • Receive a notice that tells you how your health information may be used and shared
  • Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing
  • Get a report on when and why your health information was shared for certain purposes
  • If you believe your rights are being denied or your health information isn’t being protected, you can
    • File a complaint with your provider or health insurer
    • File a complaint with the U.S. Government

In the event of a request from a consumer, or from internal or government personnel investigating a request or complaint, you must be able to produce records quickly and efficiently.

APOS Solutions for HIPAA Compliance

APOS well managed BI solutions solve many of the administrative challenges you will encounter in your drive toward HIPAA compliance:

  • APOS Insight enhances your system auditing capabilities so you can analyze security settings and system usage. It gives you a complete picture of your security settings for analysis and comparison over time.
  • APOS IDAC lets you audit which patients are listed in every report. Coupled with Business Objects Audit capabilities, IDAC enables you to know who saw which patient records and when.
  • APOS Publisher is an advanced Business Objects publishing solution that lets you publish reports according to complex business rules, automating encryption to secure protected health information.
  • APOS Storage Center lets you archive reports for long term storage and export them to a data source independent format (such as PDF) to protect data integrity and access. Selective restore makes reports readily available for audit and authorized access. Reports can be stored outside the Business Objects system for added security, and improved system performance.
  • APOS Administrator lets you bulk manage and exert granular control Business Objects system, including security, reports, and instances. It automates many processes, liberating your resources for higher-ROI activities, and reducing human error.