HIPAA Security Overview

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has two parts. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title II has five rules: the Privacy Rule (45 CFR 164.501, 164.508, 164.512(i)), the Security Rule (45 CFR Part 160 and Part 164, Subparts A and C), the Transactions and Code Sets Rule, the Unique Identifiers Rule, and the Enforcement Rule.

This publication provides information and comments on legal issues and developments of interest to our customers. The material is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed in this publication. Any statements herein are qualified in their entirety by reference to the full text of such laws. Compliance with applicable laws remains your sole responsibility. Commvault products, when used in conjunction with a comprehensive compliance plan, have a robust set of features, including encryption, access controls, data integrity controls and other security features that can help satisfy required HIPAA, and other, regulations.

For complete information about HIPAA privacy rules, go to The HIPAA Privacy Rule.

Privacy Rule

The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities" (health care clearinghouses, employer sponsored health plans, health insurers, medical service providers), and independent contractors that perform functions of covered entities (defined as "business associates").

Security Rule

The Security Rule deals specifically with Electronic Protected Health Information (ePHI) by setting security standards that are divided into the categories of Administrative, Physical, and Technical Safeguards.

  1. Administrative Safeguards (45 CFR Section 164.308)

    Policies and procedures that show how covered entities (entities that must comply with HIPAA requirements) comply with HIPAA by maintaining security measures to protect electronic information and by managing the conduct of the covered entity’s employees.

    • Create written privacy procedures and designate a privacy officer to develop and implement them.

    • Procedures must reference management oversight and compliance with documented security controls. (Security management process, Section 164.308(a)(1))

    • Employees or classes of employees must be identified who have access to electronic protected health information (ePHI). Access must be restricted to only employees who need it to complete their job function. (Workforce security, Section 164.308(a)(3))

    • The procedures must address access authorization, establishment, modification, and termination. (Information access management, Section 164.308(a)(4))

    • Entities must provide an ongoing training program regarding the handling of PHI.

    • Third party vendors must comply with HIPAA requirements, typically through contracts stating the vendor will meet the same data protection requirements that apply to the covered entity.

    • An emergency contingency plan covering backing up data and disaster recovery, data priority and failure analysis, testing activities, and change control. (Contingency plan, Section 164.308(a)(7))

    • Internal audits should review information systems to identify security violations. Document the scope, frequency, and procedures of audits. Audits should be both routine and event-based. (Information system activity review, Section 164.308(a)(1)(ii)(D))

    • Document how to respond to security breaches identified during the audit or the normal course of operations.

  2. Physical Safeguards (45 CFR Section 164.310)

    Controlling physical access to protect against inappropriate access to protected data.

    • Control the introduction, removal and retirement of hardware and software from the network. (Device and media controls, Section 164.310(d)(1))

    • Access to equipment containing health information should be carefully controlled and monitored. (Facility security plan, Section 164.310(a)(2))

    • Access to hardware and software must be limited to properly authorized individuals. (Access control and validation procedures, Section 164.310(a)(2))

    • Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts.

    • Policies for proper workstation use include removing them from high traffic areas and from direct public view.

    • If the covered entities utilize contractors, they must be trained on their physical access responsibilities.

  3. Technical Safeguards (45 CFR Section 164.312)

    Controlling access to computer systems and protecting communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.

    • Information systems housing PHI must be protected from intrusion. When PHI flows over open networks, encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional. (Encryption and Decryption, Section 164.312(a)(2)(iv))

      You can encrypt the data that is moved over a network by Commvault (at the client level) and across copies of the data that Commvault creates.

      Best practice: Review the guidance that the US Department of Health and Human Services provides to determine the encryption technologies that are acceptable. For more information, see Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.

      For information about how to configure encryption for a client, see Configuring Data Encryption on a Client.

      For information about how to configure encryption for a storage policy copy, see Configuring Data Encryption on a Storage Policy Copy.

    • PHI data must not be changed or erased without authorization. (Integrity, Section 164.312(c)(1))

      The Commvault solution uses role-based security that you can use to restrict users from performing restore or erase operations. For more information, see User Administration and Security Overview.

    • Data corroboration, including the use of checksum, double-keying, message authentication, and digital signature, may be used to ensure data integrity. (Mechanism to authenticate Electronic Protected Health Information (ePHI), Section 164.312(c)(2))

      The Commvault software uses CRC checksums to validate data during network transmission and when writing the data to media.

      For information about how to enable the CRC validation, see Cyclic Redundancy Check (CRC) Validation.
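      The following is an added example, not Commvault code and not part of the original page, that contrasts two of the corroboration mechanisms named above: an unkeyed CRC checksum (which detects accidental corruption such as a transmission error) and a keyed message authentication code (HMAC, which also detects deliberate modification because a party without the key cannot produce a valid tag). The sample record and the integrity key are constructed placeholders.

```python
import hashlib
import hmac
import zlib

# Constructed sample record standing in for an ePHI payload (placeholder, not real data).
SAMPLE_RECORD = b"patient_id=000000;result=negative;date=2024-01-01"
# Constructed demo key; a real deployment takes this from a key-management system.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def crc32_tag(data: bytes) -> int:
    """Unkeyed checksum: detects accidental corruption (bit flips, truncation)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def crc32_verify(data: bytes, tag: int) -> bool:
    return crc32_tag(data) == tag


def hmac_tag(data: bytes, key: bytes) -> bytes:
    """Keyed message authentication code: detects accidental and deliberate change."""
    return hmac.new(key, data, hashlib.sha256).digest()


def hmac_verify(data: bytes, key: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the verifier itself does not leak the tag.
    return hmac.compare_digest(hmac_tag(data, key), tag)


def accidental_corruption(data: bytes) -> bytes:
    """Flip one bit in the first byte to simulate a transmission or media error."""
    corrupted = bytearray(data)
    corrupted[0] ^= 0x01
    return bytes(corrupted)


def compare_mechanisms() -> dict:
    """Run both scenarios and report whether each mechanism detected the change."""
    crc = crc32_tag(SAMPLE_RECORD)
    mac = hmac_tag(SAMPLE_RECORD, INTEGRITY_KEY)

    # Scenario 1: accidental corruption; stored tags are unchanged.
    corrupted = accidental_corruption(SAMPLE_RECORD)

    # Scenario 2: a deliberate edit where the editor recomputes the CRC.
    # Recomputing needs no secret, so the CRC still matches; the HMAC cannot be
    # recomputed without INTEGRITY_KEY, so the original MAC no longer matches.
    tampered = SAMPLE_RECORD.replace(b"negative", b"positive")
    tampered_crc = crc32_tag(tampered)

    return {
        "accidental_crc_detects": not crc32_verify(corrupted, crc),
        "accidental_hmac_detects": not hmac_verify(corrupted, INTEGRITY_KEY, mac),
        "tamper_crc_detects": not crc32_verify(tampered, tampered_crc),
        "tamper_hmac_detects": not hmac_verify(tampered, INTEGRITY_KEY, mac),
    }


if __name__ == "__main__":
    for name, detected in compare_mechanisms().items():
        print(f"{name}: {detected}")
```

      The practical reading for an ePHI integrity control is that a CRC is a good fit for the error-detection role described above (network transmission, media writes), while evidence that stored or transmitted data was not altered by anyone must rest on a keyed mechanism (HMAC or a digital signature) whose key the writer controls.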

    • Covered entities must also authenticate entities with which they communicate. Authentication consists of corroborating that an entity is who it claims to be through passwords, handshakes, telephone/text callback, or token systems. (Person or entity authentication, Section 164.312(d))

      The Commvault solution provides the following authentication methods:

    • Document risk analysis and risk management. Consider operational risk as systems are implemented. Covered entities must take reasonable precautions to protect PHI from improper use or disclosure.

    • Automatic logoff. Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. (Automatic logoff, Section 164.312(a)(2)(iii))
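      The following is an added example, not Commvault code and not part of the original page, showing the automatic-logoff requirement as a small session store: every request refreshes the session's last-activity time, a request after the idle limit terminates the session instead of serving it, and a periodic sweep terminates idle sessions that never sent another request. The 15-minute limit, the user names and the injectable clock are constructed assumptions; the Security Rule sets no particular number.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed policy value: HIPAA requires a predetermined inactivity period
# but does not prescribe its length.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    last_activity: float


class SessionStore:
    """Tracks sessions and enforces an inactivity timeout (automatic logoff)."""

    def __init__(
        self,
        idle_timeout: float = IDLE_TIMEOUT_SECONDS,
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so the timeout is testable without waiting
        self._sessions: Dict[str, Session] = {}
        # Minimal audit trail: (event, user, reason) tuples for the activity review.
        self.audit_log: List[Tuple[str, str, str]] = []

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = Session(user, self._clock())
        self.audit_log.append(("login", user, "credentials_accepted"))
        return token

    def touch(self, token: str) -> Optional[str]:
        """Validate a request. Returns the user, or None if the session is absent or idle-expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_activity > self._idle_timeout:
            self._terminate(token, "idle_timeout")
            return None
        session.last_activity = now
        return session.user

    def logoff(self, token: str) -> None:
        if token in self._sessions:
            self._terminate(token, "user_logoff")

    def sweep(self) -> int:
        """Terminate every idle session; return how many were closed. Run this periodically."""
        now = self._clock()
        expired = [
            t for t, s in self._sessions.items() if now - s.last_activity > self._idle_timeout
        ]
        for token in expired:
            self._terminate(token, "idle_timeout")
        return len(expired)

    def active_count(self) -> int:
        return len(self._sessions)

    def _terminate(self, token: str, reason: str) -> None:
        session = self._sessions.pop(token)
        self.audit_log.append(("logoff", session.user, reason))


class FakeClock:
    """Constructed clock so the example can advance time deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    clock = FakeClock()
    store = SessionStore(idle_timeout=IDLE_TIMEOUT_SECONDS, clock=clock)
    alice = store.login("alice")  # constructed user
    bob = store.login("bob")      # constructed user

    clock.now += 10 * 60
    within_limit = store.touch(alice)       # 10 min idle: still valid, timer refreshed

    clock.now += 10 * 60
    alice_still_valid = store.touch(alice)  # 10 min since refresh: valid
    bob_after_limit = store.touch(bob)      # 20 min since login: terminated

    clock.now += 16 * 60
    swept = store.sweep()                   # alice idle 16 min: closed by the sweep

    return {
        "within_limit": within_limit,
        "alice_still_valid": alice_still_valid,
        "bob_after_limit": bob_after_limit,
        "swept": swept,
        "active": store.active_count(),
        "audit_log": store.audit_log,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

      Two details matter for the control to hold up in an audit: the timeout is evaluated on every request (so an expired session is refused rather than silently extended), and the sweep closes sessions that simply went quiet, which is the case the requirement is actually about.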