frank-luongt/plugins/faos-ciso/skills/hipaa-security-rule

<!-- AUTO-GENERATED by export-plugins.py — DO NOT EDIT -->

---

name: hipaa-security-rule description: HIPAA Security Rule safeguard requirements for protecting electronic protected health information (ePHI) across administrative, physical, and technical controls tags: [compliance, security]

HIPAA Security Rule Safeguards

Overview

The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) establishes national standards for protecting electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of ePHI.

The rule organizes requirements into three safeguard categories, each containing standards with implementation specifications. Specifications are classified as either Required (R) -- must be implemented exactly as described -- or Addressable (A) -- the entity must assess whether the specification is reasonable and appropriate, and if not, document why and implement an equivalent alternative.

When to Use This Skill

• Designing healthcare SaaS applications that handle ePHI.
• Performing a HIPAA Security Rule risk assessment.
• Mapping technical controls to HIPAA requirements during compliance audits.
• Reviewing cloud infrastructure configurations for HIPAA compliance.
• Building audit logging systems for healthcare data access.
• Evaluating business associate agreements (BAAs) for security requirements.

How It Works

Step 1: Identify ePHI

Inventory all electronic protected health information your organization creates, receives, maintains, or transmits. Map data flows to understand where ePHI resides at rest, in transit, and in use. Document every system, application, and endpoint that touches ePHI.

Step 2: Conduct Risk Assessment

Perform a comprehensive risk assessment as required by 164.308(a)(1)(ii)(A). Identify threats and vulnerabilities to ePHI for each system. Evaluate the likelihood and impact of each threat. Assign risk levels and document findings in a risk register.

Step 3: Map Safeguards to Standards

Align each identified risk to the applicable HIPAA safeguard category and standard:

Administrative Safeguards (164.308):

| Standard | Key Specifications | Type | |----------|-------------------|------| | Security Management Process | Risk analysis, risk management, sanction policy, information system activity review | R, R, R, R | | Assigned Security Responsibility | Designate a security official | R | | Workforce Security | Authorization/supervision, workforce clearance, termination procedures | A, A, A | | Information Access Management | Access authorization, access establishment and modification | A, A | | Security Awareness and Training | Security reminders, malicious software protection, log-in monitoring, password management | A, A, A, A | | Security Incident Procedures | Response and reporting | R | | Contingency Plan | Data backup plan, disaster recovery, emergency mode operations, testing, criticality analysis | R, R, R, A, A | | Evaluation | Periodic technical and non-technical evaluation | R | | BAA Contracts | Written contracts with business associates | R |

Physical Safeguards (164.310):

| Standard | Key Specifications | Type | |----------|-------------------|------| | Facility Access Controls | Contingency operations, facility security plan, access control and validation, maintenance records | A, A, A, A | | Workstation Use | Policies for workstation functions and environment | R | | Workstation Security | Physical safeguards restricting access to workstations | R | | Device and Media Controls | Disposal, media re-use, accountability, data backup and storage | R, R, A, A |

Technical Safeguards (164.312):

| Standard | Key Specifications | Type | |----------|-------------------|------| | Access Control | Unique user identification, emergency access procedure, automatic logoff, encryption and decryption | R, R, A, A | | Audit Controls | Hardware, software, and procedural mechanisms to record and examine ePHI access | R | | Integrity | Mechanism to authenticate ePHI, protect from improper alteration or destruction | A | | Person or Entity Authentication | Verify identity of persons seeking access to ePHI | R | | Transmission Security | Integrity controls, encryption | A, A |

Step 4: Implement Controls

Deploy technical and organizational controls that satisfy each standard. For Addressable specifications, document your assessment: if the specification is reasonable and appropriate, implement it; if not, document the rationale and implement an equivalent alternative measure.

Step 5: Document Policies and Retain Records

Create written policies and procedures for each safeguard. HIPAA requires documentation to be retained for six years from the date of creation or the date it was last in effect, whichever is later. Maintain evidence of training, risk assessments, incident responses, and policy reviews.

Examples

Example 1: Access Control Implementation for Healthcare SaaS

A healthcare SaaS platform managing patient records implements HIPAA Technical Safeguard 164.312(a):

# Access control architecture for ePHI-handling application
access_control:
  unique_user_identification:  # 164.312(a)(2)(i) - Required
    - enforce_individual_accounts: true
    - prohibit_shared_credentials: true
    - user_provisioning: "HR-triggered via SCIM"
    - deprovisioning_sla: "24 hours after termination"

  emergency_access_procedure:  # 164.312(a)(2)(ii) - Required
    - break_glass_accounts: 2
    - break_glass_mfa: "hardware token only"
    - break_glass_audit: "real-time alert to security team"
    - review_frequency: "every use, within 24 hours"

  automatic_logoff:  # 164.312(a)(2)(iii) - Addressable
    - session_timeout: "15 minutes idle"
    - reauthentication: "required after timeout"
    - sensitive_screens: "5 minutes idle"

  encryption_and_decryption:  # 164.312(a)(2)(iv) - Addressable
    - at_rest: "AES-256 via cloud KMS"
    - key_rotation: "annual, automated"
    - database_encryption: "TDE enabled"

  rbac_model:
    roles:
      - physician: "read/write own patients"
      - nurse: "read/write assigned unit"
      - admin: "user management, no clinical data"
      - billing: "read demographics and codes only"
    enforcement: "application-layer + database row-level security"

Example 2: Audit Log Requirements for ePHI Access

Implementing Audit Controls per 164.312(b) to record and examine activity in systems containing ePHI:

# Audit log schema for HIPAA-compliant ePHI access logging
AUDIT_LOG_FIELDS = {
    "event_id": "UUID - unique identifier for the event",
    "timestamp": "ISO 8601 with timezone - when the event occurred",
    "user_id": "Unique user identifier who performed the action",
    "user_role": "Role at time of access (physician, nurse, admin)",
    "patient_id": "Identifier of the patient whose ePHI was accessed",
    "action": "CREATE | READ | UPDATE | DELETE | EXPORT | PRINT",
    "resource_type": "medical_record | lab_result | prescription | image",
    "resource_id": "Identifier of the specific resource accessed",
    "access_reason": "treatment | payment | operations | emergency",
    "source_ip": "IP address of the requesting system",
    "user_agent": "Application or browser identifier",
    "outcome": "success | failure | error",
    "data_fields_accessed": "List of specific ePHI fields viewed or modified",
}

# Audit log retention and protection requirements
AUDIT_REQUIREMENTS = {
    "retention_period": "6 years minimum (HIPAA documentation requirement)",
    "immutability": "write-once storage, no modification or deletion",
    "encryption": "AES-256 at rest, TLS 1.2+ in transit",
    "access_to_logs": "security team only, separate from clinical access",
    "review_frequency": "daily automated anomaly detection, weekly manual review",
    "alerting": "real-time alerts for: bulk access, after-hours access, "
                "break-glass use, access to VIP patients, export operations",
}

Best Practices

Do This

• Perform a risk assessment annually and after any significant change to systems or operations.
• Encrypt ePHI both at rest and in transit, even where the specification is Addressable.
• Implement unique user IDs and prohibit shared accounts for any system touching ePHI.
• Log all access to ePHI with sufficient detail to answer who, what, when, where, and why.
• Include workforce training as part of onboarding and conduct annual refresher training.
• Test your contingency plan (backup and disaster recovery) at least annually.
• Document every Addressable specification decision, including alternatives chosen.

Don't Do This

• Do not treat Addressable specifications as optional -- you must assess, document, and act.
• Do not rely solely on network perimeter security; defense in depth is expected.
• Do not store ePHI in unencrypted email, spreadsheets, or personal devices without controls.
• Do not grant broad access permissions; enforce minimum necessary access for each role.
• Do not allow audit logs to be modifiable by the systems or users they monitor.
• Do not assume cloud provider BAAs cover all your responsibilities -- the shared responsibility model applies.

Security Checklist

Administrative Safeguards:

• [ ] Security official designated and documented
• [ ] Risk assessment completed and risk register maintained
• [ ] Workforce security procedures (authorization, clearance, termination) in place
• [ ] Security awareness training program active with documented completion
• [ ] Incident response procedures documented and tested
• [ ] Contingency plan (backup, DR, emergency mode) documented and tested
• [ ] Business associate agreements executed with all applicable vendors
• [ ] Periodic evaluation schedule established

Physical Safeguards:

• [ ] Facility access controls implemented and documented
• [ ] Workstation use policies defined and enforced
• [ ] Workstation physical security measures in place
• [ ] Device and media disposal procedures documented and followed

Technical Safeguards:

• [ ] Unique user identification enforced across all ePHI systems
• [ ] Emergency access (break-glass) procedure documented and tested
• [ ] Automatic session logoff configured for ePHI-accessing applications
• [ ] Encryption implemented for ePHI at rest and in transit
• [ ] Audit logging enabled with tamper-proof storage and regular review
• [ ] ePHI integrity controls (checksums, digital signatures) in place
• [ ] Person/entity authentication (MFA) required for ePHI access
• [ ] Transmission security (TLS 1.2+) enforced for all ePHI in transit

Related Skills

• @compliance-crosswalk -- Map HIPAA controls to NIST, SOC 2, and ISO 27001 equivalents
• @nist-csf -- Align HIPAA safeguards with NIST CSF 2.0 functions and categories
• @ir-playbook-templates -- Build HIPAA-compliant breach notification and incident response playbooks
• @soc2-controls -- Cross-reference HIPAA administrative safeguards with SOC 2 Trust Services Criteria
• @gdpr-reference -- Compare HIPAA and GDPR requirements for organizations handling both US health data and EU personal data

Additional Resources

• HHS HIPAA Security Rule text: 45 CFR 164.302-318
• HHS Security Rule guidance: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
• NIST SP 800-66r2: Implementing the HIPAA Security Rule
• HHS Breach Notification Rule: 45 CFR 164.400-414
• OCR enforcement actions and resolution agreements: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement

<!-- Source: .faos/custom/skills/security/hipaa-security-rule/SKILL.md -->