HIPAA COMPLIANCE

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT

WHAT IS HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to, among other things, develop regulations that protect the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes standards for privacy controls involving health information, dubbed protected health information (PHI). The Security Rule establishes standards for security controls involving electronic PHI that directly impacts database security in the enterprise. Furthermore, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 contains specific incentives designed to accelerate the adoption of electronic health record systems among providers as well as more enhanced controls around the original HIPAA Security Rule including new breach notification and enforcement requirements.

Omnibus Rule

In 2013, a new set of HIPAA-related requirements called the Omnibus Rule was enacted to further strengthen the HIPAA and HITECH controls. The biggest changes brought about by the Omnibus Rule related to information privacy and security were a requirement that all business associates and their subcontractors must now follow the HIPAA and HITECH requirements as a traditional “covered entity” would. The Omnibus Rule also brought about an increase in civil penalties related to non-compliance.

HIPAA COMPLIANCE CHECKLIST

In order to define the proper HIPAA requirements baselines, audit database object/data changes, and report the appropriate database privacy and security-related findings to auditors and regulators, you must be able answer the following questions:

Who has access to my electronic PHI, and how do I audit the activity?
How do I define a secure baseline and maintain it across my SQL Server environment?
How can I implement repeatable processes to help maintain the security standards?
How do I audit permissions, logins, and object and data changes on my SQL Server?
What is the best way for me to ensure not only ongoing compliance with the HIPAA, HITECH, and Omnibus Rule regulations but also help maintain reasonable security across my SQL Server databases?

Addressing HIPAA regulations with

SQL SECURE

A key course of action to comply with HIPAA is developing, maintaining and enforcing internal controls and procedures for your IT environment. IDERA SQL Secure is a necessary tool for establishing the right controls to meet those regulations. SQL Secure is a security analysis and management solution that helps IT and security administrators and managers identify Microsoft SQL Server security access violations and ensures that security policies are enforced. You can find out who has access to what and identify each user’s effective rights across all SQL Server objects. Furthermore, you can also alert on violations of your corporate policies, and secure your environment (internally and externally) from the most common methods of intrusion.

SQL Secure helps IT organizations address the requirements of the HIPAA security standards where they apply to SQL Server. SQL Secure helps you to define your SQL Server baselines by providing a customizable IDERA-defined template (HIPAA Guidelines for SQL Server), which provide a “realistic” guideline for establishing the appropriate security checks for your environment. In addition, it can also extract your permissions and settings from any point in time and identify any changes or vulnerabilities that may exist. This gives you the power to proactively address these exceptions before reports are delivered to your auditors.

Addressing HIPAA regulations with

SQL COMPLIANCE MANAGER

SQL Compliance Manager is a comprehensive Microsoft SQL Server auditing solution that uses policy-based algorithms to track changes to your SQL Server objects and data. SQL Compliance Manager provides continuous auditing of all SQL Server activity by identifying who did what, when, how and whether the event is initiated by privileged users or hackers. SQL Compliance Manager goes beyond traditional auditing approaches by providing custom real-time monitoring and auditing of all data access, updates, schema modifications and permission changes. Audited data is collected and securely stored for forensic analysis and reporting. It also provides tamper-proof data security features as well as methods for watching events without exposing account information. Additionally, SQL Compliance Manager provides a robust alerting engine that contains counters and trend graphs to identify activity level deviations often associated with suspect activities. Such visibility into your SQL Server database environment helps ensure ongoing compliance with the existing HIPAA-related security standards and scale to meet security best practices moving forward.

IDERA understands that IT doesn’t run on the network – it runs on the data and databases that power your business. That’s why we design our products with the database as the nucleus of your IT universe. Our database lifecycle management solutions allow database and IT professionals to design, monitor and manage data systems with complete confidence, whether in the cloud or on-premises. We offer a diverse portfolio of free tools and educational resources to help you do more with less while giving you the knowledge to deliver even more than you did yesterday. Whatever your need, IDERA has a solution.

Join our email list and receive the latest case studies, event updates, product news, and much more.




