6 Layers of Security to access ePHI and the HIPAA Security Rule

I once asked one of the virtual assistants in my team how many passwords she needed from a cold start to access patient information. She quickly said, “about 4”. “Six”, I said. Her immediate look of incredulity changed as she counted the logins with her fingers. Logging in came naturally for her, so she didn’t realize it was that many.

Yes, she needed to correctly get through six layers of logins from a cold start to access information to start work.

All these layers protect what the HIPAA security rule refers to as “ePHI” or electronic protected health information.   This refers to individually identifiable information (in electronic form) about a person’s health condition, actions to deal with this condition or payment for these actions.

The Security Rule is one of the five HIPAA (Health Information Portability and Accessibility Act) rules.  The others are the Privacy Rule, the Unique Identifiers Rule, the Transaction and Code Sets Rule and the Enforcement Rule.   The Security Rule is focused on protection of ePHI.

The layers listed here are based on one of our actual processes.

Our virtual assistant encounters the first layer when she first turns on the computer….

Layer 1 – After turning on her computer, a password is needed to decrypt the drive.

Consistent with security rule requirements for encryption for “data at rest”, the hard drive is encrypted.   This is intended to protect data not only due to lost or stolen hardware but also nosey unauthorized repair people.   This encryption is set up when the computer is first configured but higher level encryption like Windows BitLocker can be set up later.  

In addition, for call center-based virtual assistants, there is a layer of security that verifies everyone who goes near their computers. These can be a combination of keypad codes, IDs and biometrics. They correspond neatly to the triangle of authentication: “What you have”, “What you know” and “What you are” (the fourth, “What you know how to do”, is still quite rare).

The HIPAA Security Rule requires that administrative, physical and technical safeguards are documented and implemented. For example, physical access to information and documents that have protected health information should be limited to those who are authorized to access them. Technical safeguards include implementing standards for passwords and encryption for each drive.

Layer 2 – She then logs into the Windows system of her computer to access her programs and data.

The virtual assistant then provides a Windows password, which is set by our administrator. This allows her access only to the folders allocated to her.

Virtual Assistants are considered Business Associates if independently managed.  Both individuals and the contracted company have signed Business Associate Agreements with providers that define the obligations of both parties to implement measures to protect health information.   Under many state laws and new laws (i.e. ARR Act), Business Associates are directly covered entities as well. 

Layer 3 – She logs into a program to securely access a computer in the remote client’s network

While logged into Windows, she opens the browser and logs in to the program that will allow access to the specific computer in the client’s office that is assigned to her. The “remote” computer is usually physically in the client’s network and becomes her workstation for the day.

She will see only the workstations she is allowed to access, usually a primary computer and a backup. The connection between the computer in front of her and the remote computer she plans to control is encrypted so it can’t be snooped on.

Some cloud (internet) based solutions like phones and portals do not require accessing a desktop in the client office.  They often require either a VPN (virtual private network) connection to have access to resources in the client location or a dual factor authentication.   The latter means that in addition to a password, the program will need an additional step like sending a code to a cellphone or email on file that usually belongs to the client manager, to essentially vouch for the user.

These connections are encrypted consistent with the Security Rule requirement of encryption for “data in motion.”

Layer 4 – She selects her assigned computer on the remote site and enters a Passphrase to access it.

After the virtual assistant selects her assigned computer, it asks for the passphrase so only she can access it.  The client can easily reset this passphrase anytime to block any access permanently or temporarily to the computer.

As part of administrative safeguards of the HIPAA Security Rule, we have documented security procedures which are revisited regularly as our operations change.  Roles and job descriptions are created and updated as needed.

Layer 5 – She logs into the Windows system in her assigned remote computer

After the virtual assistant enters the passphrase, she then logs in to the Windows computer that she needs to access remotely. Again, the user is only allowed access to her own folders on that computer. This is set by the client systems administrator.

HIPAA requires that we provide periodic user training on its requirements to not only understand the rules but also appreciate the risks.   It underlines their roles and responsibilities pertaining to patient information.  The security procedures are also reviewed.

Layer 6 – She opens the Electronic Medical Record program and enters her assigned Password

Finally, the assistant can access the patient data after the 6th password. This is set by the client office manager or administrator, who also sets the access restrictions of each user.

Some solutions further require dual authentication.  This means that after the user logs in, if the program doesn’t recognize the user’s browser, it sends a code to the manager to verify the user via email or text.  The user can only access the program if the manager forwards the code.

Passwords for remote access, Windows, and electronic health records allow an “audit trail.” During normal use of the system, users essentially leave breadcrumbs behind (based on their passwords) that will allow administrators to track most of their actions. This creates accountability and serves as a deterrent.
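The audit trail described above can be checked across layers. The following is an added example, not part of the original article or the author's process: it reads constructed sample events from the three sources named above (remote access, Windows, EHR) and flags EHR logins that are not backed by the earlier layers. The event layout, user and workstation names, and the 8-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs): (timestamp, source, user, workstation).
# "remote"  = remote-access tool login (Layers 3-4)
# "windows" = logon to the remote Windows computer (Layer 5)
# "ehr"     = Electronic Medical Record login (Layer 6)
# Assumption: user IDs are already normalized across the three log sources.
EVENTS = [
    ("2024-03-04 08:01:10", "remote",  "va_anna", "WS-01"),
    ("2024-03-04 08:02:05", "windows", "va_anna", "WS-01"),
    ("2024-03-04 08:03:40", "ehr",     "va_anna", "WS-01"),
    ("2024-03-04 09:15:00", "windows", "va_ben",  "WS-02"),
    ("2024-03-04 09:16:30", "ehr",     "va_ben",  "WS-02"),  # no remote session first
    ("2024-03-04 13:00:00", "remote",  "va_cara", "WS-03"),
    ("2024-03-04 13:01:00", "windows", "va_cara", "WS-03"),
    ("2024-03-04 23:30:00", "ehr",     "va_cara", "WS-03"),  # earlier layers are stale
]

MAX_GAP = timedelta(hours=8)  # assumed maximum working session length


def find_unbacked_ehr_logins(events, max_gap=MAX_GAP):
    """Return (user, workstation, reason) for each EHR login that lacks an
    earlier, in-order remote login and Windows logon by the same user on the
    same workstation within max_gap."""
    parsed = sorted(
        (datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), s, u, w) for t, s, u, w in events
    )
    last_seen = {}  # (user, workstation, source) -> most recent timestamp
    findings = []
    for ts, source, user, ws in parsed:
        if source == "ehr":
            remote = last_seen.get((user, ws, "remote"))
            win = last_seen.get((user, ws, "windows"))
            if remote is None or win is None:
                missing = "remote" if remote is None else "windows"
                findings.append((user, ws, "missing " + missing + " login"))
            elif win < remote:
                findings.append((user, ws, "layers out of order"))
            elif ts - remote > max_gap:
                findings.append((user, ws, "stale remote session"))
        last_seen[(user, ws, source)] = ts
    return findings


if __name__ == "__main__":
    for finding in find_unbacked_ehr_logins(EVENTS):
        print(finding)
```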



Security Safeguards and Risk Management

Security is like a chain whose strength is defined by its weakest link. Password management is one of its most vulnerable aspects. Having multiple layers managed by different administrators helps negate this risk.

Each facility or operation should assess the various risks of data breaches (called Risk Assessment). This means listing the things that can go wrong, how likely each one is and what the consequence would be if it happened. From there, they can develop plans and procedures not just to keep them from happening but also to contain the damage if, God forbid, they happen.

This example illustrates how our virtual assistant needs to get all six logins right before she can even start work. There are other safeguards that address other risks that we identified during our assessment. Like many companies that support offices in the medical field, we consider protecting health and other confidential information a sacred trust that governs many of our decisions involving people, equipment and processes. This is something we value as an organization from top to bottom.


(by Rob Raroque MTM)