HIPAA Compliance

Government Agency

HIPAA, the American Health Insurance Portability and Accountability Act, as amended by the Final Rule and the HITECH Act provisions of 2009, is a set of rules to be followed by doctors, hospitals and also employers: “Health information means any information, … recorded in any form or medium, that … is created or received by a health care provider, health plan, public health authority, employer …”. “Protected Health Information” (PHI) includes name, birth date, Social Security number (SSN), health insurance details and many other identifying data elements tied to employer-sponsored health plans, most of which are customarily stored in SAP HR records. The duty of HIPAA privacy compliance and safeguards under Title II therefore extends to SAP records.

Business Situation

  • The government agency uses SAP solutions for most business processes including HR & Payroll
  • An information privacy violation had occurred prior to bioLock installation, where employees’ electronic protected health information (EPHI) was accessed by unauthorized parties
  • Risk of increased civil/criminal penalties

Key Challenges

  • HIPAA requires disclosure of any breaches of protected data. Employers are “covered entities” if they provide healthcare benefits to employees
  • SAP HR data is stored in “infotypes”, e.g. infotype 0167 (Health Plans), which have to be individually controlled to avoid unauthorized access
  • Both administrative and technical safeguards are required – standard passwords cannot provide the needed granular access control to SAP infotypes

Implementation Highlights

  • Created biometric credential profiles for users authorized to view/edit data defined as PHI under the Privacy Rule
  • Associated individual biometric user profiles with specific tasks in SAP HR
  • Enforced biometric re-authentication for every sensitive task
  • Implemented tamper-proof log-file trail for each protected transaction
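The two controls above that matter most to an auditor, per-infotype authorization gated on a recent re-authentication and a log trail that cannot be silently edited, are shown below as an added illustration; this is not bioLock's or SAP's code. The user names, the hypothetical 60-second re-authentication window, the HMAC key and the treatment of infotype 0002 as a non-PHI contrast are constructed assumptions; only infotype 0167 (Health Plans) comes from the page. The log chains each record to the previous record's seal, so changing a denied access into an allowed one, or deleting a record, is detected on verification.

```python
import hashlib
import hmac
import json

# Constructed sample data (hypothetical): the infotypes each user may touch.
# 0167 (Health Plans) is named on the page; 0002 is used only as a non-PHI contrast.
PHI_INFOTYPES = {"0167"}
USER_PROFILES = {
    "hr_benefits_01": {"0002", "0167"},
    "hr_clerk_02": {"0002"},
}

# Hypothetical secret held by the logging component, never by SAP end users.
LOG_KEY = b"constructed-demo-key-not-for-production"
REAUTH_WINDOW_SECONDS = 60  # assumed freshness window for biometric re-auth


class ProtectedTransactionLog:
    """Hash-chained, HMAC-sealed audit trail: every record's seal covers the
    record body plus the previous seal, so editing or dropping a line breaks
    the chain for everyone who can verify with the key."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def _seal(self, body: dict, prev_seal: str) -> str:
        data = json.dumps(body, sort_keys=True).encode() + prev_seal.encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def append(self, user, infotype, action, allowed, ts):
        prev = self.records[-1]["seal"] if self.records else "0" * 64
        record = {"seq": len(self.records), "ts": ts, "user": user,
                  "infotype": infotype, "action": action, "allowed": allowed}
        record["seal"] = self._seal(record, prev)
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """Recompute every seal in order; any edit, deletion or reorder fails."""
        prev = "0" * 64
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "seal"}
            if body["seq"] != i or self._seal(body, prev) != rec["seal"]:
                return False
            prev = rec["seal"]
        return True


def authorize_infotype_access(user, infotype, action, last_reauth_ts, now, log):
    """Allow only if the user's profile covers the infotype and, for PHI
    infotypes, a re-authentication happened within the window. Every decision,
    allowed or denied, is written to the protected log."""
    in_profile = infotype in USER_PROFILES.get(user, set())
    needs_reauth = infotype in PHI_INFOTYPES
    fresh = (last_reauth_ts is not None
             and (now - last_reauth_ts) <= REAUTH_WINDOW_SECONDS)
    allowed = in_profile and (not needs_reauth or fresh)
    log.append(user, infotype, action, allowed, now)
    return allowed


def run_demo():
    """Four constructed access attempts, then a simulated after-the-fact edit."""
    log = ProtectedTransactionLog(LOG_KEY)
    now = 1_700_000_000  # constructed epoch timestamp
    results = [
        authorize_infotype_access("hr_benefits_01", "0167", "display", now - 10, now, log),
        authorize_infotype_access("hr_benefits_01", "0167", "display", now - 600, now, log),
        authorize_infotype_access("hr_clerk_02", "0167", "display", now - 5, now, log),
        authorize_infotype_access("hr_clerk_02", "0002", "display", None, now, log),
    ]
    intact_before = log.verify()
    # Someone with write access to the file flips a denial into an approval.
    log.records[2]["allowed"] = True
    intact_after = log.verify()
    return results, intact_before, intact_after


if __name__ == "__main__":
    print(run_demo())  # expected: ([True, False, False, True], True, False)
```

Storing the seal key outside the SAP application user base (or forwarding sealed records to a separate log collector) is what makes the trail useful as evidence: a privileged SAP user who can edit the file still cannot recompute the seals.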

Major Objectives

The following objectives were identified:

  • Comply with the Security Rule which requires technical safeguards (§164.304) “… the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

Implement Access Controls that allow:

  • Unique User Identification
  • Emergency Access Procedure
  • Automatic Logoff
  • Encryption and Decryption