HIPAA compliance checklist for ApexSQL Audit

The Health Insurance Portability and Accountability Act (HIPAA) is a regulatory standard enacted by the US Congress to protect and safeguard healthcare information.

As defined by Wikipedia:

“The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the United States Congress and signed by President Bill Clinton in 1996. It has been known as the Kennedy–Kassebaum Act or Kassebaum–Kennedy Act after two of its leading sponsors. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.”

The following table lists the HIPAA requirements that concern SQL Server database administrators and states whether, how, and to what extent ApexSQL Audit can help an organization fulfill each of them.

HIPAA Requirement

ApexSQL Audit

§ 164.308: Administrative Safeguards

§164.308(a)(1)(i) Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

ApexSQL Audit: Supports – Centralized consolidation and archival of audit trails, using predefined and custom-built reports covering all major types of activities. Full oversight of who changed what, where and when. Complete auditing of data transfers, access, and changes, as well as auditing of system access and configuration changes.

§164.308(a)(1)(ii)(D) Information system activity review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

ApexSQL Audit: Supports – ApexSQL Audit provides real-time information and reporting on all activities performed at the server/database level, including which individual performed each action.

§164.308(a)(3)(ii)(B) Termination procedures. Ensure that access to PHI records is appropriate.

ApexSQL Audit: Supports – ApexSQL Audit real-time auditing ensures that alerts and reports show precisely which activities were performed by each individual. Suspicious or unauthorized behavior can trigger alerts in real time.

§164.308(a)(3)(ii)(C) Termination procedures. Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends.

ApexSQL Audit: Partially supports – ApexSQL Audit audits all disabled accounts. Through alerting and reporting it can confirm that all access rights to all or part of the data or databases have been removed as required.

§164.308(a)(4)(i) Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

ApexSQL Audit: Partially supports – ApexSQL Audit provides real-time information, reporting and alerting on all permission changes, for immediate detection and notification of unauthorized changes to user rights, logins and security access.

§164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions. If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

ApexSQL Audit: Supports – Comprehensive auditing and reporting of all types of login/user privileges, access rights, and access policies to detect security violations.

§164.308(a)(4)(ii)(C) Access establishment and modification. Implement policies and procedures that, based upon the covered entity’s or the business associate’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.

§164.308(a)(5)(ii)(C) Log-in monitoring. Procedures for monitoring log-in attempts and reporting discrepancies.

ApexSQL Audit: Supports – ApexSQL Audit monitors in real time all access and access attempts, whether by individuals or by other systems, with the ability to trigger alerts and notify the personnel in charge immediately.

§164.308(a)(5)(ii)(D) Password management. Procedures for creating, changing, and safeguarding passwords.

§164.308(a)(6)(i) Security incident procedures. Implement policies and procedures to address security incidents.

ApexSQL Audit: Supports – Allows users to review control procedures periodically and frequently; automated audits and reports support procedures for regularly reviewing audit trails to identify and mitigate security incidents as they occur.

§164.308(a)(6)(ii) Response and reporting. Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

ApexSQL Audit: Supports – Comprehensive auditing of all user activities, with comprehensive reporting and real-time alerts, allows proactive detection of HIPAA violations.

§164.308(a)(7)(ii)(B) Disaster recovery plan. Establish (and implement as needed) procedures to restore any loss of data.

ApexSQL Audit: Supports – Investigate the audit trail of changes, including before/after values.

With the use of ApexSQL Log (another product in ApexSQL DBA), before and after values of changes can be viewed and processed for immediate data recovery. Unauthorized, malicious, and/or accidental changes can be rolled back; deleted/truncated/changed data can be recovered and dropped objects can be restored.

§164.312(a)(2)(i) Unique user identification. Assign a unique name and/or number for identifying and tracking user identity.

ApexSQL Audit: Supports – Complete auditing of user accounts and logons to analyze violations and prevent use of the same ID by multiple persons (e.g. from different computers).

§164.312(b) Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

ApexSQL Audit: Supports – Comprehensive audits of all database activity are presented in detailed reports. Real-time configurable alerts are available.

§164.312(c) Ensure data integrity by preventing inappropriate altering or deleting of data.

ApexSQL Audit: Supports – Centralized collection, archiving, and consolidation of all data. ApexSQL Audit does not prevent alteration of audit data, but it makes any attempt to tamper with it fully evident.

§164.312(d) Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

ApexSQL Audit: Does not support.

§164.316(b)(1)(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

ApexSQL Audit: Supports – Full auditing of who, what, and where. Comprehensive reports and real-time configurable alerts are available for HIPAA compliance feedback. All data is archived in a central repository database.

§164.316(b)(2)(i) Time limit. Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

§164.316(b)(2)(ii) Availability. Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

ApexSQL Audit: Supports – Records can be archived for an unlimited amount of time, allowing a complete historical audit trail to be produced at any point in time.

§164.528(a) Right to an accounting of disclosures of protected health information. (1) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested.

Useful links:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf