Jeffrey I. Ziplow, MBA, CISA, CGEIT
A little over a year has passed since modifications to the HIPAA privacy, security, enforcement and breach notification rules under the HITECH Act were announced. Although the earliest impact of these rules was scheduled for March 26, 2013, all HIPAA-related documents and contracts must be in compliance with the new rules no later than September 22, 2014. The 138-page document outlines a few key points. The Federal Department of Health and Human Services is: expanding HIPAA compliance to Business Associates and their subcontractors; identifying personal health information (PHI) breach notification rules; and adopting changes to HIPAA and the HITECH Act relative to enforcement rules and penalty structure(s). Cutting through all of this, however, is the need to re-evaluate the security and controls around access to, possession of, creation of and/or transmission of Personal Health Information (PHI).
New HIPAA Regulations
It sounds simple. Just keep on doing what we have been doing in past years. This may sound good, but it may also get you in trouble. These new rules incorporate “new teeth”, including increased penalties for non-compliance (based on the level of negligence) with a maximum penalty of $1.5 million per violation.
Outlined below are some ideas for strengthening the security and controls around PHI:
When was the last time someone reviewed, evaluated or performed a risk assessment regarding where PHI was being stored? The easy answer is that it is stored in the inpatient/outpatient system(s). Is that the only place PHI is stored? What about word processing or spreadsheet documents? What about email? What about the financial management system? What about laptops? What about cell phones? What about those small removable hard drives (thumb drives) that can get easily lost? Now consider who has or could gain access to this PHI. Performing an annual risk assessment can help answer these types of questions and will help mitigate HIPAA risks.
Whenever possible, if PHI is being accessed or stored in a database or elsewhere (in motion or at rest), it should be encrypted. If PHI is on a laptop, encrypt it. If it is stored on a removable drive, encrypt it. If it is in an email, encrypt it (or don’t send it). Encryption is your friend and, more importantly, it can significantly protect PHI.
When was the last time the organization’s policies, procedures and protocols related to HIPAA compliance were reviewed? Do the current policies still make sense or do they need to be updated to include new changes/practices with the organization’s security procedures? Has a Bring Your Own Device (BYOD) policy been established to secure how cell phones and/or tablets from home can be used on the secure network (or not)? Does every Business Associate have a recently signed agreement (needed no later than September 22, 2014)? Does the Business Associate, in turn, use a subcontractor and does he/she have a signed agreement? Has someone been designated as the Information System Security Officer and do they fully understand/appreciate their role? Of course it is only documentation, but every organization needs to practice what they preach and follow through on their HIPAA responsibilities. As part of this effort, providing clear communications of policies/protocols to employees and vendors is an important part of a good HIPAA compliance program.
When was the last time the IT Department reviewed a list of personnel terminations from Human Resources and compared this information to active network users to identify any “phantom” users that could access the organization’s systems? This can be a serious security risk. Depending on the cause of termination, a disgruntled employee may want to teach the organization a lesson or two and potentially access and exploit confidential PHI. Initially, on a quarterly basis, ensure there are no phantom users who could expose any PHI. Along these lines, make sure users are not sharing user IDs and passwords. Each user should be responsible for protecting his/her network identity along with protecting access to PHI information. Sharing IDs and passwords can negatively impact securing PHI.
When was the last time the IT Department confirmed that all security patches for the various servers, computers and applications within your organization were up-to-date? Based on some recent significant exploits, hackers are taking advantage of systems in which security patches have not been applied. In fact, hackers have access to a wealth of information relative to these exploits…they are available on the Internet. These “holes” could expose an organization to significant risk by allowing an intruder access (directly or indirectly) to PHI. Being vigilant and keeping up with all security patches is the simple answer.
- When was the last time the organization’s password policy was evaluated? Are complex passwords used? How frequently are passwords changed? Can someone continue to use the same password repeatedly? What happens after multiple unsuccessful login attempts? How these questions are answered will help determine the level of security within an organization. Be practical! Forcing users to change their password every 15 to 30 days may not be appropriate and cause more problems. Implementing strong/complex passwords (a combination of letters, numbers, capital letters and special characters) can significantly help to secure PHI. This, along with locking out a person after a minimum number (5) of unsuccessful login attempts, will expose security violations and help to prevent inappropriate PHI access.
Implementing and maintaining good security practices is an essential part of HIPAA compliance. Organizations need to constantly challenge and tests the risks and exposure to their network with the hope of securing and/or minimizing access to PHI. Investing time on a regular basis (monthly–quarterly) to evaluate potential risks and mitigating any potential security concerns can help assure compliance with HIPAA HITECH enforcement rules and eliminate the risk of associated significant penalties.
For more information about HIPAA compliance, please contact Jeff Ziplow at firstname.lastname@example.org .