Kimberly Shutters | HIPAA alli

Breaking Down the HIPAA Security Standards

Breaking Down the HIPAA Security Standards Today I am breaking down the HIPAA Security Rule, 45 CFR § 164.308, into byte-size portions to help you understand how they are significant to your organization. The HIPAA Security Rule establishes security standards for protecting all electronic protected health information (ePHI), 45 CFR Part 160 and Part 164, Subparts A and C. The HIPAA Security Standards provide a structure for healthcare regulated entities (health plans, clearinghouses, or covered health care providers) to develop and implement policies and procedures to guard against and react to security incidents. All healthcare regulated entities must comply with the applicable standards, implementation specifications, and requirements of the Security Rule with respect to electronic PHI, 45 C.F.R § 164.302. The Security Rule allows regulated entities of all sizes to implement reasonable and appropriate measures that enable them to comply with the Rule. The standards were designed to be scalable, flexible and technology neutral to allow regulated entities to comply in a manner consistent with the complexity of their organization. The rule does not specify any specific technology. This is intentional so the healthcare community will is not be bound by specific systems and/or software that may become obsolete. HIPAA Security Rule Basic Concepts First let me set the ground work to help you with the basic concepts that make up the security standards and implementation specifications. Each HIPAA Security Rule standard is a requirement: a regulated entity must comply with all of the standards of the Security Rule with respect to the electronic PHI it creates, receives, maintains, or transmits. Many of the standards contain implementation specifications. An implementation specification is a more detailed description of the method or approach regulated entities can use to meet a particular standard. Regardless of whether a standard includes one or more implementation specifications, regulated entities must comply with each standard. Implementation specifications are either required or addressable. Here is a breakdown of each: Required is similar to a standard, in that a regulated entity must comply with it. For example, all regulated entities including small providers must conduct a complete and thorough “Risk Analysis,” 45 CFR § 164.308(a)(1). Addressable requires regulated entities to perform an assessment to determine if the specification is a reasonable and appropriate safeguard in their environment. After performing the assessment, a regulated entity decides if: It will implement the addressable implementation specification. Implement an equivalent alternative measure that allows the entity to comply with the standard. Or not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within their environment. Regulated entities are required to document assessments and all decisions. For example, all regulated entities including small providers must determine whether “Encryption and Decryption” is reasonable and appropriate for their environment, 45 CFR § 164.312(a)(1). Factors that determine what is “reasonable” and “appropriate” include cost, size, technical infrastructure and resources. While cost is one factor entities must consider in determining whether to implement a particular security measure, some appropriate measure must be implemented. An addressable implementation specification is not optional, and the potential cost of implementing a particular security measure does not free covered entities from meeting the requirements identified in the rule. HIPAA Security Rule Main Sections The HIPAA Security Rule is divided into six main sections – each representing a set of standards and implementation specifications that must be addressed by all regulated entities. The Security Rule is divided into six main sections – each representing a set of standards and implementation specifications that must be addressed by all regulated entities. They are: Administrative Safeguards Physical Safeguards Technical Safeguards Organizational Requirements Policies and Procedures Documentation Each Security Rule standard is a requirement: all regulated entities must comply with all of the standards of the Security Rule with respect to the ePHI it create, receive, maintain, and/or transmit. Many of the standards contain implementation specifications. An implementation specification is a more detailed description of the method or approach regulated entities can use to meet a particular standard. Implementation specifications are either required or addressable. Regardless of whether a standard includes one or more implementation specifications, all CEs and BAs must comply with each standard. Administrative Safeguards The Administrative Safeguards comprise over half of the HIPAA Security Rule. It establishes a national set of minimum security standards for protecting all ePHI that regulated entities create, receive, maintain, and/or transmit. The HIPAA Security Rule defines Administrative Safeguards as: “Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the regulated entities workforce in relation to the protection of that information.” The Security Rule contains several types of safeguards and requirements which regulated entities must put in place to secure ePHI. When reviewing the Administrative Safeguards, they are generally identified as: administrative actions, policies, and procedures to prevent, detect, contain, and correct security violations. Administrative Safeguards also involve the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of workforce members in relation to the protection of that information. In general, these are the administrative functions that should be implemented to meet the security standards. These include security management processes, assignment or delegation of security responsibilities to an individual, and workforce security training requirements. Physical Safeguards As with all the standards in the HIPAA Security Rule, compliance with the Physical Safeguards standards requires regulated entities to perform an evaluation of their security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions derived from a number of factors unique to each organization. The HIPAA Security Rule defines Physical Safeguards as: “Physical measures, policies, and procedures to protect a regulated entities electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” When evaluating and implementing these standards, regulated entities must consider all physical access to ePHI. This may extend outside of the actual office(s), and could include workforce members’ homes or other physical locations where they are able to access ePHI (i.e., mobile devices). In general, these are the mechanisms required to protect electronic systems, equipment and the data they hold, from threats, environmental hazards and unauthorized intrusion. They also include restricting access to ePHI and

HIPAA Security Management Process in 6 Steps

HIPAA Security / By Kimberly Shutters

HIPAA Security Management Process in 6 Steps Today I am breaking down the HIPAA Security Management Process, 45 § 164.308(a)(1), into byte-size portions to help you understand how they are significant to your organization. Before I can break down today’s topic, I first should set the stage. The HIPAA Security Rule, Administrative Safeguards provisions that requires regulated entities to perform a accurate and thorough risk analysis as part of their security management processes. Risk analysis and risk management serve as tools to assist in the development of a regulated entity’s strategy to protect the confidentiality, integrity, and availability of electronic protected health information (PHI). HIPAA Security Management Process Standards The first standard under Administrative Safeguards section is the Security Management Process. This standard requires regulated entities to: Implement policies and procedures to prevent, detect, contain and correct security violations. The HIPAA Security Management standard has four required implementation specifications. They are: Risk Analysis (Required) Risk Management (Required) Sanction Policy (Required) Information System Activity Review (Required) Risk analysis and risk management processes are critical to a regulated entity’s compliance efforts. The results from the risk analysis and risk management processes will become the baseline for security processes within regulated entity’s organization. Risk Analysis The Risk Analysis implementation specification, 45 § 164.308(a)(1)(ii)(A), requires regulated entities to: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the regulated entities. The scope of a risk analysis requirement in the HIPAA Security Rule is much more expansive. It requires you to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI that an organization creates, receives, maintains, or transmits. This includes ePHI in other electronic systems and all forms of electronic media, such as: Cell phones Hard drives Compact discs (CDs) Digital video discs (DVDs) Smart cards or other storage devices Transmission media Portable electronic media Any connected Internet of Things (IoT) devices Your risk analysis process is an opportunity to learn as much as possible about the health of your information security. Don’t ignore your need to be HIPAA compliant! Any device or media that contains PHI needs to be properly protected – HIPAA is not system or hardware specific – it applies to all! Risk Management Risk Management is a required implementation specification, 45 CFR § 164.308(a)(1)(ii)(B). It requires an organization to make decisions about how to address security risks and vulnerabilities. The Risk Management implementation specification states that regulated entities must: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 §164.306(a). Risk management is the process used to identify and implement security measures to reduce risks to a reasonable and appropriate level. Regulated entities will want to make sure their risk management strategy takes into account the characteristics of their environment includes these four factors: The size, complexity, and capabilities of the regulated entity. The regulated entity’s technical infrastructure, hardware, and software security capabilities. The costs of security measures. The probability and criticality of potential risks to electronic protected health information. These four factors will help them determine what potential security measures are reasonable and appropriate for the environment. NOTE: Regulated entities must ensure their risk analysis and risk management activities are on-going and dynamic processes that change as the environment or operations change. Sanction Policy Another implementation specification in the HIPAA Security Management Process is the Sanction Policy, 45 § 164.308(a)(1)(ii)(C). It requires regulated entities to: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the regulated entity. Appropriate sanctions must be in place so that workforce members understand the consequences of failing to comply with security policies and procedures, to deter non-compliance. Information System Activity Review The HIPAA Security Management Process standard also includes the Information System Activity Review implementation specification, 45 CFR § 164.308(a)(1)(ii)(D). This required implementation specification states that regulated entity must: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. The information system activity review enables regulated entities to determine if any ePHI is used or disclosed in an inappropriate manner. Information system activity review procedures may be different for each regulated entity. The procedure should be customized to meet the organizations risk management strategy and take into account the capabilities of all information systems with ePHI. 6 Steps to HIPAA Security Management Process Now for the moment you’ve all be waiting for … Below are six steps to help you start: Lead your culture, select your team, and learn Document your process, findings, and actions Review existing security of ePHI (perform a Security Risk Analysis) Develop an Action Plan Manage and mitigate risks Monitor, audit, and update security on an ongoing basis Note: Performing the risk analysis in-house may require an upfront investment of your time and a staff member’s time to understand and address your security issues with respect to the HIPAA Security Rule.

Breaking Down the HIPAA Security Officer Requirement

HIPAA Security / By Kimberly Shutters

Breaking Down the HIPAA Security Officer Requirement Today I am breaking down the HIPAA Security Officer requirement, Assigned Security Responsibility 45 § 164.308(a)(2), into byte-size portions to help you understand how they are significant to your organization. Since 2005, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule has required regulated entities to identify who will be operationally responsible for assuring that the regulated entity complies with the Security Rule. This is similar to the Privacy Rule standard, 45 §164.530(a)(1), which requires all regulated entities designate a Privacy Officer. The HIPAA regulations state you must formally select a Privacy Officer and a Security Officer. In small organizations this can be the same person. The HIPAA Security Officer responsibilities are often assigned to an IT Manager due. This is due to the perception that integrity of ePHI is an IT issue. The HIPAA Security Rule is made of of three safeguards, they are: Administrative Safeguards Physical Safeguards Technical Safeguards Only 30% of the safeguards require technical expertise. That means smaller regulated entities could reduce their information systems costs by splitting the HIPAA Security Officer responsibilities. Just be sure to document your selection by department not who the activities is assigned to. This will allow authorized representatives of the department to perform the activity. HIPAA Security Officer Responsibilities The HIPAA Security Officer’s job description needs to outline the Officer’s responsibilities with regard to establishing and maintaining HIPAA compliant mechanisms for ensuring the confidentiality, integrity and accessibility of the CE´s or BA’s healthcare information systems and any PHI. These responsibilities will vary according to the nature and size of the organization, but should include: Performing an enterprise wide risk analysis of the company’s information systems. Developing and implementing policies and procedures to prevent, detect, contain and correct security violations. Regularly reviews audit logs, access reports, and security incident tracking reports. Developing and implementing policies and procedures to ensure only appropriate company workforce members have access to PHI. Implements a security awareness and training program for ALL workforce personnel, volunteers, management including doctors. Regularly monitor attempts by unauthorized persons to log on to the company’s information systems. Implements procedures to guard against and detect viruses, worms, and other malicious code. Develop and implement policies and procedures to respond to security incidents. Develops contingency plans to respond to emergencies. Performs periodic technical and nontechnical reviews of the company’s information security program. Evaluates reported incidents as potential breaches of unsecured ePHI. Something to Ponder … When designating the HIPAA Security Officer regulated entities should consider some of the following sample questions: Does it serve the organization’s needs to designate the same individual as both the Privacy and Security Officer (for example, in a small provider’s office)? How are the roles and responsibilities of the Security Officer crafted to reflect the size, complexity and technical capabilities of the organization?

Business Associate Breach

Healthcare Breach / By Kimberly Shutters

Today, I am presenting a case study on the chain of events after a Business Associate breach of electronic protected health information (ePHI). Business Associates (BAs) YOU may be directly liable for violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and Breach Notification Rule as well as certain provisions of the Privacy Rule after experiencing such a breach. Liability may attach to BAs, even in situations in which the BA has not entered into the required Business Associate Agreement with the Covered Entity (CE). Breach History: On September 29, 2011, MAPFRE Life Insurance Company of Puerto Rico filed a breach report with Office oToday, I am presenting a case study on the chain of events after a Business Associate (BA) experienced a breach of electronic protected health information (ePHI). Civil Rights (OCR) after a USB data storage device was stolen from their IT department, affecting 2,209 patients. What OCR Found During Their Breach Investigation: OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA rules, specifically a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014 (approximately three years later). AND MAPFRE Life was found out-of-compliance in the following areas: Impermissible disclosures of PHI Failure to conduct a thorough risk analysis and implement security measures Failure to provide a security awareness and training program for all members of its workforce, including management Failure to implement encryption technologies for PHI Failure to implement appropriate policies and procedures to company with the HIPAA Security Rule HIPAA Enforcement On January 11, 2017, Health and Human Services (HHS) agreed to accept, and MAPFRE Life agreed to pay $2,204,182.00 settlement (Resolution Amount) AND MAPFRE Life was required to enter into a six year Corrective Action Plan (CAP) with OCR. Lessons Learned Don’t ignore YOUR need to be HIPAA compliant! Any device or media that has PHI needs to be properly protected – HIPAA is not system or hardware specific – it applies to all! Covered Entities and Business Associates need to understand patients are entrusting YOU with their most private and intimate details, they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks? JOIN US!! Join HIPAA alli for our live webinar where we provide valuable information on a range of HIPAA compliance related topics and allow attendees to gain insider insight and learn industry best practices.

Breaking Down Threats, Vulnerabilities, and Risks

HIPAA Security / By Kimberly Shutters

Breaking Down Threats, Vulnerabilities, and Risks Today I am breaking down threats, vulnerabilities, and risks into byte-size portions to help you understand how they are significant to your organization. Before I can break down today’s topic, I first should set the stage. Setting the Stage for Threats, Vulnerabilities, and Risks The Security Management Process, 45 § 164.308, requires regulated entities to evaluate threats, vulnerabilities and risks in their environments and to implement policies and procedures to prevent, detect, contain, and correct security violations. Regulated entities should be familiar with these three terms and the relationship between them: Vulnerability Threat Risk Note: These terms are not specifically defined in the HIPAA Security Rule. The definitions in this paper are provided to put the Risk Analysis and Risk Management discussion in context. Threat, Vulnerability, and Risk Definitions Threats The Guidance for Conducting Risk Assessment by the National Institute of Science and Technology (NIST), NIST 800-30, defines a threat as: Any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. Threat events are caused by threat sources. A threat source is characterized as: (i) the intent and method targeted at the exploitation of a vulnerability; or (ii) a situation and method that may accidentally exploit a vulnerability. In general, types of threat sources include: Hostile cyber or physical attacks Human errors of omission or commission; Structural failures of organization-controlled resources (e.g., hardware, software, environmental controls); and Natural and man-made disasters, accidents, and failures beyond the control of the organization. Vulnerability The Guidance for Conducting Risk Assessment by the National Institute of Science and Technology (NIST), NIST 800-30, defines a vulnerability as: A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a security incident, such as an inappropriate use or disclosure of electronic protected health information (ePHI). Vulnerabilities may be grouped into two general categories, technical and non-technical. Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines. Technical vulnerabilities may include: holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems. Remember: A vulnerability triggered or exploited by a threat equals a risk. Vulnerabilities can also be found in external relationships such as: Dependencies on particular energy sources Supply chains Information technologies Telecommunications providers Poorly defined mission/business processes Poor enterprise/information security architecture decisions Risks The Guidance for Conducting Risk Assessment by the National Institute of Science and Technology (NIST), NIST 800-30, defines a risk as: A measure of the extent to an entity is threatened by a potential circumstance or event, and typically a function of: The adverse impacts that would arise if the circumstance or event occurs; and The likelihood of occurrence. This means that risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization. Remember: A vulnerability triggered or exploited by a threat equals a risk. Something to Ponder … Here are four questions for you to ponder. Does your organization addresses the following: Does your organization have a resource dedicated Compliance Officer responsible for enforcing and maintaining HIPAA Privacy and Security policies? What are your policies for data segregation and encryption? Have you applied all applicable security patches? Does your employees and third-party vendors training include security best practices?

How To Identify Your HIPAA Risk Analysis Scope

HIPAA Security / By Kimberly Shutters

The HIPAA Security Rule adopts national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is created, received, maintained, or transmitted by a Covered Entity (CE) or Business Associate (BA). As a CE or BA, you are required to have in place reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the confidentiality, integrity and availability of the ePHI you are entrusted with. Confidentiality: ePHI is not available or disclosed to unauthorized people Integrity: ePHI is not altered or destroyed in an unauthorized manner Availability: ePHI is accessible and usable on demand by authorized persons CEs, BAs and their subcontractors of ALL sizes or complexities MUST conduct and document a comprehensive enterprise-wise risk analysis of their computer and other information systems used to create, receive, maintain, or transmit ePHI to identify potential risks and respond accordingly; 45 CFR §164.308(a)(1). Yes, this means you too solo practitioner & solo BA! Some of you may be solo practitioners in single physician’s offices. Others of you work in clinics, and others of you work in large healthcare organization or even hospitals; the rule will operate differently in each of these environments. For that reason, the rule does NOT prescribe ANY particular technology, technique, or practice for performing the required risk analysis. The HIPAA Security Rule is designed to be scalable and flexible. What does heck does that mean? There are many ways of performing a risk analysis. There are certain key elements of the risk analysis process; the first thing is to identify your HIPAA Security Risk Analysis scope. Compliance is different for each organization and no single strategy will serve every CE or BA. There are many ways of performing a risk analysis. However, determining the scope of your risk analysis should be the very first thing completed, otherwise how will you know which elements are completed and which ones have yet to be done? Scope involves getting information required to start a project, and the features the project would need to meet its stakeholder’s requirements.* Your HIPAA Security Risk Analysis should encompass the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all the ePHI your organization creates, receives, maintains, or transmits. This includes ePHI on all kinds of electronic media, not just PCs and servers. In simple terms, this includes performing a risk analysis; including ALL devices which may contain ePHI, implementing reasonable and appropriate security measures; and documenting and maintaining policies, procedures and other required documentation. Compliance is not a one-time goal, but an ongoing process. Your risk analysis is part of an ongoing process to provide YOU with a detailed understanding of the potential risks to the confidentiality, integrity, and availability of your patients’ information. Covered Entities and Business Associates need to understand patients are entrusting them with their most private and intimate details, they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks? Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today! * Source: https://en.wikipedia.org/wiki/Scope_(project_management)

Ransomware: What is it & What to do about it?

HIPAA Security / By Kimberly Shutters

What is ransomware? Ransomware is a type of malicious software, known as malware, designed to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key. How to detect if your computer systems are infected? Unless ransomware is detected and propagation halted by your malicious software protection or other security measures, you would typically be alerted to the presence of ransomware only after the ransomware has encrypted the user’s data and alerted the user to its presence to demand payment. HIPAA requires Covered Entity’s (CEs) and Business Associates (BA’s) workforce receive suitable security training, this includes detecting and reporting instances of malicious software. Indicators of an attack could include: • A user’s realization that a link they clicked on, a file attachment opened, or a website visited may have been malicious in nature • An increase in activity in the central processing unit (CPU) of a computer and disk activity for no apparent reason (example: ransomware searching for, encrypting and removing data files) • An inability to access certain files as the ransomware encrypts, deletes and re-names and/or re-locates data • Detection of suspicious network communications between the ransomware and the attackers’ command and control server(s) (this would most likely be detected by IT workforce member via an intrusion detection or similar solution) If you believe you’re under a ransomware attack you should immediately activate your security incident response plan. Ensure your plan includes measures to isolate the infected computer systems in order to halt further propagation of the attack. Additionally, it is recommended that if you’re infected with ransomware contact their local FBI or United States Secret Service field office. These agencies work with federal, state, local and international partners to pursue cyber criminals globally and assist victims of cyber crime. What to do if your computer systems are infected? The presence of ransomware (or any malware) on a CE’s or BA’s computer system is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. See the definition of security incident at 45 C.F.R. 164.304. Once the ransomware is detected, the CE or BA must initiate their security incident and response and reporting procedures. See 45 C.F.R. 164.308(a)(6). HIPAA CE’s and BA’s are required to develop and implement security incident procedures and response and reporting processes that they believe are reasonable and appropriate to respond to malware and other security incidents, including ransomware attacks. An entity’s security incident response activities should begin with an initial analysis to: • Determine the scope of the incident to identify what networks, systems, or applications are affected • Determine the origination of the incident (who/what/where/when) • Determine whether the incident is finished, is ongoing or has propagated additional incidents throughout the environment • Determine how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited) These initial steps should assist the entity in prioritizing subsequent incident response activities and serve as a foundation for conducting a deeper analysis of the incident and its impact. Subsequent security incident response activities should include steps to: • Contain the impact and propagation of the ransomware • Eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation • Recover from the ransomware attack by restoring data lost during the attack and returning to “business as usual” operations Part of a deeper analysis should involve assessing whether or not there was a breach of Protected Health Information (PHI) as a result of the security incident. The presence of ransomware (or any malware) is a security incident under HIPAA that may also result in an impermissible disclosure of PHI in violation of the Privacy Rule and a breach, depending on the facts and circumstances of the attack. See the definition of disclosure at 45 C.F.R. 160.103 and the definition of breach at 45 C.F.R. 164.402. Covered Entities and Business Associates need to understand your patients are entrusting YOU with their most private and intimate details, they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks? Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today! Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today!

Keep Your Health Information Private & Secure

1 Comment / HIPAA Privacy / By Kimberly Shutters

Tips For Keeping Your Health Information Safe There are laws that protect the privacy of your health information held by those who provide you healthcare services. But as it becomes easier to get and share your own health information online, you need to take steps to protect it. Does HIPAA Protect All Health Information? No! The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules are federal laws that set national standards for protecting the privacy and security of health information. Health information that is kept by healthcare providers (referred to as Covered Entities [CEs] and their Business Associates [BAs]), health plans and organizations acting on their behalf is protected by these federal laws. However, you should know there are several organizations that do not have to follow these laws: • Patient owned or held information stored in a mobile app or on a mobile device, such as a smartphone or tablet. • Share over social media websites or health-related online communities, such as message boards. • Information stored in a personal health record (PHR) that is not offered through a CE or health plan covered by HIPAA. Keep Your Electronic Health Information Secure There are a number of ways you can help protect your electronic protected health information (ePHI). Here are some tips to ensure your PHI is private and secure when accessing it electronically. When Using Social Media Think carefully before you post anything on the Internet that you don’t want to be made public – do not assume that an online public forum is private or secure. If you decide to post health information on a social media platform, consider using the privacy setting to limit others’ access. Remember information posted on the web could remain there permanently. When Using Mobile Devices Research mobile apps – software programs that perform one or more specific functions – before you download and install any of them. Be sure to use known app websites or trusted sources. Read the terms of service and the privacy notice of the mobile app to verify that the app will perform only the functions you approve. Consider installing or using encryption software for your device. Encryption software is now widely available and increasingly affordable. Install and activate remote wiping and/or remote disabling on your mobile devices. The remote wipe feature allows you to permanently delete data stored on a lost or stolen mobile device. Remote disabling enables you to lock data stored on a lost or stolen mobile device, and unlock the data if the device is recovered. For tips like this and more request your copy of “HIPAA Security Rule – Know The Rules!” Newsletter Today!!

HIPAA Security Culture of Compliance

HIPAA Security / By Kimberly Shutters

Establishing Your Culture of Compliance Covered Entities (CEs) or Business Associates (BAs) must instill and support a security-minded organizational culture. What the heck does that mean, “Culture of Compliance”? Establishing a “culture of compliance” in your healthcare organization will require buy-in from leadership; without it ALL efforts to secure electronic protected health information (ePHI) will fail! All workforce members in the organization must subscribe to the shared vision of information security so habits and practices become automatic. As Leon Rodriguez, former Director, HHS Office for Civil Rights stated: A “ culture of compliance” means that everybody has to see themselves as responsible for the privacy and security of health information. You have talked about leadership … Employers need to make clear to their employees that this is something that they take seriously, including in their disciplinary policies and, of course, their training policies. It is something that really needs to flow down to ALL the employees who handle health information.” Here are three steps that must be taken: Education and training must be frequent and ongoing, recommend role based training for all workforce members. Those that manage and direct the work of others must set a good example and resist the temptation to indulge in exceptionalism. Accountability and taking responsibility for information security must be among the organization’s core values. Protecting patients through good information security practices should be as second nature to ALL healthcare organizations entrusted with ePHI. However, none of these measures can be effective unless the CE or BA is willing and able to: Implement them!! Don’t find out the hard way like many others, after a security incident. To enforce policies that requires these safeguards to be used. To effectively and proactively train ALL users so that they are sensitized to the importance of information security. This includes ransomware, phishing and other cybersecurity trends. Covered Entities and Business Associates your patients’ are entrusting you with their most private & intimate details, they expect it to remain secure. Besides, it is YOUR practice, YOUR patient’s, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to their risks? Each week, in “Know The Rules!” I describe HIPAA Security for Business Associates and offer ways to decrease the likelihood that patients’ ePHI will be exposed to unauthorized disclosure, alteration, and destruction or denial of access. Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today!

Data Encryption

HIPAA Security / By Kimberly Shutters

What is encryption? Encryption is a method of converting an original message of regular text into encoded text. The text is encrypted by means of an algorithm (type of formula). If information is encrypted, there would be a low probability that anyone other than the receiving party who has the key to the code or access to another confidential process would be able to decrypt (translate) the text and convert it into plain, comprehensible text. Is the use of encryption mandatory in the Security Rule? Answer: No The HIPAA Security Rule made the use of encryption an addressable implementation specification. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). The encryption implementation specification is addressable, and must therefore be implemented if, after an enterprise-wise risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of electronic protected health information (ePHI). If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the Covered Entity (CE) or Business Associates (BAs) may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision. You need to decide whether and how to use encryption. Let’s talk for a second about what we mean by encryption. Encryption is a way of scrambling electronic information so that it is unreadable to someone who does not have the authority to read that information. Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks? Don’t know where or how to start or update your HIPAA security compliance training? Let’s chat about your compliance program – schedule a call with HIPAA alli today!