Getting Started With The HIPAA Security Rule

So…you're looking at the HIPAA Security Rule and thinking, "This has been around since 2005!?".  Yep, it sure has.  It just hasn't been enforced until recently (you can thank ARRA & HITECH for that).  But don't fret, you can do this.  You should do this…in fact, it's actually pretty good stuff.

If you previously thought the HIPAA Security Rule was just making sure you have network passwords, antivirus, a decent data backup and doing something called a "risk analysis", but are now coming to realize that it's a pretty significant component of HIPAA, then welcome aboard friend.  It doesn't get better until you grab the bull by the horns.  So grab a pair of gloves, cowboy, and let's get started!


OCR Just Keeps Pounding Risk Analysis

The most recent resolution agreement from HHS highlights, yet again, the need for excellent documentation and follow through on a genuine risk analysis. In case you haven't noticed, or haven't been reading the resolution agreements, HHS/OCR is making a point in almost every one of these reports: PERFORM YOUR RISK ANALYSIS (and follow through with addressing your risks). 

Here's an excerpt from the opening of the resolution agreement involving the University of Washington Medicine:

"UW Medicine failed to implement policies and procedures to prevent, detect, contain, and correct security violations. Specifically it has failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI. (See 45 C.F.R. § 164.308(a)(1)(i))." [emphasis mine]

But it needs to be a real risk analysis. Not some half-hearted effort, but a genuine analysis of your environment that starts with a discovery of everywhere ePHI may live or move in your organization and an inventory of the assets that use, store or transmit ePHI. Folks, it's not that hard, but it does take an intentional effort and some time and resources. Once you know where all of your ePHI is located, then you can begin to take each ePHI scenario and inspect the things that make it vulnerable and the threats (human, environmental, and natural) that could take advantage of those vulnerabilities. Then, it's just a matter of determining the likelihood that each risk would actually happen and what the impact would be if it did. If you're using the NIST model for risk analysis (see NIST 800-30), then this culminates in a simple rating matrix. Of course, you want to preserve notes on how you decided on each rating. Voila! Now you have a risk analysis report.

That's a great start, but you're not done. You've only identified the risks that threaten your ePHI. Now, you must move into risk management and develop a plan to address each one. That doesn't mean you have to mitigate every risk on your report in the next week, but you need to have a plan and a schedule for getting to each one in a reasonable amount of time.

Linda Sanches from the Office of Civil Rights said, "It's not about if you will have a breach, it's when.  [Our] Enforcement is not about breaches, it's about whether or not you've done what you should have done to prevent it or mitigate the likelihood and impact in case it did." She's talking about using the risk analysis to figure out how your ePHI is at risk and using a risk management process to address each risk in a way that either eliminates the risk, or reduces the likelihood or impact to a level low enough that it is acceptable.

Performing a risk analysis, following up with risk management, having the documentation to prove your due diligence, and reviewing your risks periodically is paramount to having sincere Security Rule compliance. If you haven't performed a real risk analysis, put it at the top of your priority list. If you need help, get help, but do it. Soon.
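To make the NIST 800-30 style process above concrete, here is an added example (not from the article or from Skysail's products): an ePHI risk register, the likelihood-by-impact rating matrix that produces the report, and the follow-on risk management schedule. The three-level scale, the matrix cells, the 30/90/180-day schedule and the sample practice are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Three-level qualitative scale (assumption: NIST SP 800-30 Rev. 1 also defines a five-level one).
LEVELS = ("Low", "Moderate", "High")

# Likelihood x impact -> risk rating; constructed to mirror the shape of the NIST SP 800-30
# Rev. 1 Appendix I risk table, collapsed to three levels.
RISK_MATRIX = {
    ("Low", "Low"): "Low",       ("Low", "Moderate"): "Low",           ("Low", "High"): "Moderate",
    ("Moderate", "Low"): "Low",  ("Moderate", "Moderate"): "Moderate", ("Moderate", "High"): "High",
    ("High", "Low"): "Moderate", ("High", "Moderate"): "High",         ("High", "High"): "High",
}
# Risk management schedule (assumption): days allowed to address each rating.
DAYS_TO_ADDRESS = {"High": 30, "Moderate": 90, "Low": 180}

@dataclass
class RiskScenario:
    asset: str          # where ePHI lives or moves (from the inventory)
    vulnerability: str  # what makes that ePHI exposed
    threat: str         # human, environmental or natural
    likelihood: str     # one of LEVELS
    impact: str         # one of LEVELS
    rationale: str      # notes on how the ratings were decided, kept for the report

    def rating(self) -> str:
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"{self.asset}: likelihood/impact must be one of {LEVELS}")
        return RISK_MATRIX[(self.likelihood, self.impact)]

def risk_analysis(scenarios):
    """The rating matrix applied to every scenario, highest risk first (stable for ties)."""
    return sorted(scenarios, key=lambda s: LEVELS.index(s.rating()), reverse=True)

def management_plan(scenarios):
    """Risk management: one scheduled action per identified risk, with the rationale kept."""
    return [{"asset": s.asset, "rating": s.rating(), "due_in_days": DAYS_TO_ADDRESS[s.rating()],
             "rationale": s.rationale} for s in risk_analysis(scenarios)]

# Constructed sample register for a small practice (not from the article).
SAMPLE = [
    RiskScenario("Backup tapes", "only copy kept on site", "fire (environmental)",
                 "Low", "High", "sprinklers installed, but a fire means total loss of ePHI"),
    RiskScenario("Copier hard drive", "not wiped at lease end", "disposal vendor (human)",
                 "Moderate", "Moderate", "lease ends next year; drive holds scanned charts"),
    RiskScenario("EHR server", "missing OS patches", "remote attacker (human)",
                 "High", "High", "internet-facing; holds every patient record"),
    RiskScenario("Clinic laptop", "no full-disk encryption", "theft (human)",
                 "Moderate", "High", "travels between sites and caches ePHI locally"),
]
```

Calling `management_plan(SAMPLE)` yields the schedule with the two High items due first; the `rationale` field is what preserves the "how we decided" notes an auditor asks for.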

If you would like to read the resolution agreement and corrective action plan for the University of Washington Medicine, you can download it here: UW Medicine RA & CAP


Phil Cooper

Phil Cooper is a serial entrepreneur and co-founder of Skysail Software. He co-founded NetTech, an IT services company, in 1995, which he and partner Jeff Franks sold to MapleTronics Computers in 2009. He currently serves as CIO for MapleTronics and is the Chief Software Architect for Skysail Software. His years in the IT services field have provided ample opportunity to work with physicians and administrators in the medical community. This first-hand experience has helped him understand the struggles that many independent practices face complying with HIPAA, especially the Security Rule. Along with Franks, Cooper decided it was time for the right tools to be built to assist the medical community with making HIPAA compliance manageable. So, Skysail Software was born. He has also served seven years on the board of Riverside Christian Academy, five as Board Chair, and has noted that it has been "one of the most significant and rewarding experiences of my life". He is an avid aviation buff and once had a rock band called Gantry...yes, along with Franks. Phil and his wife Debbie have two boys, Tyler and Ben, and reside in Fayetteville, TN.

The ONE Thing Most Covered Entities Are Missing About HIPAA


We seem to be overrun with rules and regulations these days.  To open a medical office requires understanding of things like HIPAA, Medicare/Medicaid regulations, OSHA, tax regulations, HR documentation/policies and even how to run a business, to name a few.  The idea of adding to that list of 'things to do' can be overwhelming.  But, unfortunately, there is at least one thing that you may not be doing today that you must: HIPAA Security.  Now, I know what you're thinking….

'My IT company handles that' or

'I have a good firewall, so I'm good' or even

'I did my HIPAA Security when I attested for Meaningful Use'. 

There is a problem with all of those statements: they're wrong.  The dark truth that most vendors aren't telling you is that HIPAA Security is now part of your world and will be something you have to work with on a daily basis until you retire or leave the medical profession.  There is no silver bullet or magic product to get it off your plate.

Now, I know that sounds like a big statement…and it is.  But what we've found a lot of people don't understand is that there is no certificate for being 'HIPAA Compliant', and that no piece of equipment or consultant can make you 'HIPAA Compliant'.  HIPAA Security is a walk, not a place.  You HAVE to deal with it in your office daily.

Go back and read some of our previous blogs about why this is the case.  See how HIPAA Security is NOT about your Technology or check out The Business Case for HIPAA Security. We've spent a lot of time talking about 'HOW' to be compliant with the Security Rule, but we still have trouble getting through with the 'WHY'.

The 'WHY' of HIPAA Security is simply this...ready for it?...Are you sitting down?....

HIPAA Security is the best thing you can do for your practice and your patients.

Really...it is.  The recent issues with Network Security and personal information that we've seen with several national retailers should help sell this idea.  The 'hackers' of the 80's and 90's are gone.  Those guys were interested in vandalizing your network.  The new breed of hacker now wants your information.  They steal it, sell it and use it to make money...lots of it.

Just like computers are now a part of our lives, professionally and personally, so should the HIPAA Security Rule.  Why?  Because those same computers can be responsible for allowing information about you, your practice and your patients to fall into the wrong hands.  And that can lead to HUGE liabilities and lawsuits for everyone involved!

The point is, we all hate rules that make no sense to us. And when it comes to HIPAA Security, we often don't understand WHY we should have to do all those things the government wants us to do.  But the reality is that whether you completely understand it or not, you HAVE to start working toward the goal of continual compliance.  HIPAA Security is here to stay.  If you are in this industry, you will deal with this issue every day of your career.  If you're not taking the HIPAA Security rule seriously, if you've not documented ALL your policies, if you've not even read the Security rule...then there is no way you're 'HIPAA Compliant' no matter what your Firewall Vendor told you.

While it may be time consuming and even a bit overwhelming, securing your patient health information (and documenting it!) is one of the most important things a medical practice in 2014 HAS to do.


Jeff Franks is the co-founder of Skysail Software, makers of affordable HIPAA Security Rule compliance management software solutions.  HIPAA FLIGHTPLAN provides centralized documentation of your HIPAA Security Rule compliance program.  HIPAA TIPS delivers Security Awareness training to your entire staff, every month, without impacting your daily operations.

Why your Firewall isn't 'HIPAA Compliant'


As we've mentioned in previous articles, there are tons of misconceptions out there on what it means to be 'HIPAA Compliant'.   In fact, the main reason we publish this blog is simply to help our clients understand  more about what they really need to focus on and what they are 'missing' in the grand scope of HIPAA Security Compliance.

I don't want to sound redundant with this post, but recently I've run into a couple of vendors who told me they were selling 'HIPAA Compliant firewalls that will make your clients HIPAA Ready'.  Now, many of you know exactly what's wrong with that statement.  But for those of you who don't, let me explain.  HIPAA Compliance has very little to do with the actual hardware in your network. To be honest, a $500 firewall will likely be just as 'compliant' as a $5000 one (in terms of HIPAA's requirements).

The problem is that many vendors sell their products as 'HIPAA Compliant' and then many sales people don't understand what that means.  A piece of hardware that is sold as 'HIPAA Compliant' simply means that the hardware CAN do the job needed to help you with your compliance.  But unlike what the salesperson might tell you, no piece of hardware will MAKE you compliant.

As we've discussed (see 4 Reasons Why You May Be Missing the Point with HIPAA Security), HIPAA Security Compliance is a process that you'll never complete.  It requires decisions, documentation and then implementation of policies that YOU decide on.  So, yes, you may have the best firewall on the market, but if that firewall is not configured to match your documented policies, you're no more 'HIPAA Compliant' than if you'd done nothing at all!

Understand what 'HIPAA Compliant' hardware and equipment is.  It just means that it is CAPABLE of doing what you need it to do to help with your compliance.  But without your decisions on policies and the documentation to back it up, it's no better than any other hardware that’s out there.  If you don't understand anything else about HIPAA Security Compliance, know this! 

So the next time you're at a trade show and a vendor talks to you about how their hardware/software/whatever can make you 'HIPAA Compliant', you can snicker a little and then educate them on why that’s not the case.


Jeff Franks is the co-founder of Skysail Software, makers of affordable HIPAA Security Rule compliance management software solutions.  HIPAA FLIGHTPLAN provides centralized documentation of your HIPAA Security Rule compliance program.  HIPAA TIPS delivers Security Awareness training to your entire staff, every month, without impacting your daily operations.

The First Step to HIPAA Security (That You May Be Missing)

If you're reading any of our blogs, you're obviously interested in HIPAA Security.  Maybe you are just keeping on top of things or maybe you're getting started in the world of HIPAA Security and are looking for a starting line.  No matter your situation, there is one overall question you can ask yourself and then use that as a starting point to evaluate your current situation.  The Question? 

 

"Do you know where all the ePHI exists in your office/practice? And is it secure and recoverable?"


Ok, ok…technically that is two questions, but they go together!  The reason this is such a good place to start is that oftentimes Security Officers will begin with things like network security, firewalls, password policies or teammate training.  While those are all good things and they will need to be done at some point, the first thing to determine is WHAT you need to secure, and only then how to secure it.

A good example of how many covered entities get off on the wrong foot is when they go to their IT vendor or department and tell them 'we need to be HIPAA Compliant…make it so'.  Well, this isn't how it works. Not only can you not outsource your compliance to an IT firm, but you are assuming that your ePHI security is a technical issue (see our previous blog "Why HIPAA Security is NOT about Technology"). 

The first thing you HAVE to do is determine where ePHI exists in your offices.  Let's take a look at some of the obvious ones…and a few not so obvious:

  1. Your EHR software servers. Are they in your office or hosted in the cloud?
  2. Tablets/laptops. Do they have ePHI data on them, and are you physically securing them when not in use?
  3. Your server backups. Are they on tape or disk, are those physically secure, and do you have offsite copies?
  4. Fax servers. Even if your EHR is hosted somewhere else, if you have a local fax server, ePHI might be at risk there as well.
  5. Copiers. Many people don't know that most office copiers today have a hard drive in them, so every item that is copied or printed on that copier leaves an image on that hard drive. That drive needs to be secured, and dealt with when your lease is up!
  6. Any media that you use in your office: CDs, DVDs, USB drives, etc. Any form of electronic storage that holds ePHI has to be tracked and logged.

 

The key to identifying all of the places you store ePHI is to inventory your infrastructure.  THIS is where your IT vendor will be a great asset. Work with them to be sure you have gone over your entire setup and found all possible places that ePHI could be stored, created, transmitted or accessed. Then be sure you have policies in place to secure that data from outsiders AND secure it from data loss (backups).

You can read more about how to go about this from the HHS's document "Guidance on Risk Analysis Requirements under the HIPAA Security Rule".  It can be found on our Resources page HERE.


Jeff Franks is the co-founder of Skysail Software, makers of affordable HIPAA Security Rule compliance management software solutions.  HIPAA FLIGHTPLAN provides centralized documentation of your HIPAA Security Rule compliance program.  HIPAA TIPS delivers Security Awareness training to your entire staff, every month, without impacting your daily operations.