The First Step to HIPAA Security (That You May Be Missing)

If you're reading any of our blogs, you're obviously interested in HIPAA Security. Maybe you are just keeping on top of things, or maybe you're getting started in the world of HIPAA Security and looking for a starting line. No matter your situation, there is one overall question you can ask yourself and then use as a starting point to evaluate your current situation. The question?


"Do you know where all the ePHI exists in your office/practice? And is it secure and recoverable?"



Ok, ok…technically that is two questions, but they go together! The reason this is such a good place to start is that security officers will often begin with things like network security, firewalls, password policies or teammate training. While those are all good things and they will need to be done at some point, the first thing to determine is WHAT you need to secure, and only then how to secure it.

A good example of how many covered entities get off on the wrong foot is when they go to their IT vendor or department and tell them 'we need to be HIPAA compliant…make it so'. Well, that isn't how it works. Not only can you not outsource your compliance to an IT firm, but you are also assuming that your ePHI security is a technical issue (see our previous blog "Why HIPAA Security is NOT about Technology").

The first thing you HAVE to do is determine where ePHI exists in your offices. Let's take a look at some of the obvious ones…and a few not so obvious:

  1. Your EHR software servers. Are they in your office or hosted in the cloud?
  2. Tablets/laptops. Do they have ePHI data on them, and are you physically securing them when not in use?
  3. What about your server backups? Are they on tape or disk, and are those physically secure? Do you have offsite copies?
  4. Fax servers. Even if your EHR is hosted somewhere else, if you have a local fax server, ePHI might be at risk there as well.
  5. Copiers. Many people don't know that most office copiers today have a hard drive in them. Every item that is copied or printed on that copier leaves an image on that hard drive, so the drive needs to be secured while the copier is in use and dealt with when your lease is up!
  6. Any media that you use in your office: CDs, DVDs, USB drives, etc. Any form of electronic storage that holds ePHI has to be tracked and logged.


The key to identifying all of the places you store ePHI is to inventory your infrastructure. THIS is where your IT vendor will be a great asset. Work with them to be sure you have gone over your entire setup and found every place that ePHI could be stored, created, transmitted or accessed. Then be sure you have policies in place to secure that data from outsiders AND to protect it from data loss (backups that you have actually tested restoring from).
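One way to keep that inventory honest is to record, for every asset, the same questions the list above asks (physically secured? encrypted? backed up offsite? restore tested? media logged? copier drive wiped at end of lease?) and let a small script flag the gaps. The following is an added example written for this post, not a tool from the original article or from Skysail Software; the asset names, locations and the control fields in RULES are hypothetical and should be adjusted to your own risk analysis.

```python
# Added example (not from the original post): a minimal ePHI asset
# inventory with a control-gap check. Asset names, locations and the
# control names are hypothetical; tailor the RULES table to your own
# risk analysis.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Asset:
    name: str
    kind: str                    # ehr_server | laptop | backup | fax_server | copier | media
    location: str                # where it physically sits (office, cloud vendor, offsite vault)
    holds_ephi: bool = True
    encrypted_at_rest: bool = False
    physically_secured: bool = False
    backed_up: bool = False
    offsite_backup: bool = False
    restore_tested: bool = False
    tracked_in_log: bool = False     # media log for CDs/DVDs/USB drives
    wipe_at_disposal: bool = False   # copier/drive sanitized when the lease ends


# Controls expected for each asset kind, mirroring the questions in the post.
RULES: Dict[str, List[str]] = {
    "ehr_server": ["encrypted_at_rest", "physically_secured", "backed_up",
                   "offsite_backup", "restore_tested"],
    "laptop":     ["encrypted_at_rest", "physically_secured"],
    "backup":     ["encrypted_at_rest", "physically_secured", "offsite_backup",
                   "restore_tested"],
    "fax_server": ["encrypted_at_rest", "physically_secured", "backed_up"],
    "copier":     ["physically_secured", "wipe_at_disposal"],
    "media":      ["encrypted_at_rest", "tracked_in_log"],
}


def gaps(asset: Asset) -> List[str]:
    """Return the controls an ePHI-bearing asset is missing for its kind."""
    if not asset.holds_ephi:
        return []
    if asset.kind not in RULES:
        # An asset type nobody has classified is itself a finding.
        return ["unclassified asset kind: " + asset.kind]
    return [control for control in RULES[asset.kind] if not getattr(asset, control)]


def gap_report(inventory: List[Asset]) -> Dict[str, List[str]]:
    """Map each asset name to its missing controls; clean assets are omitted."""
    report: Dict[str, List[str]] = {}
    for asset in inventory:
        missing = gaps(asset)
        if missing:
            report[asset.name] = missing
    return report


def not_recoverable(inventory: List[Asset]) -> List[str]:
    """The 'is it recoverable?' half: ePHI systems that should have a tested restore but don't."""
    return [asset.name for asset in inventory
            if asset.holds_ephi
            and "restore_tested" in RULES.get(asset.kind, [])
            and not asset.restore_tested]


# Constructed sample inventory for a fictional practice, not real data.
SAMPLE_INVENTORY = [
    Asset("ehr-db-01", "ehr_server", "server closet", encrypted_at_rest=True,
          physically_secured=True, backed_up=True, offsite_backup=True,
          restore_tested=False),
    Asset("front-desk-laptop", "laptop", "reception", encrypted_at_rest=False,
          physically_secured=True),
    Asset("nightly-tape", "backup", "server closet", encrypted_at_rest=True,
          physically_secured=True, offsite_backup=False, restore_tested=False),
    Asset("fax-01", "fax_server", "server closet", encrypted_at_rest=False,
          physically_secured=True, backed_up=True),
    Asset("lobby-copier", "copier", "lobby", physically_secured=True,
          wipe_at_disposal=False),
    Asset("usb-export-drive", "media", "billing office", encrypted_at_rest=True,
          tracked_in_log=False),
    Asset("guest-wifi-ap", "network", "lobby", holds_ephi=False),
]

if __name__ == "__main__":
    for name, missing in gap_report(SAMPLE_INVENTORY).items():
        print(f"{name}: missing {', '.join(missing)}")
    print("not recoverable:", not_recoverable(SAMPLE_INVENTORY))
```

Two design points are worth noting. First, an asset whose kind is not in the rules table is reported rather than silently skipped, because an unclassified system is exactly the kind of place ePHI hides. Second, "backed up" and "recoverable" are tracked as separate flags: a backup nobody has ever restored from does not answer the second half of the question.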

You can read more about how to go about this in the HHS document "Guidance on Risk Analysis Requirements under the HIPAA Security Rule". It can be found on our Resources page.


Stay with us! We want to help dispel the myths! Check out our blog (updated at least twice a week). Follow us on Facebook/LinkedIn/Twitter for more updates like these!

Jeff Franks is the co-founder of Skysail Software, makers of affordable HIPAA Security Rule compliance management software solutions. HIPAA FLIGHTPLAN provides centralized documentation of your HIPAA Security Rule compliance program. HIPAA TIPS delivers security awareness training to your entire staff, every month, without impacting your daily operations.