Tuesday, May 17, 2005

Early Observations

Now that the HIPAA Security Rule has been in effect for almost a month, I have had the opportunity to see how well agencies are actually implementing the rule. It's a mixed bag but here are a few things to think about.

1. If a workstation or laptop containing EPHI is seriously infected with spyware or a virus, it is considered a Security Incident and must be logged in your Security Incident Log. (See the 12/21/04 post on this blog.)

2. If a workstation or laptop containing EPHI is lost in a fire or some other type of accident it is a Security Incident and must be logged in your Security Incident Log and must be documented in your Equipment Disposal Log. The same is true if the device is stolen. Other steps may need to be taken as well such as changing passwords, notifying authorities, etc.

3. If servers, workstations, laptops, or other devices containing EPHI are showing errors in their Security Event Logs, this may be a Security Incident and, if so, must be logged in your Security Incident Log.

The Risk Assessment requirement of the Security Rule should have produced a list of all devices that contain EPHI. This list is very useful for determining which of the above incidents do or do not need to be logged.

Each of these types of incidents has occurred in the last month to some of our Clients. In each case I'm not sure that HIPAA Security compliance popped up the way it should have. We have all spent a lot of time creating policies and procedures to meet the requirements of the Rule. Let's make sure that we practice what we defined.

Thursday, April 28, 2005

Documentation Requirements

The HIPAA Security Rule includes several required tasks regarding documentation of your HIPAA Security Rule policies and procedures. The requirement is that agencies maintain the policies and procedures implemented to comply with the Security Rule in written and/or electronic form, and that any action, activity, or assessment the Rule requires to be documented is recorded in written or electronic form.

There are 3 requirements for your documentation:

  • Retain the documentation required for 6 years from the date of its creation or the date when it was last in effect, whichever is later.
  • Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
  • Review documentation periodically, and update as needed in response to environmental or operational changes affecting the security of EPHI.

That's it! We're done! You deserve a gold star if you've gotten this far. More importantly, if you've met all of these requirements your agency is HIPAA Security Rule compliant. Congratulations!

I will continue to use this Blog to answer HIPAA related questions and distribute any new related information. I hope this Blog has been useful in making your agency compliant with the HIPAA Security Rule.

Monday, April 25, 2005

Encryption

The last item under the Transmission Security task of the Technical Section is Encryption. This is an addressable item that requires that agencies implement a mechanism to encrypt EPHI whenever deemed appropriate.

Unfortunately, no guideline is given for the type of encryption to use. In order to use encryption, both the sender and receiver must agree upon an encryption method and exchange the necessary key material. This process only comes into play when transmitting EPHI. For the most part, agencies are tied to the methods of transmission required by Medicare, Medicaid, etc. If you are transmitting EPHI to other locations, you may need to develop an encryption mechanism.

This is the last item in the HIPAA Security Rule. My next post will detail some documentation requirements that fall outside of the Administrative, Physical, and Technical sections of the rule.

Thursday, April 21, 2005

Integrity Controls

The next Technical Section task is Integrity Controls. It is an addressable task that requires agencies to implement security measures to ensure that electronically transmitted EPHI is not improperly modified without detection, from transmission until it is disposed of.

All communications programs provide some type of Integrity Controls. For most agencies this task will be satisfied by those programs. If you have developed any unique communications mechanisms you must evaluate this task more in depth.
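As an added illustration of what "not improperly modified without detection" means in practice (this is example code, not from the original post or any agency's own system), the following shows the simplest integrity control for EPHI in transit: the sender appends an HMAC-SHA256 tag computed with a key both parties agreed on beforehand (the shared-key point from the Encryption post), and the receiver recomputes the tag and rejects any record that was altered on the way. The pre-shared key and the patient record are constructed for the example; it uses only the Python standard library. It detects modification but does not hide the contents, so for the Encryption task you would pair it with, or replace it by, an authenticated cipher such as AES-GCM from a cryptography library.

```python
"""Integrity control for EPHI in transit: HMAC-SHA256 tag over a serialized record.

Added example (not from the original post). Assumes a hypothetical pre-shared
key that sender and receiver agreed on out of band. Standard library only.
"""
import hashlib
import hmac
import json

# Constructed for this example. A real key would be generated once, agreed on by
# both parties, and stored per the agency's key-management procedure.
SHARED_KEY = bytes.fromhex(
    "6b7a2f0e1c9d4e8a5b3c7d1f0a2e4c6b8d9f1e3a5c7b9d0f2a4c6e8b1d3f5a7c"
)

# Constructed sample EPHI record (fictitious patient data).
SAMPLE_RECORD = {
    "patient_id": "MRN-000123",
    "dob": "1970-01-01",
    "diagnosis_code": "J45.909",
}


def protect_record(record: dict, key: bytes = SHARED_KEY) -> bytes:
    """Serialize the record and append an HMAC-SHA256 tag.

    Canonical JSON (sorted keys, no whitespace) so both sides compute the
    tag over identical bytes. Wire format: <json>.<hex tag>
    """
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def verify_record(message: bytes, key: bytes = SHARED_KEY):
    """Return the record if the tag verifies; return None if the message
    was modified in transit (or the key does not match).

    rpartition on the last '.' is safe: the hex tag never contains '.'.
    """
    payload, sep, tag = message.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison avoids leaking tag bytes through timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def tamper_demo() -> tuple:
    """Show detection: an intact message verifies, a modified one is rejected."""
    message = protect_record(SAMPLE_RECORD)
    intact = verify_record(message)
    # Simulate an in-transit modification of the diagnosis code.
    altered = message.replace(b"J45.909", b"J45.901")
    modified = verify_record(altered)
    return intact, modified


if __name__ == "__main__":
    ok, bad = tamper_demo()
    print("intact record accepted:", ok == SAMPLE_RECORD)
    print("modified record rejected:", bad is None)
```

The receiver's only decision is whether the tag matches; a failed check is exactly the "detected modification" the task asks for, and should itself be recorded in the Security Incident Log discussed in the Early Observations post.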