Thursday, March 31, 2005

Integrity

The Integrity portion of the Technical Rule requires that agencies implement policies and procedures to protect EPHI from improper alteration or destruction.

All of the previous security tasks play a part in this portion of the rule. One of the goals of the Security Rule tasks is to ensure the integrity of your EPHI data. By implementing solutions to the other Security Rule tasks you are, for the most part, meeting this task. There is one sub-task under Integrity that I will address in my next post.

Monday, March 28, 2005

Audit Controls

The next Technical Section Task is Audit Controls. Agencies must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI.

There are at least three items that come into play here. First, Windows Server has a Security Event Log that can track successful and unsuccessful network login attempts. This log must be turned on if it is not already on and should be periodically checked for inappropriate activity. Next, your agency management software should have some type of auditing function available. You need to know how to use this auditing function and periodically check the logs for inappropriate use. Check with your software vendor on this. And last, your Internet firewall may have some type of logging function that should be monitored. This log is best monitored by someone like ourselves or whoever you use for IT support.
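One way to do the periodic check of unsuccessful logins, as an added example that is not part of the original post. It assumes Windows Vista / Server 2008 or later, where a failed logon is Security event ID 4625; the function names, the review threshold and the sample records are constructed for illustration.

```powershell
# Added example, not from the original post. Event ID 4625 (failed logon) applies to
# Windows Vista / Server 2008 and later; the threshold below is an assumed value.

function Read-FailedLogon {
    # Pull failed logons from the live Security log (needs an elevated session).
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Account = $data['TargetUserName']
            Source  = $data['IpAddress']
            Time    = $_.TimeCreated
        }
    }
}

function Get-FailedLogonSummary {
    # Group failures per account and mark accounts at or above the threshold.
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        [int]$Threshold = 5
    )
    $Records | Group-Object Account | ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            Account  = $_.Name
            Failures = $_.Count
            Sources  = ($_.Group.Source | Sort-Object -Unique) -join ', '
            First    = $times | Select-Object -First 1
            Last     = $times | Select-Object -Last 1
            Review   = $_.Count -ge $Threshold
        }
    } | Sort-Object Failures -Descending
}

# Constructed sample records so the summary can be tried without log access.
$sample = @(
    1..6 | ForEach-Object {
        [pscustomobject]@{ Account = 'jsmith'; Source = '192.0.2.10'; Time = (Get-Date '2005-03-28 02:00').AddMinutes($_) }
    }
    [pscustomobject]@{ Account = 'mjones'; Source = '198.51.100.7'; Time = (Get-Date '2005-03-28 08:15') }
)
Get-FailedLogonSummary -Records $sample | Format-Table -AutoSize

# Against the real log: Get-FailedLogonSummary -Records (Read-FailedLogon -Days 7)
```

With the sample data, `jsmith` is listed first with six failures and `Review` set to true, while `mjones` has a single failure and is not flagged.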

Thursday, March 24, 2005

Encryption and Decryption

Encryption and Decryption is the next and last Access Control task. This task requires agencies implement a mechanism to encrypt and decrypt EPHI. It is an addressable task.

This task requires that agencies look at and address the need for encryption and decryption for any electronic transfer of EPHI data. This can entail transmission to billing entities, email, and remote access by employees. Some of these items, like transmission to Medicaid or Medicare, are not under your control. You must use the methods and/or software that they dictate. Email can be a big issue if you transfer any EPHI, even if it is with your patient. The patient could probably sign a waiver indicating they realize that Internet email is not secure. Or you could create a policy stating that no EPHI should be sent via email. I suspect that this will get tougher as more patients elect to use email for some communications with their doctors.

No remote access to your location should be provided without a VPN (Virtual Private Network). A VPN by its nature encrypts and decrypts data that passes through it.

Monday, March 21, 2005

Automatic Logoff

The next Access Control task is Automatic Logoff. This is an addressable task that requires agencies implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

This is a relatively simple task, although it has its caveats. Simply put, if you leave your workstation for a period of time, the EPHI data must be made unavailable to unauthorized users. We suggest that you use the Windows Screen Saver timeout for this function. After a predetermined amount of inactivity the workstation's screensaver will come on, requiring the user's password to continue working. At the Windows level this will cover any application that is running. Some applications like Misys and McKesson have built-in timeouts as well, which will work just fine for that one application, but not for any other EPHI type of application.

Choosing the amount of time before the inactivity timeout is triggered can be tricky. Setting it to 5 minutes is too short, while setting it to 60 minutes is too long. Our clients find 20 to 30 minutes seems reasonable.

You should also have a policy stating users need to logout when leaving their workstations for a period of time.
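A check of the screen saver lock described above, as an added example that is not part of the original post. It reads the standard per-user screen saver registry values (and their Group Policy counterparts) and compares the timeout with the 20 to 30 minute window suggested here; the function name and parameter names are hypothetical.

```powershell
# Added example, not from the original post. Run in the session of the user being checked.
function Test-ScreenSaverLock {
    param(
        [int]$MinMinutes = 20,   # lower bound of the window suggested in the post
        [int]$MaxMinutes = 30    # upper bound of the window suggested in the post
    )
    # A Group Policy value, when present, takes precedence over the user's own setting.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop'
    )
    $effective = @{}
    foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut') {
        foreach ($path in $paths) {
            $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -ne $value) { $effective[$name] = $value; break }
        }
    }

    $findings = @()
    if ($effective['ScreenSaveActive'] -ne '1')    { $findings += 'Screen saver is not enabled' }
    if ($effective['ScreenSaverIsSecure'] -ne '1') { $findings += 'No password required on resume' }

    # ScreenSaveTimeOut is stored as a string holding a number of seconds.
    $seconds = 0
    [void][int]::TryParse([string]$effective['ScreenSaveTimeOut'], [ref]$seconds)
    $minutes = [math]::Round($seconds / 60, 1)
    if ($seconds -le 0) {
        $findings += 'No inactivity timeout configured'
    } elseif ($minutes -lt $MinMinutes) {
        $findings += "Timeout of $minutes min is below the $MinMinutes min window"
    } elseif ($minutes -gt $MaxMinutes) {
        $findings += "Timeout of $minutes min is above the $MaxMinutes min window"
    }

    [pscustomobject]@{
        User           = $env:USERNAME
        TimeoutMinutes = $minutes
        Compliant      = ($findings.Count -eq 0)
        Findings       = $findings -join '; '
    }
}

Test-ScreenSaverLock | Format-List
```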

Friday, March 18, 2005

Emergency Access Procedure

The Emergency Access Procedure task of the Access Control section requires agencies establish and implement procedures for obtaining necessary EPHI during an emergency.

This could entail many items depending on the "emergency". If any one user has access to specific EPHI data, there must be another way to access this data. A manager must have or be able to access or change the user password in order to access the data if the user is not available. Your network operating system and/or application software should allow for this. As this task covers Access Control only, it is not intended to include all of the items that should be found in your Disaster Recovery Plan or your Emergency Mode Operation Plan, which are separate requirements of the HIPAA Security Rule. This task basically requires that you have a policy regarding gaining access to a user's EPHI data if they are not available.

Tuesday, March 15, 2005

The Technical Section

The next section of the HIPAA Security Rule is the Technical Section. The Technical Section consists of several components. The first is Access Control, which consists of 2 required tasks and 2 addressable tasks. The Access Control component requires agencies implement technical policies and procedures for electronic information systems that allow access only to those persons or software programs that have been granted access rights.

Once you have a policy that defines how persons are given the right to access EPHI, this section defines how you will technically ensure the policy is enforced. The first required task under Access Control is Unique User Identification. This task requires that agencies assign a unique name and/or number for identifying and tracking user identity. This means that all EPHI users must have a unique network login as well as a unique login to any applications that store EPHI. If you are not using the user name as part of the identification process, the unique name or number must be able to be tracked to a specific user.

Tuesday, March 08, 2005

Data Backup and Storage

The last Physical Section task is Data Backup and Storage. This is an addressable task that requires agencies create a retrievable, exact copy of EPHI, when needed, before movement of equipment.

This is straightforward. Or is it? If you move a device that contains EPHI you must make a backup BEFORE it is moved. Simple enough. Now what about those laptops? They contain EPHI, they get moved. Here is where the addressable part comes in. It is not practical to do a backup of every laptop before each and every move. This is a reminder, however, that nursing laptops contain EPHI and must be evaluated relative to the Security Rule tasks.

Accountability

The Accountability Task of the Physical Section requires agencies maintain a record of the movements of hardware and electronic media and any person responsible therefore. This is an addressable task.

Basically, you must maintain a log of any movements of hardware or media that contains EPHI. The log must include who moved it, when, and who is now in charge of it if appropriate.

Friday, March 04, 2005

Media Re-Use

The Media Re-Use Physical Section task requires agencies implement procedures for removal of EPHI from electronic media before the media are made available for re-use.

This task is similar to the Disposal Task except it addresses those cases when the media or device is going to be re-used as opposed to destroyed. It is best not to re-use backup tapes. They should generally always be destroyed. You may, however, wish to re-use a server, workstation, laptop, or other device that may have had EPHI on it. In this case the use of a disk "cleaning" utility will be required. A log of this process should be kept as well.

Wednesday, March 02, 2005

Disposal

Disposal is the next Physical Section Rule that must be addressed. It is a required task that requires agencies implement policies and procedures to address the final disposition of EPHI, and/or the hardware or electronic media on which it is stored.

You must have a policy and document the disposal of any EPHI related data, hardware, or media. When you dispose of servers, workstations, laptops, or any other portable devices, you must ensure that any EPHI data is fully removed. Deleting files or formatting hard disks is not sufficient. There are special software programs that can handle this job or you can physically destroy the hard drive in the device. Retired backup tapes should be destroyed and not used elsewhere, thrown in the garbage, or given to anyone. A Disposal Log must be maintained.