Thursday, April 28, 2005

Documentation Requirements

The HIPAA Security Rule includes several required tasks regarding documentation of your HIPAA Security Rule policies and procedures. The requirement is that agencies maintain the policies and procedures implemented to comply with the Security Rule in written and/or electronic form and if an action, activity, or assessment is required to be documented, it is to be done so in written or electronic format.

There are 3 requirements for your documentation:

  • Retain the documentation required for 6 years from the date of its creation or the date when it was last in effect, whichever is later.
  • Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
  • Review documentation periodically, and update as needed in response to environmental or operational changes affecting the security of EPHI.

That's it! We're done! You deserve a gold star if you've gotten this far. More importantly, if you've met all of these requirements your agency is HIPAA Security Rule compliant. Congratulations!

I will continue to use this Blog to answer HIPAA related questions and distribute any new related information. I hope this Blog has been useful in making your agency compliant with the HIPAA Security Rule.

Monday, April 25, 2005

Encryption

The last item under the Transmission Security task of the Technical Section is Encryption. This is an addressable item that requires that agencies implement a mechanism to encrypt EPHI whenever deemed appropriate.

Unfortunately, there is no guideline given for the type of encryption to use. In order to use encryption both the sender and receiver must agree upon an encryption method and share parts of the encryption keys. This process would only come into play when transmitting EPHI. For the most part agencies are tied to the methods of transmission required by Medicare, Medicaid, etc. If you are transmitting EPHI to other locations you may need to develop an encryption mechanism.

This is the last item in the HIPAA Security Rule. My next post will detail some documentation requirements that fall outside of the Administrative, Physical, and Technical sections of the rule.

Thursday, April 21, 2005

Integrity Controls

The next Technical Section task is Integrity Controls. It is an addressable task that requires agencies to implement security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until it is disposed of.

All communications programs provide some type of Integrity Controls. For most agencies this task will be satisfied by those programs. If you have developed any unique communications mechanisms you must evaluate this task more in depth.

Monday, April 18, 2005

Transmission Security

This Technical Section task requires agencies implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.

For most agencies the methods that are used to transmit EPHI data are not under their control. Medicare and Medicaid dictate how you must transmit to them. In both cases, however, you have user names and passwords. These items should be treated the same as your network user names and passwords, with the highest level of security. Only those users who need access to these processes should have these passwords.

Remote updating or syncing of data for nurses' laptops also falls under this task. You must have user names and passwords for any user who is connecting and transmitting EPHI data from outside your office. These passwords must be kept secure.

Thursday, April 07, 2005

Person or Entity Authentication

This part of the Technical Rule requires agencies implement procedures to verify that a person or entity seeking access to EPHI is the one claimed.

Login passwords, login logging, and proper user security implementation will satisfy this task for most agencies.

Monday, April 04, 2005

Mechanism To Authenticate EPHI

The only subtask under the Integrity task is a Mechanism to authenticate EPHI. This is an addressable task that requires agencies implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner.

Virus protection, Spyware protection, Windows Updates, firewall protection, access controls, login logging, and many of the other items that are covered in this rule result in meeting this task as best as can be expected for most agencies.
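The Encryption post (April 25) says sender and receiver must agree on a method and share key material, the Integrity Controls post (April 21) asks that transmitted EPHI not be modified without detection, and this post asks for a mechanism to corroborate that EPHI has not been altered. One mechanism that satisfies all three at once is authenticated encryption with a pre-shared key. The Go program below is an added example written for this page, not code from the blog or from any Medicare/Medicaid transmission system; it assumes a 256-bit key exchanged out of band, uses AES-GCM from Go's standard library, and treats a record identifier as an authenticated-but-unencrypted header. The function names and the sample record are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrTampered is returned when the GCM authentication tag does not verify,
// i.e. the ciphertext, the nonce or the header was changed in transit.
var ErrTampered = errors.New("EPHI record failed integrity check")

// SealEPHI encrypts one record under a key the sender and receiver share
// out of band (hypothetical helper). The returned slice is
// nonce || ciphertext || tag, so everything the receiver needs travels
// together. header (for example a record id) is authenticated but not
// encrypted, so it can be read for routing yet cannot be altered unnoticed.
func SealEPHI(key, header, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record: reusing a nonce under the same key
	// breaks both confidentiality and integrity guarantees of GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce buffer.
	return aead.Seal(nonce, nonce, plaintext, header), nil
}

// OpenEPHI reverses SealEPHI. Any modification of the sealed bytes or the
// header yields ErrTampered and no plaintext, which is the "not modified
// without detection" property the Integrity Controls task asks for.
func OpenEPHI(key, header, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Reject records too short to even hold a nonce and a tag.
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, ErrTampered
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ct, header)
	if err != nil {
		return nil, ErrTampered
	}
	return plaintext, nil
}

func main() {
	// Constructed sample key and record; a real key comes from a key
	// exchange or secure out-of-band delivery, never a fixed constant.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	header := []byte("record-42")
	record := []byte("patient visit note (constructed sample EPHI)")

	sealed, err := SealEPHI(key, header, record)
	if err != nil {
		panic(err)
	}
	got, err := OpenEPHI(key, header, sealed)
	fmt.Printf("untouched record: %q err=%v\n", got, err)

	// Simulate a single flipped bit during transmission.
	damaged := append([]byte(nil), sealed...)
	damaged[len(damaged)-1] ^= 0x01
	_, err = OpenEPHI(key, header, damaged)
	fmt.Println("modified record:", err)
}
```

The receiver never sees plaintext from a damaged record, so detection does not depend on a human noticing garbled data. Because the key is symmetric, the same out-of-band agreement the Encryption post describes covers both the confidentiality and the integrity checks here.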