Early Observations

Now that the HIPAA Security Rule has been in effect for almost a month, I have had the opportunity to see how well agencies are actually implementing the rule. It's a mixed bag but here are a few things to think about.

1. If a workstation or laptop containing EPHI is seriously infected with Spyware or a Virus, it is considered a Security Incident and must be logged in your Security Incident Log. (See the 12/21/04 post on this blog).

2. If a workstation or laptop containing EPHI is lost in a fire or some other type of accident it is a Security Incident and must be logged in your Security Incident Log and must be documented in your Equipment Disposal Log. The same is true if the device is stolen. Other steps may need to be taken as well such as changing passwords, notifying authorities, etc.

3. If servers, workstations, laptops, or other devices containing EPHI are showing errors in their Security Event Logs, this may be a Security Incident and must be logged in your Security Incident Log.

The Risk assessment requirement of the Security Rule should have produced a list of all devices that contain EPHI. This list is very useful for determining which of the above incidents may or may not need to be logged.

Each of these types of incidents has occurred in the last month to our some of our Clients. In each case I'm not sure that HIPAA Security compliance popped up the way it should have. We have all spent a lot of time creating policies and procedures to meet the requirements of the Rule. Let's make sure that we practice what we defined.