HIPAA Security Rule – Addressable, not Optional!
By Mike Semel
Blog: 4Medapproved.com/HITSecurity
Twitter: @SemelConsulting
Everyone complains that the HIPAA Security Rule is inconvenient (which it is), but that doesn't mean you can break the security rules in your medical office any more than you can break the security rules at airports, government buildings, and sporting events. Here are a few of the HIPAA Security Rule's Required and Addressable controls that we see medical practices ignoring on a regular basis.
The HIPAA Security Rule’s Implementation Specifications are identified as being Required or Addressable. Addressable specifications are sometimes confused as being Optional, which is not true.
The US Department of Health & Human Services says “a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.” If you believe that an Addressable specification is not reasonable or appropriate, you must document your decision.
Required Controls
These controls must be implemented as written; there is no alternative you can document your way into.
Unique User Identification – Required
No shared logins and passwords are allowed by the HIPAA Security Rule. None. Every system that provides access to electronic Protected Health Information (ePHI) must be able to attribute activity to an individual user: who created, accessed, or modified which files. This includes IT staff and outsourced IT providers that access systems housing patient information, so no shared "admin" account for the help desk either.
Risk Analysis – Required
The very first requirement in the HIPAA Security Rule. The Rule itself doesn't say much about how to do one, but the Office for Civil Rights (OCR) offers guidance for smaller practices and the National Institute of Standards and Technology (NIST) has a free 95-page guide. Beware... the Office of the National Coordinator for Health IT (ONC), in its Meaningful Use guidance, says, "It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional." If you want to pass an audit, think twice about doing this yourself. Most HIPAA fines cite a missing, outdated, or incomplete Risk Analysis.
Risk Management – Required
Many practices stop at the Risk Analysis and put it on the shelf in case of an audit. The HIPAA Security Rule requires you to document the actions you are going to take to reduce your risks or deal with them.
Disaster Recovery Plan – Required
"Establish (and implement as needed) procedures to restore any loss of data." Think narrowly rather than broadly. Common sense says every medical organization and business should have a plan to survive a disaster, but the HIPAA Security Rule only cares about access to patient data. Document how you will recover access to your data and you will comply with the HIPAA Security Rule. Document how you will communicate with your staff, work from an alternate site, and operate after a disaster, and your organization will survive.
Business Associate Agreements – Required
The HIPAA Security Rule in 2005 did not give the HIPAA enforcers power to penalize Business Associates for breaches. This all changed with the HIPAA Omnibus Final Rule in 2013. Business Associate Agreements with new wording are required. Covered Entities are liable for the compliance of their Business Associates, and their Business Associates’ subcontractors. Don’t stop with the paperwork. Since you are liable you should validate that your vendors and their vendors actually comply with HIPAA.
Audit Controls – Required
While everyone thinks their patient data lives exclusively in their EHR system, it is all over the place: server folders, laptops, desktop hard drives, portable drives, and smartphones. The HIPAA Security Rule requires mechanisms that record and examine activity on every system that holds ePHI, and those access logs are documentation you should plan to keep for the Rule's six-year retention period. In practice that means central accounts and central logging: your network must be a Windows Domain, not a Workgroup where every machine keeps its own accounts and its own logs.
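The two Required controls above, unique user identification and audit controls, only work together: an audit record is useless if it says "admin" instead of a person. The following PowerShell is an added example for this article, not the author's own procedure or an OCR-endorsed script. It turns on file-access auditing for a folder of ePHI on a Windows file server so the Security log records which domain user touched which file, enlarges the log so events survive until they are collected, and pulls a quick who-did-what report. The share path, log size, and lookback window are assumptions; run it in an elevated PowerShell session, and in a domain prefer pushing the audit policy through Group Policy so it is the same on every server.

```powershell
# Added example (not from the original article): file-access auditing for an ePHI share.
# Assumptions: the share path below, a 1 GB Security log, a 24-hour lookback.
$ephiShare = 'D:\Shares\PatientRecords'

# 1. Enable the audit subcategory that actually writes file events (4656/4663).
#    Without this, a SACL on the folder produces no events at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Put a system ACL (SACL) on the folder: audit reads, writes, creates and deletes
#    by anyone, inherited by every subfolder and file.
$acl  = Get-Acl -Path $ephiShare -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    'ReadData, WriteData, AppendData, CreateFiles, Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $ephiShare -AclObject $acl

# 3. A default-sized Security log rolls over in hours on a busy server. Enlarge it and
#    forward or archive it (the size is an assumption; tune to your event volume).
wevtutil sl Security /ms:1073741824 /rt:false

# 4. Who accessed anything under the share in the last 24 hours, attributed to the
#    individual account that did it (this is why shared logins are prohibited).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1) } |
    Where-Object { $_.Message -like "*$ephiShare*" } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object  = $data.ObjectName
            Access  = $data.AccessMask
            Process = $data.ProcessName
        }
    } | Format-Table -AutoSize
```

Step 4 is only a spot check. For the six-year retention the article calls for, the Security log on each server must be forwarded (Windows Event Forwarding, a SIEM, or scheduled archive) to storage that is itself access-controlled and backed up; a log that only lives on the server it describes disappears with the server.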
Addressable (not Optional!) Controls
If you don't think one of these is reasonable for your organization, you must identify a suitable alternative and document the reasons for your decision. Ignoring Addressable controls is a HIPAA Security Rule violation and leaves you wide open to a reportable data breach.
Encryption (data at rest) – Addressable
Encryption = No Data Breach. With all the reported data breaches, why this isn't Required by the HIPAA Security Rule is beyond me. Encrypting data is not expensive, and a lost or stolen device whose data is encrypted is not reportable, provided the encryption meets HHS's breach-notification guidance (which points to NIST standards) and the key didn't travel with the device. Recently Advocate Health Care in Chicago had four computers stolen and breached 4 million records. An Omnicell technician had his laptop stolen and breached 68,000 records. Would you rather pay millions of dollars to notify patients and pay fines, or a lot less to encrypt your devices? Don't stop at laptops: encrypt everything from thumb drives to servers.
Automatic Logoff/Lockout – Addressable
“This is so inconvenient!”
“It slows our doctors down!”
“It’s such a pain to keep logging in!”
Deal with it. The alternatives for keeping patients away from an unlocked computer with access to patient records are ugly and expensive: you could leave patients in the waiting room while the doctor waits for them in the examining room, or hire 'watchers' to sit in each examining room all day to make sure nobody touches the computer. Be reasonable. Automatic logoff/lockout is far easier and much less expensive, and it applies to remote sessions from home just as much as to exam-room workstations.
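What "automatic logoff/lockout" looks like on a Windows practice network, as an added example that is not part of the original article: an inactivity lock on the workstation itself and an idle-time limit on Remote Desktop sessions from home. The registry values are the ones the corresponding Group Policy settings write; the timeouts are assumptions, and the reasonable value for a given exam room or remote user is exactly the kind of decision your Addressable-control documentation should record. Run elevated; in a domain, set the same three values once in Group Policy rather than machine by machine.

```powershell
# Added example (not from the original article): workstation inactivity lock plus
# Remote Desktop idle limit. Timeout values are assumptions for illustration.
$lockAfterSeconds = 600                 # 10 min with no input -> lock screen
$rdpIdleMs        = 15 * 60 * 1000      # 15 min idle RDP session -> disconnected

# Security Option "Interactive logon: Machine inactivity limit".
# Weak setting: value absent or 0, which means the machine never locks on its own.
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $sysPol -Name InactivityTimeoutSecs -Value $lockAfterSeconds -Type DWord

# Remote Desktop Services policies "Set time limit for active but idle sessions" and
# "End session when time limits are reached". Weak setting: MaxIdleTime = 0 (never);
# fResetBroken = 0 leaves the idle session disconnected but still logged in.
$tsPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $tsPol -Force | Out-Null
Set-ItemProperty -Path $tsPol -Name MaxIdleTime  -Value $rdpIdleMs -Type DWord
Set-ItemProperty -Path $tsPol -Name fResetBroken -Value 1          -Type DWord

# Verify what is actually in place; an auditor will ask for exactly this evidence.
Get-ItemProperty -Path $sysPol -Name InactivityTimeoutSecs |
    Select-Object InactivityTimeoutSecs
Get-ItemProperty -Path $tsPol -Name MaxIdleTime, fResetBroken |
    Select-Object MaxIdleTime, fResetBroken
```

The machine inactivity limit takes effect at the next logon; the Remote Desktop values apply to new sessions. Keep the screenshot or the output of the verification lines with your Risk Management documentation so the control is provable, not just configured.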
Bottom Line – My advice is to consider all HIPAA Security Rule Implementation Specifications Required. You will be compliant, more secure, and reduce the risk of a reportable data breach, millions of dollars in costs, and tons of grief.