Is that a typo? There are benefits to the HIPAA Security Rule?
Mention HIPAA Security to most people in a medical practice, and you will likely hear something like:
1. We took care of HIPAA years ago.
2. It doesn’t apply to us because we don’t have an EMR/EHR.
3. HIPAA is a total pain in the anatomy; it doesn’t help my practice at all.
These opinions are generally false. HIPAA Privacy, which started late last century and is what most people think of when they hear the word HIPAA, pertains to paper records. HIPAA Security, which governs electronic records, came into being much later, in 2005, and was strengthened significantly in 2009.
HIPAA Security governs any situation in healthcare where electronic patient protected health information (EPHI) occurs, regardless of whether it’s contained in — or transmitted through — an EHR. So virtually any medical practice is governed by HIPAA Security, even if the practice doesn’t have an EHR and even if the practice isn’t planning on trying to qualify for stimulus dollars under ARRA/HITECH.
If you have EPHI in any form, you are subject to the HIPAA Security Rule. Failure to address and comply with the HIPAA Security Rule can subject your practice to severe fines and sanctions.
But how can HIPAA Security be considered a good thing? Although the actual document is nearly 70 pages long, boiled down into the simplest form, it states that any organization must protect EPHI from accidental, unauthorized, or intentional theft, loss, or destruction by sources or individuals either inside or outside the organization.
That still sounds like a mouthful, but embedded in this simplified definition of HIPAA Security are many gems of important security principles that any business — healthcare or not — would be well-served to carefully observe and adopt.
Therefore, here is our “top five” list of beneficial principles from the HIPAA Security Rule:
1. Section 164.308(a)(4), Role-based security. Users should have different levels of access, based on their job function. It sounds intuitively obvious, but most medical practices — and most businesses — do not carefully control who has access to what data. It is relatively straightforward to do this right. However, most system administrators don’t, which jeopardizes the security of their systems. In healthcare, that’s a HIPAA Security violation. In business in general, it violates IT best practices.
2. Section 164.308(a)(7), Data backup plan. Here again, this sounds obvious to anyone. But many medical practices — and many businesses — do not do this properly. We have seen backup systems that have been failing for months, backup systems that are not set up to back up all critical data, and backup systems that overwrite the previous day’s backup every day, leaving only a single copy. Data backup systems should be designed to periodically back up data to external media. The exact rotation (daily, weekly, monthly) depends on how frequently the data changes and how much data loss since the last backup the practice is willing to tolerate. Special care should be given to where the backup tapes or other media are stored and how they are transported. Online backup creates its own set of issues.
3. Section 164.310(a)(5), “Strong” user names and passwords. Most people — both inside and outside of healthcare — use simple passwords that can be easily guessed by the simplest “brute force” password cracking software. And because jobs are frequently shared by multiple part-time employees, and sometimes to avoid licensing costs, many healthcare entities use generic or shared user names, like “Nurse Station” or “Billing.” This is a no-no, especially in conjunction with easy-to-guess passwords, because a shared account cannot be tied to an individual. Passwords should have a minimum of 6 characters and should be a combination of letters, numbers and symbols.
4. Section 164.310(a)(5), Protection against malicious software; software patch management. Most medical facilities fail to keep their systems updated and their operating and security software patched. Software patch management ensures that systems contain the latest software patches and security protection. New software threats arise almost daily, so this is a critical policy.
5. Section 164.310(a)(1), Facility access controls/physical security. Often, servers and data storage systems are not properly secured. They may be in a common area, in the kitchen or supply room, under the front desk or even in a hallway. Core IT systems should be located behind locked doors, with access only by those with a legitimate need. In addition, the area should have adequate space and cooling and good power protection, and the equipment should be located up off the floor, away from dust or cleaning liquids.
The HIPAA Security Rule indeed represents good business practices. With the new higher fines resulting from ARRA/HITECH in 2009, medical practices and other covered entities would be well-served to adhere to and adopt the sound IT principles it contains.
It just makes good business sense.
Learn more about Marion K. Jenkins and our other contributing bloggers here.