Hurricane Harvey serves as an important reminder to review and revise your HIPAA policies and procedures.
Disasters, which can ultimately lead to a data breach, come in various forms – natural, man-made and technical. HIPAA, the HITECH Act, the Federal Trade Commission and the Securities and Exchange Commission are just a handful of entities requiring that the confidentiality, integrity and availability of the sensitive information (e.g., protected health information (PHI) and personally identifiable information (PII)) remain intact. Although federal HIPAA has distinct categories (e.g., covered entity, business associate, and subcontractor), other state or federal government entities use "covered entity" to mean any person that creates, receives, maintains or transmits PHI or PII.
HIPAA sets forth three main categories of safeguards: administrative, physical, and technical safeguards. Often times, these categories overlap. For example, the administrative requirement of a sanction policy compliments the physical requirement of two-factor identification for building access.
Below are a couple of select sections from the Code of Federal Regulations (CFR), which organizations should be particularly vigilant about in relation to disasters.
•45 CFR §164.310 (Physical) – requires that policies and procedures for facility access in order to restore lost data under the disaster recovery and emergency access plan.
•45 CFR §164.308 (Administrative Safeguards) – multiple requirements are set forth under this particular section of the CFR. For example:
•Security management process
•Annual risk analysis
•Information activity review
•Workforce clearance procedure
•Security awareness training
In particular, attention should be given to 45 CFR §164.308(7)(i), (ii)(A)-(E). These sections address data back-up, recovery, and emergency mode plans. Training should complement the contents and requirements of various employees during a disaster. For example, if support personnel cannot make it to the office, do they have an appropriate alternative environment for calling customers? If a disaster occurs during the day and many people are at work and cannot make it home, do they know what they are responsible for taking with them, where they may be meeting up and whether or not they have a Wi-Fi hot spot to work from in a hotel or coffee shop?
A disaster can strike at any time. Failing to be prepared could lead to an even costlier breach. That's why it is important for providers, as well as their business associates and subcontractors to do the following:
•Train employees on disaster scenarios regularly.
•Conduct drills a couple of times a year.
•Back-up all data.
•Make sure that policies and procedures are complete and relevant to the practice and region that a particular office or hospital is situated in.
Mother Nature will always be unpredictable, so the best thing a practice can do is be prepared for the worst, especially when it comes to data security.