April 29, 2014

Question:

Jennifer,

I've ordered HIPAA forms from your firm. Does that mean I'm in compliance with HIPAA?

Please let me know.

Thanks,
Dr. P

Answer:

Dr. P, thank you for the question. The answer is yes and no. If you've ordered our HIPAA compliance documents, then you are in compliance with the requirement that you keep written policies and procedures in place to conform to the HIPAA Rules, including the Security Rule governing electronic protected health information [45 C.F.R. 164.306], assuming you have our all-in-one. The "no" part of my answer is because having the forms on file is not enough to be HIPAA compliant; HIPAA compliance requires that your practice is actually following the guidelines, safeguards and training required in your written policies and procedures.

One such requirement under HIPAA is for practices to regularly review the administrative, physical and technical safeguards they have in place to protect the security of electronic protected health information (as required by your Security Policy). On March 28, 2014 the Department of Health and Human Services ("HHS") announced having released a security risk assessment tool to help providers with HIPAA compliance. HHS makes it very clear in its disclaimer that use of the tool is NOT required and does NOT guarantee compliance through use. However, for interested practices, the risk assessment tool offers assessment for:

The risk assessment tool is intended to assist "health care providers in uncovering potential weaknesses in their security policies, processes and systems... [and] address vulnerabilities, potentially preventing health data breaches or other adverse security events."

An example of how the risk assessment tool works follows. The risk assessment tool identifies a potential area of exposure and a standard, for instance in the Physical Safeguards:

Standard: Do you have an inventory of the physical systems, devices, and media in your office space that are used to store or contain ePHI?

A series of short questions follows if the answer to the Standard is no, including why you do not have an inventory: is it cost related, practice size, complexity, or is an alternate solution available? Does the no answer, in your assessment, present a risk to PHI security? If so, how much risk? Once a risk is identified in the risk assessment, the tool provides advice on how to address it; in this instance, the following:

Things to Consider to Help Answer the Question:
Identify the areas where your practice has information systems and equipment that create, transmit, or store ePHI. Include all buildings and rooms within it that have data centers, areas where equipment is stored, IT administrative offices, workstation locations, and other sites.

Information systems normally include hardware, software, information, data, applications, and communications.

Possible Threats and Vulnerabilities:
If your practice does not have an inventory, you may not be able to identify all of the workstations, portable devices, or medical devices that collect, use, or store ePHI.

Some potential impacts include:

  • Natural threats, such as hurricanes, tornadoes, and earthquakes, which can cause damage or loss of ePHI.
  • Human threats, such as an unauthorized user who can vandalize or compromise the integrity of ePHI. Unauthorized disclosure and loss or theft of ePHI can lead to identity theft.

Examples of Safeguards:
Some potential safeguards to use against possible threats/vulnerabilities. NOTE: The safeguards you may choose will depend on the degree of risk (likelihood) and the potential harm that the threat/vulnerability poses to you and the individuals who are the subjects of the ePHI.

Have policies and procedures that are designed to control physical access to information systems that have ePHI, including facilities and rooms within them where your information systems are located. [45 CFR §164.310(a)(1)]

Identify all facility locations that your practice owns, rents, or occupies, where ePHI is collected, created, processed, or stored so that your practice can: 

Establish physical access control procedures to:

  • Limit entrance to and exit of the facility using one or more physical access methods.
  • Control access to areas within the facility that are designated as publicly accessible.
  • Secure keys, combinations, and other physical access devices.
[NIST SP 800-53 PE-3]

Establish physical access authorization procedures to:

  • Develop and maintain a list of individuals with authorized access to the facility.
  • Issue authorization credentials.
[NIST SP 800-53 PE-2]

Establish policy and procedures to control access to ePHI data by output devices such as printers, fax machines, and copiers in order to prevent unauthorized individuals from obtaining the output.
[NIST SP 800-53 PE-5]

And once complete, the tool moves on to the next topic. As you may have already guessed reading through the recommended steps for the Standard example above related to inventory, much of the advice in the risk assessment tool is repetitive and makes reference to your written procedures. However, use of the tool may prove beneficial, especially for tech-reliant and mid- to larger-sized practices. In utilizing it, you may find it beneficial to engage your attorney or an outside expert to assist in your risk assessment and thereafter in customizing your policies and procedures.

For assistance with risk assessment or policies and procedures, feel free to contact Jennifer by email or at 516 747 6700 x. 302.  We are happy to work with you, and we do charge a flat rate for the analysis and remediation plans (price varies depending on practice size and location).


Brought to you by: Jennifer Kirschenbaum, Esq., Kirschenbaum & Kirschenbaum, P.C.