Feb 27, 2009 (07:02 PM EST)
Time To Get Serious About HIPAA
Read the Original Article at InformationWeek
We expect to see the Centers for Medicare and Medicaid Services -- the unit within the Department of Health and Human Services responsible for compliance with the Health Insurance Portability and Accountability Act -- place greater emphasis on proactive enforcement in the coming year. The impetus is a report issued in October by the HHS inspector general that faults CMS for not providing effective oversight and enforcement of HIPAA security. We're also watching closely to see how the pending appointment of a Cabinet secretary for HHS and the Obama administration's plan to update the nation's electronic medical records system affect HIPAA enforcement.
A common complaint about HIPAA is that the details tend to be fuzzy -- there's no product companies can buy to magically get compliant, and there's no sanctioned checklist to guide you to certification. This is, to a large extent, by design: One goal of HIPAA was to be a one-size-fits-all, technology-neutral regulation.
Many information security pros enjoy this flexibility, while some wish for more guidelines. Whatever your stance, HIPAA requires that IT groups tailor a security program to their specific environments. To help, we pulled together 10 steps that should put companies well on their way to building a security program that will pass muster, just in case the feds come knocking. We've included the basics here; find an expanded version in our special InformationWeek Analytics HIPAA Alert.
1. Assign A Security Official
2. Determine Your Individual Risks
Your risk assessment will guide nearly all of your other implementation steps. But remember: Any assessment is just a snapshot of a point in time, and computing environments are constantly changing. This is why the concept of a security management process is so important. Every time a new system comes online, or a change to an existing system is proposed, the risks need to be assessed. It's at this point that you can decide whether the risk is acceptable, can be transferred using insurance or some other strategy, or needs to be mitigated.
Your Fines May Vary
Sure, $100,000 might not break the bank, but CVS felt the sting
Settlement agreed to in February by CVS pharmacy chain, HHS, and the FTC over potential HIPAA violations
Fine levied against Providence Health System in July 2008 for security lapses
Data: U.S. Department of Health and Human Services
Government security requirements are big on documentation, and HIPAA is no exception. The need for documented policies and standards comes up often in HIPAA's Security Rule. CMS provides a list of sample questions for HIPAA security audits; most involve review of documentation, starting with policies and procedures (see www.cms.hhs.gov/securitystandard).
What needs to be included in your policies and procedures? A good place to start is with the standards in the Security Rule. This introduces a key concept in HIPAA: Standards are either "required" or "addressable." Obviously, required standards have to be implemented, although most of them still provide enough room to customize to your environment. Addressable standards are interesting because they can be met by deciding (and documenting) that a standard isn't applicable to your environment, or that you've addressed the standard in an alternative manner.
4. Know Your Users
HIPAA requires that procedures be in place to identify and respond to security incidents, minimize the harmful effects of incidents, and document them and their resolution. Your incident response needs will be driven by your risk assessment. If Internet attacks are a high risk, you may decide that complex intrusion-detection systems are called for. Large companies may need to have standing incident response teams with forensics experts on staff, while smaller companies could assign these duties to existing staff and plan to outsource specialized tasks during an incident. Whatever your size, documentation of incidents that happen is crucial.
6. Expect The Worst
HIPAA isn't just about protecting data from unauthorized access. As more information needed for patient treatment and billing becomes electronic, it's crucial to ensure that systems are available and the data is trustworthy. Your contingency plan must cover backup and recovery of personal health information, along with preparations for recovering from disasters. Your plan also needs to include preparations for operating under emergency conditions--how business can continue without access to the electronic personal health information, and how you will continue to protect data on your systems during disasters.
7. Control Your Media
8. Train Users, Then Remind Them
HIPAA requires that covered entities record and examine activity in systems that store or use personal health information. The type of high-risk threats you identified in your risk assessment will help you decide what needs to be logged in order to meet this requirement, but it's important to understand the context. The Security Rule goes to great pains to ensure that users are uniquely identified and authenticated. Oftentimes, in a medical setting, it's hard to predict who will need to access which patient's data, and strong limits on this access could cause dangerous delays in treatment.
Instead, reasonable access restrictions should be implemented and followed up with audits of access trails to ensure that employees aren't looking at or modifying records they shouldn't.
10. Clean Up Old Data
Once you've used your inventory to identify outdated data and systems, you need to make the classic closet-cleaner's decision: toss or keep? If there's reason to keep the data, does it need to be accessible? If not, archive it to durable media and store it in a vault or with an off-site data storage company. Data on a tape in a vault isn't susceptible to hackers or curious employees.
Avi Baumstein is an information security analyst at the University of Florida's Health Science Center.