HIPAA and You, A Match Made in Washington – Part 2

Sep 30, 2021 | Uncategorized

This is the second in our series on HIPAA. We’re going to assume you have read Part 1; if you have not, you can find it here. This post will discuss the two steps to HIPAA compliance and start on the details.

Some Things We Aren’t Going to Talk About

As mentioned in Part 1, we are mainly going to be looking at the technical aspects in this and the remaining posts, that is, the regulations that actually have to do directly with computers and technology. To that end, we aren’t going to spend much, if any, time going over things like a compliance handbook, non-technical employee training, what you can tell and to whom, etc. For those kinds of things, you need to consult with a lawyer.

Legal Stuff Our Lawyer Makes Us Say

Please understand that we are not lawyers, nor are we offering legal advice. Take nothing we say in these blog posts as legal advice. If you have any questions about lawyerly-type things, we strongly recommend you ask your lawyer. If you don’t have a lawyer, we’re more than happy to point you in the direction of one that can help.

Your First Step Towards Compliance

The first thing you need to do to start your compliance journey is a risk analysis. Everything else you do depends on the results of this analysis. There is no one way to do a HIPAA risk analysis; however, the government has helpfully provided a program to take you through one, as well as documents that do the same. Regardless of what you use to conduct your analysis, there are some things that must be covered:

  1. You have to identify where, and with whom, your ePHI is created, received, transmitted, stored and maintained.
  2. You have to identify and document reasonable potential threats and vulnerabilities (people or technical).
  3. Assess any current security measures you may have in place.
  4. Determine the likelihood of a threat occurring (low, medium, high).
  5. Determine the impact of a threat occurring (low, medium, high).
  6. Determine the level of risk to your ePHI (and organization) from a threat or vulnerability based upon your current security measures.
  7. List the corrective actions that need to take place to mitigate the risk level.
  8. Document everything (true for ALL HIPAA stuff).
  9. (The Real Kicker) Periodically review and update the risk assessment.
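Items 4 through 7 and 9 amount to a small scoring and tracking procedure, so here is a worked risk register that follows them. This is an added example, not a tool or template from the post or from the government’s risk-analysis program; the 3×3 likelihood-by-impact matrix, the one-year review interval, and every register entry are constructed assumptions for a small practice.

```python
"""ePHI risk register following the nine risk-analysis items above.

Added illustration only: the matrix thresholds, the one-year review interval
and every register entry are constructed assumptions, not figures from HIPAA
or from the post.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Qualitative scale used for both likelihood (item 4) and impact (item 5).
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Date the sample register is evaluated against (constructed).
AS_OF = date(2021, 9, 30)


def risk_level(likelihood: str, impact: str) -> str:
    """Item 6: derive the risk level from likelihood x impact.

    Assumed 3x3 matrix: products of 1-2 are low, 3-4 medium, 6-9 high.
    """
    score = LEVELS[likelihood] * LEVELS[impact]
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


@dataclass
class RiskEntry:
    asset: str                 # item 1: where ePHI lives or flows
    threat: str                # item 2: threat or vulnerability
    current_controls: str      # item 3: safeguards already in place
    likelihood: str            # item 4, judged with current controls applied
    impact: str                # item 5
    corrective_actions: list   # item 7
    last_reviewed: date        # item 9: when this entry was last re-assessed

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


# Constructed sample register for a small practice (not real findings).
SAMPLE_REGISTER = [
    RiskEntry("Provider laptops", "Theft of a laptop holding ePHI",
              "Password login only, no full-disk encryption",
              "medium", "high",
              ["Enable full-disk encryption", "Inventory all laptops"],
              date(2020, 6, 1)),
    RiskEntry("Front-desk PC", "Shared login prevents attributing record access",
              "None", "high", "medium",
              ["Create individual accounts", "Disable the shared account"],
              date(2021, 9, 1)),
    RiskEntry("Billing server", "Unsupported operating system",
              "Behind the perimeter firewall", "medium", "medium",
              ["Upgrade to a supported OS"], date(2021, 9, 1)),
    RiskEntry("File server", "Power failure corrupts the ePHI store",
              "UPS and nightly backups", "low", "medium",
              ["Test a restore from backup quarterly"], date(2021, 9, 1)),
]


def prioritized(register):
    """Highest risk first, so corrective actions (item 7) are worked in order of urgency."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(register, key=lambda e: order[e.level])


def overdue_for_review(register, today, max_age=timedelta(days=365)):
    """Item 9: entries not re-assessed within the (assumed) review interval."""
    return [e for e in register if today - e.last_reviewed > max_age]


if __name__ == "__main__":
    for e in prioritized(SAMPLE_REGISTER):
        print(f"[{e.level:6}] {e.asset}: {e.threat} -> {'; '.join(e.corrective_actions)}")
    for e in overdue_for_review(SAMPLE_REGISTER, AS_OF):
        print(f"OVERDUE for review: {e.asset} (last reviewed {e.last_reviewed})")
```

Item 8 is the part the code cannot do for you: the register itself, with its dates and the reasoning behind each likelihood and impact rating, is the documentation an auditor will ask for, so keep it under version control or in whatever system you use for the rest of your compliance records.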

If this seems like a lot of work to you, you are correct, because it really is. A good risk assessment is not usually something that can be done in a single day. A smaller organization will have a much easier time with it than a larger one, as it will have fewer systems, less complexity, and less ePHI, but even for a small organization it will take a good bit of time. While your risk analysis will likely uncover things that we are not going to discuss in these blog posts, almost everything we will cover should be considered the basics for ANY client, regardless of size.

A risk analysis is required for both covered entities and business associates (BAs). Since HIPAA is only concerned with ePHI, that is all you have to worry about in regard to this risk analysis. However, it won’t hurt your security posture any if you treat all your data with the same concern as your ePHI.

Reasonable

As we’ve mentioned before, the word “reasonable” occurs quite often throughout the regulations. This is because what is sufficient for a solo practice to achieve compliance might not be sufficient for a hospital. The word reasonable is also included because the authors of the legislation knew that the cyber-security landscape would change rapidly and didn’t want to have to constantly return to update the legislation. The downside is that there is a LOT of wiggle room for people to operate in. We try to err on the side of caution, so that you don’t have to defend your definition of reasonable to a judge if the auditor isn’t impressed.

Step Two: Fix the Issues

Now that you have completed your risk analysis, you will need to fix any issues that you uncovered. If you have never done a risk analysis before, you are likely to have quite a long list of things that need to be addressed. Since technical compliance is only a fraction of what the risk analysis covers, you can end up with a wide variety of issues to address, such as:

  • Needing to improve the screening and training procedures for employees
  • Needing to implement policies to deal with employees who violate HIPAA guidelines
  • Having unsupported operating systems that need to be updated
  • Needing to encrypt laptops that contain ePHI
  • Needing to ensure everyone has their own login and doesn’t share login information
  • Needing to capture and regularly review security and audit logs

Since your risk analysis likely includes going over the various HIPAA regulations, after you fix everything you should be good to go… until you have to repeat step one again. Of course, this is like saying “Just find the right person to marry and live happily ever after”; it skips all the details, the blood, sweat, and tears that go into actually making something work. So, let’s cover the blood, sweat, and tears.

HIPAA Security Officer – What a Wonderful Job!

Someone is going to need to be appointed the HIPAA Security Officer for your organization. This can be an actual employee or, potentially, an outside vendor. For a large organization, this might actually be someone’s full-time job, but for a smaller company this is likely just another hat someone wears. The security officer is responsible for the development, implementation, monitoring and review of the aspects of HIPAA compliance that deal with security. This includes, but is not limited to:

  • your technical safeguards
  • your physical safeguards
  • your employee training

They don’t have to actually DO all of those, but they are the person responsible for them.

This position is not to be confused with the HIPAA Privacy Officer, which is more about who should be able to see the ePHI.

Logs (and not those made from wood) and Audit Trails

One of the HIPAA requirements, which is kind of out of the ordinary for most small and medium sized businesses, deals with logs and audit trails. Not only do you have to have them, you have to monitor and regularly review them. Now these are good things for every business to do, but truthfully most do not because of cost and manpower constraints. Luckily for you (that was sarcasm, by the way), HIPAA requires it.

The logs you should be reviewing are things like anti-virus scan logs, firewall logs, system log-ins, server file access logs, electronic medical records logs, etc. When reviewing these logs, you would be looking for things that would indicate someone has attempted to access your ePHI when or where they shouldn’t, or in some inappropriate manner. This can be an employee accessing ePHI about people they shouldn’t, or an outside attacker trying to break in to steal information.

One thing that is conspicuously missing from the regulation, though, is a retention period. Nowhere does it state how long you should be keeping these logs. So, we went to our lawyer asking for some clarification. Note, the following is not to be taken as legal advice; you should consult your own lawyer. His response was that in Alabama you should be keeping the logs for up to 6 years. Normal retention periods can be as short as 90 days, but you should never delete your logs before reviewing them. If there was something in the logs that might indicate a security incident or breach, then you would need to either keep the logs themselves, or create a complete write-up and keep it, for the full 6-year period.

To really accomplish reviewing and monitoring your logs, you are likely going to need some kind of tool that can collect logs from various locations. Logs will contain a lot of information, so you will need to filter them to only show, or even alert you to, the things you might care about. While you could go to every device and program that contains any log you might be interested in, that really isn’t feasible for any but the smallest of practices. Exactly what is being monitored, how you monitor it, and how often you review it will all need to come from information that is collected during your risk analysis.
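To make the “filter, review, then retain” part concrete, here is an added example (not a tool from the post, and not any specific EMR or log product) that runs over a handful of constructed medical-records access log lines. It reduces the log to the entries a reviewer should look at (ePHI viewed outside business hours or from outside the clinic network, a bulk export, and repeated failed logins) and then applies the retention rules described above: nothing is deleted before review, anything that might indicate an incident is kept for 6 years, and routine logs are kept for 90 days. The log format, the business-hours window, the internal address prefix, the failed-login threshold, and the sample lines are all assumptions.

```python
"""Review filter and retention check for ePHI access logs.

Added illustration, not a product or script from the post. The log format,
the business-hours window, the internal network prefix, the failed-login
threshold and the sample lines are all constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample lines: "timestamp user source_ip action target result".
SAMPLE_LOG = """\
2021-09-28T09:12:05 jdoe 10.0.1.20 VIEW_RECORD MRN-1001 OK
2021-09-28T09:14:40 jdoe 10.0.1.20 VIEW_RECORD MRN-1002 OK
2021-09-28T23:47:10 jdoe 10.0.1.20 VIEW_RECORD MRN-1003 OK
2021-09-29T02:05:31 mlee 203.0.113.9 LOGIN - FAIL
2021-09-29T02:05:44 mlee 203.0.113.9 LOGIN - FAIL
2021-09-29T02:06:02 mlee 203.0.113.9 LOGIN - FAIL
2021-09-29T02:06:15 mlee 203.0.113.9 LOGIN - FAIL
2021-09-29T02:06:30 mlee 203.0.113.9 LOGIN - FAIL
2021-09-29T10:30:00 asmith 10.0.1.31 EXPORT_RECORD MRN-1004 OK
"""

BUSINESS_HOURS = range(7, 19)        # assumed clinic hours, 07:00-18:59
INTERNAL_PREFIXES = ("10.0.",)       # assumed clinic LAN addresses
FAILED_LOGIN_THRESHOLD = 5           # assumed alert threshold
EPHI_ACTIONS = {"VIEW_RECORD", "EXPORT_RECORD"}


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    action: str
    target: str
    result: str


def parse_log(text: str) -> list:
    """Parse the constructed space-separated format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, action, target, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, src, action, target, result))
    return events


def find_findings(events) -> list:
    """Reduce the log to (event, reason) pairs a reviewer should look at."""
    findings = []
    failures = Counter()
    for e in events:
        if e.action in EPHI_ACTIONS and e.result == "OK":
            if e.ts.hour not in BUSINESS_HOURS:
                findings.append((e, "ePHI accessed outside business hours"))
            if not e.src.startswith(INTERNAL_PREFIXES):
                findings.append((e, "ePHI accessed from outside the clinic network"))
            if e.action == "EXPORT_RECORD":
                findings.append((e, "ePHI exported; confirm the export was authorised"))
        elif e.action == "LOGIN" and e.result == "FAIL":
            failures[(e.user, e.src)] += 1
            if failures[(e.user, e.src)] == FAILED_LOGIN_THRESHOLD:
                findings.append((e, f"{FAILED_LOGIN_THRESHOLD} failed logins for {e.user} from {e.src}"))
    return findings


SHORT_RETENTION = timedelta(days=90)   # routine logs ("as short as 90 days")
INCIDENT_RETENTION_YEARS = 6           # logs or write-ups tied to a possible incident


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                 # 29 Feb in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def retention_decision(log_date: str, reviewed: bool, has_finding: bool, today: str) -> str:
    """Never delete before review; keep anything that might indicate an
    incident (or its write-up) for six years; otherwise 90 days. Dates are ISO strings."""
    if not reviewed:
        return "keep: not yet reviewed"
    logged, now = date.fromisoformat(log_date), date.fromisoformat(today)
    if has_finding:
        keep_until = _add_years(logged, INCIDENT_RETENTION_YEARS)
    else:
        keep_until = logged + SHORT_RETENTION
    return "keep" if now < keep_until else "may delete"


if __name__ == "__main__":
    findings = find_findings(parse_log(SAMPLE_LOG))
    for e, reason in findings:
        print(f"{e.ts} {e.user:7} {e.src:13} {e.action:13} {reason}")
    print(retention_decision("2021-09-28", reviewed=True, has_finding=bool(findings), today="2021-12-31"))
```

The thresholds here are the part your risk analysis should supply: which hours count as “business hours”, which networks are “inside”, and how many failed logins are worth a look will differ between a solo practice and a multi-site clinic, and the values you settle on belong in your documentation alongside the review schedule.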

Training – Not Just for Football

Employee training is something we strongly recommend for any company, and it is also a requirement of HIPAA. To satisfy this requirement you have to make sure the workforce is trained on your security policies and procedures. This could include things like:

  • Appropriate use of work computers
  • How to appropriately safeguard passwords
  • What to do if they think they have a virus

It would also be wise to run training on general security topics such as phishing and web browsing habits, since these fall under the standard of “security awareness,” and training is one of the best ways to help defend against outside intrusion. There is no frequency for the training listed anywhere, so the exact schedule is up to you, but we recommend general security training at least once or twice a year.

Don’t forget, you need to document the training process so you have records of who was there and who taught it, so that in the event of an audit you can prove you’re doing it. The records for your training should be kept for at least 6 years.

Employee Computer Use Policy

Every company should have a computer use policy for their employees. It should outline what is considered acceptable use of computers and what is not, and policies on remote access, if any. It should also state that no employee has any expectation of privacy when using a company-owned device. You should also have a policy in place that requires employees to log off or lock their computers before they leave for an extended time, just in case the auto-lock feature isn’t functioning correctly (it happens).

While a computer use policy is important for any company to have, it is required under HIPAA. Talk to your lawyer about getting a computer use policy drawn up and then getting it signed by everyone.

Conclusion

So, this wraps up part two. Part three will be a riveting rendition on topics like access control, anti-virus, firewalls, and passwords! If you have questions or concerns, feel free to contact us. If you need help with your HIPAA compliance, then we are more than happy to provide assistance.