Legal Stuff Our Lawyer Makes Us Say
Please understand that we are not lawyers, nor are we offering legal advice. Take nothing we say in these blog posts as legal advice. If you have any questions about lawyerly-type things, we strongly recommend you ask your lawyer. If you don’t have a lawyer, we’re more than happy to point you in the direction of one that can help.
Business Continuity and Disaster Recovery
Having business continuity and disaster recovery plans in place is likely the single largest part of HIPAA compliance, as far as paperwork is concerned. In-depth coverage of this topic would be its own blog post, which we have not yet written (this post will be updated when we do). Bare bones, it would be something like this:
Think of Bad Things that Might Happen
You need to sit down and come up with likely scenarios which would impact your business and your ability to access your ePHI. This would include, among others, incidents that may prevent you from accessing your buildings (gas line rupture), incidents where the ePHI isn’t available (power outage or server failure), and incidents where your building and everything in it is gone (tornado, fire, or flood).
Come up With Solutions
For each of those scenarios you would need to come up with plans for what you would do as a business in order to continue working, if necessary, and plans to access or restore your ePHI. If you don’t deal with ePHI that would be life-threatening to be without (let’s say you’re a dermatologist), then your solutions here will likely be radically different from those of a hospital, where someone will likely die without the information.
You also need to consider what you need to do to help make sure your ePHI stays secure in these scenarios. Perhaps you might need to have security guards to stand watch over your office if it was broken into and the door destroyed. If your building is gone and you are allowing people to access the ePHI from remote locations, and you normally wouldn’t, you would need policies in place to maintain compliance then as well.
Test and Revise
The last part of any business continuity or disaster recovery plan is to actually sit down and test it, then revise it where deficiencies are found. Obviously we aren’t talking about taking a literal torch to your servers to make sure your plan works; this is more along the lines of tabletop exercises. Make the exercises as realistic as you can so that they are a genuine test. You don’t want to discover that your plans and systems won’t work like you expect when you are in the middle of an actual disaster.
Backup
Appropriate backup is a critical part of any business, not just HIPAA compliance, as we’ve talked about before. Backup is also a key part of any business continuity and disaster recovery plan, and what kind of solution(s) you choose for backup will depend heavily on those plans.
In order to maintain your compliance, you have to be able to retrieve exact copies of ePHI. This means you should also TEST your backups on a regular basis. Something else you should do is classify your data and applications by criticality. For smaller organizations all your data may be equally important. However, as you and your data grow, it is likely that you will have things that must be restored right away, things that can wait a little while, and things that can wait a long while. Knowing what has to be brought back first will get you going faster after a disaster.
Encrypt Your Data
Encrypting all of your data, not just your ePHI, is good business practice, regardless of HIPAA. We strongly recommend everyone encrypt any laptops or mobile devices they use for business. We’ve written more about general encryption here. If your medical records program offers an option to encrypt your data, you should consider it. Determining exactly what and how much of your data you should encrypt should be a result of your risk assessment.
You also need to make sure that any time you store data on removable media, such as flash drives or DVDs, you encrypt the data. That way, if you lose the item you are not required to report it as a HIPAA breach.
Securely Transmit Your Data
One item that we see violated quite often is the requirement to securely transmit your ePHI. This means on your internal network as well as the internet. Now, if you have secured your internal network (like we talked about previously in part 3) you likely do not need to implement any encryption technology on it, but the Internet is another matter.
ePHI should NEVER be transmitted over the internet in an unencrypted format. Not only does it need to be encrypted, it needs to be securely encrypted: there are several old encryption mechanisms that are no longer considered secure, but we still find them in use from time to time. However, the two big offenders we most often find with regard to unsecured communications are unsecured remote access to networks and emailing ePHI.
Unsecured Remote Access
We often see companies allowing access to their systems via Microsoft Remote Desktop without requiring a virtual private network (VPN) connection to do so. Using Remote Desktop Protocol (RDP) connections across the internet without a VPN is not considered safe and has been determined to be the likely attack vector in recent outbreaks of ransomware. To maintain your security, you should NEVER allow anyone to remotely access your network without a VPN connection. You also need to make sure you are using a VPN system that requires unique login information; the VPNs you find on consumer-grade firewalls will generally not suffice.
If you do want to allow someone to remotely access your network, you also need to make sure that the devices they are using to do so meet your compliance requirements. What this comes down to is that YOU need to own and control those devices. They should not access your network from their home or personal computers.
Emailing ePHI
Never email ePHI using normal email. There is no guarantee of encryption or privacy with normal email. If you are using a reputable vendor, like Microsoft Office 365, then yes, your connection to them should be encrypted, and if you are only emailing someone else in your company, they are on the same system and their connection should likewise be encrypted. The email shouldn’t be leaving Microsoft’s cloud, so the likelihood of interception or unwanted disclosure is low, but we would still say not to risk it. This is one of those lines we stay away from. Also, if you accidentally type in the wrong address, then oopsie, you have an unintentional disclosure of ePHI.
If you need to email ePHI, there are secure email services out there that will help you with this. Traditional email has only had security tacked on after the fact and can be viewed as sending a postcard through the mail. Secure email systems are built differently from the ground up and only transmit mail in an encrypted format. If the recipient doesn’t have a compatible mail vendor, they get a notification to log into a secure portal to retrieve the email, much the way your bank works. No, these systems are not free, but each time you email a patient in an insecure format it counts as an infraction, and these infractions would likely be the kind that cost at least $1,000 per email.
A second possible method of secure transmission would be sending the email with nothing in it but an encrypted document. The recipient would need to have already gotten the decryption key or pass phrase from you by a different transmission method, the phone for instance. You have to make sure you encrypt EVERY file you send, or that’s a violation.
A third method would be to use a file sync and share utility, such as Dropbox or Box, that will sign a business associate agreement (BAA) with you. The idea here is that you would only send the recipient a link to a document they could download; the link would require a password to access, and the password would be given via a different transmission method.
If you are using a free file sync and share utility, such as Dropbox or Google Drive, you are likely violating HIPAA. However, most of these services offer a pay version that you can use and with which they will sign a BAA, but without that BAA you are NOT in compliance.
Data Integrity
You might hear someone talk about data integrity with regard to HIPAA compliance. Data integrity in this instance means ensuring that the ePHI has not been destroyed or altered in an unauthorized manner. This one is pretty tricky to accomplish, and is where “reasonable” will likely be in your favor. Most of the rest of HIPAA compliance is really built around the concept of helping you maintain data integrity. For most practices, the only extra step you would likely have to consider is this: if your medical records software includes some form of integrity check option, ensure it is turned on.
So, this wraps up part four. The final post focuses on physical security of your ePHI. Stay tuned for that exciting information!
If you have questions or concerns, feel free to contact us. If you need help with your HIPAA compliance then we are more than happy to provide it.