Legal Stuff Our Lawyer Makes Us Say
Please understand that we are not lawyers, nor are we offering legal advice. Take nothing we say in these blog posts as legal advice. If you have any questions about lawyerly-type things, we strongly recommend you ask your lawyer. If you don’t have a lawyer, we’re more than happy to point you in the direction of one that can help.
Auto-Logoff and Auto-Locking
We recommend that all devices have their auto-lock or logoff functionality turned on. This is a feature found on all mobile devices, Macs, and Windows computers and is, naturally, a HIPAA requirement. After a given amount of idle time a computer or device should lock itself or go to a screen saver which does NOT show the underlying screen, and require a login to get back in. We generally recommend 15 minutes or less for computers in places where patients cannot access them, and 5 minutes or less for computers in places where patients or the general public could access them.
If you have any programs that also contain ePHI, they should also be set to auto-logoff. The amount of time it takes before this happens is up to you, but it needs to be reasonable.
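As an added example (not part of the original post), the following PowerShell script checks whether a Windows computer's idle-lock settings meet the 15-minute or 5-minute threshold recommended above. It reads the machine inactivity limit policy and the current user's screen saver settings from the registry; the `-PublicArea` switch is a name chosen here for the 5-minute case.

```powershell
# Added example: report whether this machine locks within the recommended
# idle time. Run with -PublicArea for computers the public can reach (5 min);
# otherwise the 15-minute threshold applies.
param([switch]$PublicArea)

$limitSec = if ($PublicArea) { 300 } else { 900 }

# Machine-wide policy "Interactive logon: Machine inactivity limit" (seconds).
# When set, it locks every user's session regardless of screen saver settings.
$sysPolicy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$inactivity = (Get-ItemProperty -Path $sysPolicy -Name InactivityTimeoutSecs `
                -ErrorAction SilentlyContinue).InactivityTimeoutSecs

# Per-user screen saver settings for the current user (stored as strings).
$desktop   = 'HKCU:\Control Panel\Desktop'
$ss        = Get-ItemProperty -Path $desktop -ErrorAction SilentlyContinue
$ssActive  = $ss.ScreenSaveActive -eq '1'
$ssSecure  = $ss.ScreenSaverIsSecure -eq '1'          # require password on resume
$ssHasExe  = -not [string]::IsNullOrEmpty($ss.'SCRNSAVE.EXE')
$ssTimeout = if ($ss.ScreenSaveTimeOut) { [int]$ss.ScreenSaveTimeOut } else { 0 }

$findings = @()
if ($inactivity -and $inactivity -le $limitSec) {
    $findings += "PASS: machine inactivity limit is $inactivity s (<= $limitSec s)"
} elseif ($ssActive -and $ssSecure -and $ssHasExe -and
          $ssTimeout -gt 0 -and $ssTimeout -le $limitSec) {
    $findings += "PASS: password-protected screen saver after $ssTimeout s (<= $limitSec s)"
} else {
    $findings += "FAIL: no enforced lock within $limitSec s"
    if (-not $inactivity) { $findings += "  - InactivityTimeoutSecs not set under $sysPolicy" }
    if (-not $ssActive)   { $findings += "  - screen saver is not enabled for the current user" }
    if (-not $ssHasExe)   { $findings += "  - no screen saver program is selected" }
    if (-not $ssSecure)   { $findings += "  - screen saver does not require a password on resume" }
    if ($ssTimeout -gt $limitSec) { $findings += "  - screen saver timeout is $ssTimeout s" }
}
$findings
```

Settings pushed by Group Policy can also appear under `HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop`, so on a domain-joined machine check that path as well, and keep the script's output with your compliance records.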
Physical Safeguards and Computer Placement
You need to consider where your computers physically reside. Ideally, you would keep them out of places to which patients or other unauthorized persons have easy access. Of course, some practices have computers in the exam rooms, so you would need to consider what extra measures you would need in such a situation. Also, you might consider privacy filters for your screens to help reduce the possibility of someone seeing something they shouldn’t. You could even go to the extreme of doing what they did for the CIA computer in the “Mission: Impossible” movie, but that is likely a bit of overkill.
Make sure that no network jacks in public areas, or in areas where people will be unsupervised for long periods of time, are connected to the network.
Safeguarding Your Facility
Since the purpose of HIPAA is to protect ePHI from improper disclosure, the regulations also include sections about physically safeguarding your facility. This can be something such as:
- Making sure every door has a lock and keeping track of the keys
- Having monitored security cameras
- Actual physical guards
- Identification badges
What you do here will depend very heavily on the size of your company. Obviously, it isn’t practical for a solo practice to have a 24/7/365 security staff, but if you are a hospital, you likely should.
For most practices, we would expect either physical keys or some kind of RFID or fingerprint access, and perhaps a security or alarm system. Electronic access has the benefit of letting you easily revoke an employee’s access upon separation instead of rekeying locks. However, electronic access is more expensive to set up than physical keys are. With electronic locks, another consideration is personnel safety when the power or the system fails. You must determine whether the locks “fail open” or “fail closed,” and you must ensure that persons cannot be trapped inside in an emergency. Whatever you decide for your company, you need to document what you chose, why you chose it, and the procedures for dealing with things like employee separation.
Keeping Accurate Maintenance Records
Keeping accurate records of maintenance is another of the procedures we don’t normally find at a small or medium business. We aren’t talking about records for floor cleaning or changing your air filters, but about anything that may affect the physical security of the ePHI. This would include things like:
- Re-keying your locks
- Replacing, removing, moving, or adding security cameras
- Replacing a security door
- Adding or changing your alarm system or codes
This doesn’t have to be anything elaborate, just a date/time, what was done, by whom, and why. Once you’ve logged this information you have to keep it for that 6-year period we’ve discussed before in part 2.
Proper Disposal of Things That Contained ePHI
You need to make sure that you are disposing of things that could contain ePHI appropriately. These days this is mainly hard drives, flash drives, and DVDs/CDs. If you are completely done with these things you need to ensure they are securely erased or destroyed, and that you have records to document proper disposal (which you keep for 6 years). The records should contain information such as the date it was removed from service, who took it to be destroyed, and a picture or receipt of what steps were taken to erase/destroy it.
If you are going to re-use or re-purpose something that contained ePHI, either internally or externally (donating to charity, for instance), you also need to ensure destruction of the ePHI and keep appropriate records.
Part of this is also keeping track of what things contained ePHI. You need to keep a log of any device or item that has ePHI on it, including small things like USB drives. This is the only way to ensure everything that contains ePHI is properly disposed of.
Moving Your Devices Around
If you are physically moving your devices around, you should also be keeping track of this. For a single-location small practice, you can likely document the intake of a new system and then its retirement and not worry about anything else. For a small multi-location practice, you might need to document when a device moves between offices. For the exact requirements for your practice we advise you consult with your lawyer.
Responding to Security Incidents
In the event you do experience a security breach, you have to respond to it. You have to have policies and procedures in place to deal with such an event. You should first try to mitigate continuing damage from it, if it is ongoing. Then you should attempt to understand what happened, to determine what might be done to prevent it from happening again in the future. You have to document everything, and keep it for 6 years as well. Finally, you have to report that breach according to the HIPAA regulations, about which you should consult your legal expert.
Security incidents can be something as “simple” as a ransomware attack all the way through a full-scale penetration of your system by an outside person. It could also be something that happened from someone inside the organization. What exactly constitutes a reportable incident is something else to discuss with your lawyer.
Wow, that is A LOT of Stuff
Yep, it sure is. And remember, this is basically just the minimum kind of stuff you need to think about. It is quite likely that your organization will have some other things that come up in the risk analysis and which require addressing. Also, as the state of technology changes you are likely to see more things classed as “reasonable” for small and medium organizations which will increase your compliance requirements, which brings us to the next part.
Review Your Compliance
HIPAA is not a once-and-done thing. You have to periodically review everything, determine whether what you are doing is still reasonable, and make changes where they need to be made. This should be done at least once a year, and also any time you have a major change to your technological ecosystem, such as new software or server upgrades. The good news is that you are free to change any policies and procedures at any time—you just have to keep the old ones around for six years after they were last used.
Remember This Is Not ALL That is HIPAA
This is only the technological side of things. There is actually a fair amount more to HIPAA compliance, most of which deals with under what circumstances and to whom you are allowed to divulge ePHI. There is also the section on your duties in the event of a data breach. For that stuff we, once again, recommend you talk to your lawyer.
Conclusion, For Real This Time
Thanks for taking the time to read through this monster series. We hope that you have gained some valuable insight into HIPAA compliance. If you have questions or concerns, feel free to contact us. If you need help with your HIPAA compliance then we are more than happy to provide it.