When it comes to HIPAA Risk Analysis, you can’t afford to be too careful. Take the breach at New York Presbyterian Hospital and Columbia University for example. A physician who developed applications for both organizations attempted to deactivate a personally owned server that was still on the hospital network and held patient ePHI. With no technical safeguards in place to catch it, the deactivation left that ePHI reachable from the internet, where it turned up in Google search results. The $4.8m settlement that followed, split between the two entities, was the largest HIPAA resolution ever at the time, and cost a few people their jobs. OCR’s findings said plainly that neither entity had conducted an accurate and thorough risk analysis.
Despite the administrative group’s best efforts to shave costs, their wallets undoubtedly got a little thinner. The moral of this story: never skimp in an area that can end up costing you MILLIONS of dollars. If you run a business with a lot of ePHI traffic, it is probably best that the health care component stays separate from the rest of your business operations. This process is simple and can be done in house for little money if you know what you are doing. Here are a few ways to capitalize on the things you have control over.
#1 The Risk Analysis
Planning only goes so far. Without a Risk Analysis your guard is down, and if and when an auditor finds no Risk Analysis on file, you are in for a long ride. A good Risk Analysis will help you find vulnerabilities across all your Physical, Administrative, and Technical Safeguards and give you an idea of what to do next. It involves network scans, onsite walkthrough evaluations, Policies and Procedures reviews, equipment testing, and more. A thorough Risk Analysis is also valuable because it shows you are taking “Reasonable and Appropriate” steps to safeguard ePHI/PHI. Learn more about the Risk Analysis process; it could help you save your business.
#2 Access Authorization Forms
Access Authorization Forms should be a part of your Policies & Procedures. They let you separate and restrict access on paper first, and then enforce the same restrictions within your network. Depending on each workforce member’s clearance and authorization, you can arrange it so that only those with the highest clearance can access, change, and manipulate the settings that grant access to ePHI. Restricted access is VERY IMPORTANT! It should be one of your highest priorities. If you aren’t comfortable making your own Access Authorization Forms, get help to figure out how.
#3 Business Class Firewalls
In the past you may have been able to go to OfficeMax or shop online for any firewall, but with the HIPAA Security Rule as updated by the HITECH Act and the Omnibus Final Rule, you are expected to control and monitor traffic into and out of your network. The rule does not name a product; it requires access controls (§ 164.312(a)) and audit controls (§ 164.312(b)), and a consumer-grade device that cannot restrict traffic per host or keep logs will not help you show either. To achieve a secure system you need business class. These aren’t the cheapest firewalls, but a small investment now could save you, well… (LOTS OF MONEY). You will need help setting permissions on this equipment. A good Managed IT Services company will be able to get you everything you need. If you aren’t sure you need a business class firewall, read the latest Office for Civil Rights statements about restricting access.
#4 Proper Employee Training
To prevent data breach accidents in the workplace you should be actively training your workforce to understand how to maintain HIPAA Security. HIPAA Security Training is paramount to maintaining HIPAA Compliance (§ 164.308(a)(5)). Without that understanding you are flying blind. When it comes to technology, a lot of pitfalls can be avoided simply by implementing an adequate Security Awareness Training Program.
#5 Risk Management
Because technology changes so frequently, you are left wondering what you should do and how it should be done. Besides continued Security Awareness Training, you should be revising and rewriting your Policies & Procedures. After any significant change to how you operate, run a fresh Risk Analysis; this ongoing cycle is the Risk Management implementation specification (§ 164.308(a)(1)(ii)(B)). Isolate the vulnerabilities it finds and rewrite your Policies & Procedures to cover the new changes. Retrain your workforce once the changes have been implemented.
#6 Access Logging
HIPAA requires that you record and examine activity in the systems that hold ePHI (the Audit Controls standard, § 164.312(b), together with the Information System Activity Review requirement at § 164.308(a)(1)(ii)(D)), so some policies and procedures need to be in place first. Have your IT staff enable access logging, so you can see who is logging in at each workstation and which personnel are accessing which ePHI. This will help you determine whether your workforce is keeping to the Minimum Necessary standard, which comes from the HIPAA Privacy Rule and was tightened by the HITECH Act.
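As an added example (not from the original page or any vendor product), here is how the paper authorization list from #2 and the access logs from #6 come together: a small Python script that reads constructed EHR access-log lines, checks each entry against a hypothetical authorization table (who may view, modify, or configure, and which patients a clinician is assigned), and reports every access that goes beyond it. The log format, user names, workstation names and patient IDs are all assumptions made up for this example.

```python
import re
from collections import Counter

# Hypothetical Access Authorization Form turned into data (constructed for
# this example): user -> actions that user's role may take on ePHI.
AUTHORIZATIONS = {
    "rn_jdoe": {"view"},               # nurse: read charts only
    "md_asmith": {"view", "modify"},   # physician: read and update charts
    "billing_k": {"view_billing"},     # billing: billing records, not charts
    "it_admin": {"config"},            # IT: change settings, never read charts
}

# Minimum necessary at patient level: clinicians may only touch patients
# assigned to them. Users absent from this table have no patient restriction.
ASSIGNMENTS = {
    "rn_jdoe": {"P1001"},
    "md_asmith": {"P1001", "P1002"},
}

# Hypothetical access-log line format (constructed, not a real product's):
#   <timestamp> <workstation> user=<id> action=<verb> patient=<id or ->
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-01T08:02:11 ws-icu-03 user=rn_jdoe action=view patient=P1001
2024-03-01T08:05:40 ws-icu-03 user=rn_jdoe action=modify patient=P1001
2024-03-01T08:20:15 ws-icu-03 user=rn_jdoe action=view patient=P1005
2024-03-01T09:10:02 ws-clinic-1 user=md_asmith action=modify patient=P1002
2024-03-01T09:12:30 ws-billing-2 user=billing_k action=view patient=P1003
2024-03-01T22:41:07 ws-server-1 user=it_admin action=view patient=P1001
2024-03-01T22:45:00 ws-server-1 user=it_admin action=config patient=-
2024-03-01T23:00:00 ws-lobby-1 user=unknown action=view patient=P1004
2024-03-01T23:05:00 ws-lobby-1 malformed entry
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(log_text, authorizations=AUTHORIZATIONS, assignments=ASSIGNMENTS):
    """Check every log line against the authorization and assignment tables.

    Returns (findings, logins): findings is a list of
    (reason, user, workstation, action, patient) tuples, one per offending
    line; logins counts parsed entries per (workstation, user), which is the
    'who is logging in at each workstation' view the page asks for.
    """
    findings = []
    logins = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e is None:
            # A line the parser cannot read is itself a finding: gaps in the
            # audit trail are what an auditor will ask about.
            findings.append(("unparsed", line, "-", "-", "-"))
            continue
        logins[(e["host"], e["user"])] += 1
        allowed = authorizations.get(e["user"])
        assigned = assignments.get(e["user"])
        if allowed is None:
            reason = "unknown_user"           # nobody signed a form for this account
        elif e["action"] not in allowed:
            reason = "unauthorized_action"    # role may not do this to ePHI
        elif assigned is not None and e["patient"] != "-" and e["patient"] not in assigned:
            reason = "not_assigned"           # more than the minimum necessary
        else:
            continue
        findings.append((reason, e["user"], e["host"], e["action"], e["patient"]))
    return findings, logins


if __name__ == "__main__":
    found, seen = audit(SAMPLE_LOG)
    for f in found:
        print("FINDING", *f)
    for (host, user), n in sorted(seen.items()):
        print(f"{host:12} {user:10} {n} ePHI access(es)")
```

The point of the script is the pairing: the authorization table is the thing your Access Authorization Forms already say on paper, and the log review only becomes useful once it is compared against that table rather than just read. In a real deployment the tables would come from your identity system and the log lines from the EHR's audit export, and anything in the findings list is a conversation with the workforce member, or with IT, before an auditor has it.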
#7 Disaster Planning
Your Disaster Contingency plan is not just required by HIPAA (§ 164.308(a)(7), p. 29), it is simply good practice for running a business.
Ask yourself these questions:
- What would happen if I lost 24 hours’ worth of billable time or progress on a project?
- Do I have a viable backup I can retrieve?
- How will I get my business up and running again?
- How will I maintain security without my prior infrastructure or working servers and firewalls?
We have thought of all those things, and a good Contingency Plan and Disaster Recovery Plan are what’s expected. This is on top of your detailed account of how the business will keep running in the event of a disaster (§ 164.308(a)(7), p. 30). All of it together is your Contingency Plan; the part that describes how critical business processes continue while you are operating in emergency mode is the Emergency Mode Operation Plan, a required implementation specification at § 164.308(a)(7)(ii)(C) and covered in NIST’s guidance on the Security Rule (SP 800-66).