We’ve all been inundated with the headlines in the last six months regarding Cyber Security Breaches. The resulting fines, loss of credibility and reputation, and damages to businesses in the court of public opinion are hard to overcome. I think all of us have had our share of scares when we read about breaches at large companies that we may frequent, and the potential loss of our own personal data.
With Healthcare, we have the new Final Rules that were released in September 2013, and the security considerations for any practice, hospital, or business associate are serious. These can include DME vendors, accountants, attorneys, nursing homes and long-term care facilities, and a variety of other business associates who may be involved with their clients’ Protected Health Information, or PHI.
Most business associates are familiar with being presented with a lengthy Business Associate Agreement, a document that spells out in legal terminology the access and security that must be maintained with protected health information. Most of us have seen something that looks like this:
“Security Obligations. Business Associate agrees that the electronic PHI of Covered Entity will be subject to the security requirements of and Business Associate shall comply with sections 164.308, 164.310, 164.312 and 164.316 of title 45, Code of Federal Regulations.”
Although it’s critical to look at the Code of Federal Regulations in detail to make sure you understand exactly what you’re signing, many organizations fail to take the time to research what exactly this means to their company. This string of numbers translates into some very detailed requirements for all guardians of PHI. I encourage anyone working with PHI to sit down with their executive team and IT support to review these regulations and determine how your organization can comply.
One of the key components in the Administrative safeguards is to have policies and systems in place “to prevent, detect, contain and correct security violations.” With electronic data, this takes on a whole new meaning. It is a regulatory requirement that a Risk Analysis be performed to identify vulnerabilities, and then that an organization implement Risk Management procedures.
For any organization with internet access, there is always a risk of breech from hackers. They have become more and more sophisticated with a variety of viruses, worms, Trojans, etc.
Vulnerability testing, also called Risk Analysis, for electronic systems usually requires a third party expert.
Below, I am highlighting some of the regulations that you must be addressing in your organization immediately. This material is easily retrievable from an internet search for the Code of Federal Regulations.
Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
This is a lengthy section that addresses your facilities, disaster recovery plans, security levels, maintenance records, backup plans, workstation uses, etc. You should read this section in total to make sure your facility meets the physical security requirements of the regulations.
(2) (e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
(b)(1) Standard: Documentation. (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
(2) Implementation specifications:
(i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
If you are overwhelmed by this and don’t know where to start, my recommendation is to get a Risk Analysis completed for your organization. This should include a review of office policies, a physical assessment, and also a technical assessment for your electronic network. It is highly recommended that you utilize a third party to give you a clear view of your situation.
From this, you will be able to draw a roadmap for 2014 and forward. Your organization can be aware of the risks and vulnerabilities of its current operating structure and put plans in place to mitigate the risks and ensure regulatory compliance.