In the waning days of 2006, the Department of Health and Human Services (HHS) issued a HIPAA security guidance concerning the use of portable media and devices as well as the offsite access and transmission of electronic protected health information. The guidance comes in the wake of numerous security incidents that have been covered by the press over the last year or so.
Emphasizing the importance of the guidance, HHS noted that it “may rely upon this guidance document in determining whether or not the actions of a covered entity are reasonable and appropriate for safeguarding the confidentiality, integrity and availability of [electronic protected health information], and it may be given deference in any administrative hearing” under the HIPAA enforcement rule. Accordingly, covered entities should review this document carefully.
By way of background, the security standards currently regulate only protected health information stored or transmitted electronically. The guidance notes that the Centers for Medicare and Medicaid Services has delegated authority to enforce the HIPAA security standards, while the Office for Civil Rights has enforcement authority over the privacy standards.
HHS lays out examples of the type of portable media about which it has concerns: laptops, home-based personal computers, personal digital systems or PDAs, smart phones, public workstations, wireless access points, USB flash drives, memory cards, floppy disks, CDs, DVDs, back-up media, e-mail, smart cards, and remote access devices.
Not surprisingly, the core message is that covered entities should be extremely cautious about allowing the offsite use of or access to electronic protected health information. Covered entities should permit such use or access only when there is a “business case,” such as a home health visit or a physician accessing an e-prescribing application while out of the office. Even when a business case is justified, offsite use of or access to electronic protected health information should occur “only where great rigor has been taken to ensure that policies, procedures and workforce training has been effectively deployed, and access is provided consistent with the applicable requirements of the HIPAA privacy rules.”
Recognizing that the security standards allow a great deal of flexibility in implementation, the guidance document identifies three key areas to which covered entities should give “significant emphasis and attention”:
- Risk analysis and risk management strategies, which are the heart and soul of security compliance
- Policies and procedures for safeguarding electronic protected health information, which are derived from the risk analysis and risk management process
- Security awareness and training on the policies and procedures for safeguarding electronic protected health information. Policies and procedures, no matter how well designed, will not be effective unless the workforce receives appropriate training.
HHS highlights three key areas of concern for remote use of and access to electronic protected health information – access, storage, and transmission. The guidance document provides a chart for each of these key areas, listing the risk and possible risk management strategies to address the identified vulnerability. The possible risk management strategies are arranged with more basic solutions first, followed by more complex or sophisticated approaches. These charts build upon each other and do not repeat strategies from risk to risk. Although the guidance does not specifically require each of these risk management strategies, a covered entity would do well to analyze carefully each of these options, strive to implement as many of these as appropriate (and to document the reason particular strategies are not appropriate) and explore other potential risk management approaches.
The guidance document calls out the importance of “clear and concise” training and workforce awareness, particularly in the key areas of accessing, storing and transmitting electronic protected health information. If applicable, training should cover:
- Password management procedures
- Remote device/media protection (specifically reinforcing policies that prohibit leaving devices/media in unattended cars or public thoroughfares)
- Policies prohibiting the transmission of electronic protected health information over open networks (including email) or downloading electronic protected health information to public or remote computers.
In the event of security incidents and non-compliance, a covered entity must take actions to manage the harmful effects of any loss. Covered entities should have security incident procedures that may include securing and preserving evidence, managing the harmful effects of improper use or disclosure, and notifying affected parties. Of course, a covered entity should evaluate any security incidents as part of its ongoing risk management initiative. Of note, the guidance does not specifically require notification but does include notification as a possible security incident procedure.
A sanction policy must be in place and be effectively communicated to the workforce so they understand the consequences of failing to comply with security policies and procedures. The guidance suggests that a covered entity “should consider at least requiring employees to sign a statement of adherence to security policies and procedures as a prerequisite to employment.” If not already doing so, covered entities may want to give consideration to requiring such statements or confidentiality agreements.