HIPAA Security

Medical records retention has increased to 10 years for the federal government. State government retention policies vary.

Information blocking rules come from the Cures Act. They give a patient access to all of their data, and health providers cannot interfere. This allows more interoperability between companies and organizations.

RESPONSIBILITIES

The Security Rule applies to electronic protected health information (EPHI).

Each covered entity that handles electronic data has its own risks.

A HIPAA security plan ensures CIA: Confidentiality, Integrity and Accessibility.

You should protect against any reasonably anticipated threat and any anticipated use or disclosure of data.

You must ensure the workforce is compliant.

SAFEGUARDS

Being compliant requires safeguards that are administrative, physical and technical.

Administrative safeguards include policies and procedures. Administrative safeguards are 50% of your security plan.

Physical safeguards prevent unauthorized access to workstations or the building.

Technical safeguards include information security, encryption, VPN, firewalls, DMZ, endpoint protection, DLP, etc.

WHO NEEDS TO BE COMPLIANT

Short answer: everyone who accesses EPHI. Telehealth requires HIPAA-compliant vendors.

Compliance extends to employees, who must secure their workspace and internet connection.

5 common areas of non-compliance that can cause a breach:

1. Leaving PHI on exposed servers
2. Insecure (non-encrypted) laptops
3. Using outdated software
4. Never changing passwords
5. Lack of training

WHAT ABOUT BREACHES?

A breach is any unauthorized use of unsecured PHI. If a breach occurs, the breach procedure should include:

1. a notification form (including the date of discovery)
2. mitigating steps
3. corrective action

Notification must be sent to affected patients within 60 days. If fewer than 500 patients are affected by the breach, you must notify the HHS Secretary annually. If more than 500 patients are affected by the breach, you must notify HHS within 60 days and notify the media.

HOW TO DO A GENERAL RISK ASSESSMENT

1. Understand the scope of the business. Ex: if you have employees you will need to deal with OSHA laws, finance has to deal with the Sarbanes-Oxley Act, healthcare has to deal with HIPAA.

2. Catalog all the laws that apply to the business.

3. What is the consequence of the requirements if a breach occurs? Ex: high impact, low impact (consequences should be outlined in the actual law).

4. What is the likelihood of the breach occurring (high, medium, low)?

5. What controls do you have to stop or mitigate a breach? (Sufficient/insufficient, or effective/highly effective/non-effective.)

6. How much risk is left over, and what is the rating of that risk?
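The steps above carried through as a small risk register. This is an added example, not part of the original notes: the catalog of requirements is constructed, and the scoring scheme (ordinal scales for impact and likelihood, their product as inherent risk, and a reduction factor for control effectiveness) is an assumption for illustration, not something the notes or HIPAA prescribe.

```python
"""Qualitative risk register for the general risk assessment steps.

Added example; not from the original notes. The scoring scheme below
(ordinal scales, impact x likelihood, reduction by control effectiveness)
is an assumption for illustration. The sample catalog is constructed.
"""
from dataclasses import dataclass

# Assumed ordinal scales: impact and likelihood as in the notes, and the
# fraction of inherent risk that remains given the control's effectiveness.
IMPACT = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
CONTROL_FACTOR = {"non-effective": 1.0, "effective": 0.5, "highly effective": 0.25}


@dataclass
class Requirement:
    law: str           # which law the requirement comes from (step 2)
    requirement: str   # the specific obligation
    impact: str        # consequence if breached, per the law (step 3)
    likelihood: str    # estimated likelihood of a breach (step 4)
    control: str       # effectiveness of the existing control (step 5)


def inherent_risk(req: Requirement) -> int:
    """Risk before controls: impact x likelihood on the assumed 1..3 scales."""
    return IMPACT[req.impact] * LIKELIHOOD[req.likelihood]


def residual_risk(req: Requirement) -> float:
    """Risk left over after the control is applied (step 6)."""
    return inherent_risk(req) * CONTROL_FACTOR[req.control]


def rating(score: float) -> str:
    """Assumed bands over the 0.25..9 range the scheme can produce."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(catalog, tolerance="medium"):
    """Evaluate every requirement and return rows sorted by residual risk,
    highest first, flagging those whose rating exceeds the tolerance."""
    order = {"low": 0, "medium": 1, "high": 2}
    rows = []
    for req in catalog:
        score = residual_risk(req)
        rows.append({
            "law": req.law,
            "requirement": req.requirement,
            "inherent": inherent_risk(req),
            "residual": score,
            "rating": rating(score),
            "exceeds_tolerance": order[rating(score)] > order[tolerance],
        })
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


# Constructed sample catalog (the output of step 2 for a small business).
SAMPLE_CATALOG = [
    Requirement("HIPAA", "Encrypt EPHI on laptops", "high", "high", "non-effective"),
    Requirement("HIPAA", "Workforce security training", "high", "medium", "effective"),
    Requirement("OSHA", "Workplace injury reporting", "medium", "low", "highly effective"),
    Requirement("SOX", "Financial reporting controls", "high", "low", "effective"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_CATALOG):
        flag = "  <-- exceeds tolerance" if row["exceeds_tolerance"] else ""
        print(f"{row['law']:6} {row['requirement']:30} inherent={row['inherent']} "
              f"residual={row['residual']:.2f} ({row['rating']}){flag}")
```

Run as a script, it lists the constructed requirements with the unencrypted-laptop item at the top as the only one above a "medium" tolerance; the unencrypted laptop is also one of the five common areas of non-compliance listed earlier. Whatever scales you actually use, the structure is the same: catalog, score impact and likelihood, credit the controls, rank what remains.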
