The security requirements of the Health Insurance Portability and Accountability Act (HIPAA) often leave security managers scratching their heads in bewilderment. The enigmatic guidelines set forth frequently raise more questions than they answer, and the resulting misinformation complicates compliance efforts. In our expert webcast Security compliance -- Separating FUD from reality, part two: HIPAA, Kate Borten, president of The Marblehead Group Inc., sets the story straight and separates the truth from fiction. Here, Kate answers some of the questions submitted by listeners during the live broadcast.
Can you give an example of a qualitative or subjective method you've used to value patient health information (PHI)?
It may be more helpful to view PHI in the context of an information classification scheme – which every information security program should include. HIPAA defines PHI as confidential. Security is defined as the assurance of confidentiality, integrity and availability of protected information assets. On the confidentiality scale, an organization may define public data, private or corporate data, confidential data and highly confidential data. Each of these classifications should have its own appropriate set of access and handling controls. Typically, the "confidential" classification includes information such as PHI, payroll and employee data, some legal documents (such as a pending lawsuit), and sometimes business strategy planning documents.
Wireless users jeopardize the security measures of the larger hard-wired network infrastructure that they access. How does the healthcare institution handle the vulnerabilities posed by clinicians who create rogue access points?
Start by developing a reasonable wireless policy that supports the organization's mission but protects information assets. Be sure that the draft policy is reviewed by organization leadership, including at least one physician, to get buy-in. That policy should prohibit establishment of access points by anyone other than designated staff (security or IT) in order to ensure proper control and configuration in accord with the information security program. Develop written procedures for submitting and handling requests for wireless use. Then disseminate this new information through training mechanisms to all affected, particularly the physician community and any others likely to want wireless networking. Finally, monitor compliance through procedures such as periodic war driving.
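The last step above, monitoring for access points that nobody in IT set up, can be partly automated. The Go program below is an added example and is not from the webcast or from The Marblehead Group; it assumes a survey has already produced a list of observed radios (the sample survey and inventory here are constructed) and compares that list against the inventory of access points IT deployed, reporting any radio that advertises one of the organization's network names but is not in the inventory, any inventoried radio whose network name has changed, and any unknown radio using the organization's naming convention.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessPoint is one beacon seen during a wireless survey.
type AccessPoint struct {
	BSSID   string // radio hardware address
	SSID    string // advertised network name
	Channel int
}

// Finding is one policy violation detected in the survey.
type Finding struct {
	AP     AccessPoint
	Reason string
}

// authorized is the assumed inventory of access points deployed by IT, keyed by BSSID.
// These values are constructed for the example.
var authorized = map[string]AccessPoint{
	"00:11:22:aa:bb:01": {BSSID: "00:11:22:aa:bb:01", SSID: "HOSP-CLINICAL", Channel: 1},
	"00:11:22:aa:bb:02": {BSSID: "00:11:22:aa:bb:02", SSID: "HOSP-CLINICAL", Channel: 6},
	"00:11:22:aa:bb:03": {BSSID: "00:11:22:aa:bb:03", SSID: "HOSP-GUEST", Channel: 11},
}

// managedSSIDs are the network names the organization owns (constructed).
var managedSSIDs = map[string]bool{"HOSP-CLINICAL": true, "HOSP-GUEST": true}

func normalizeMAC(s string) string { return strings.ToLower(strings.TrimSpace(s)) }

// FindRogues compares a survey against the inventory and returns every
// radio that violates the "only designated staff deploy access points" policy.
func FindRogues(survey []AccessPoint) []Finding {
	var findings []Finding
	for _, ap := range survey {
		bssid := normalizeMAC(ap.BSSID)
		if known, ok := authorized[bssid]; ok {
			// Inventoried radio: only flag it if its configuration drifted.
			if known.SSID != ap.SSID {
				findings = append(findings, Finding{ap, "authorized radio advertising unexpected SSID"})
			}
			continue
		}
		switch {
		case managedSSIDs[ap.SSID]:
			// Our network name from hardware IT never deployed: rogue or look-alike AP.
			findings = append(findings, Finding{ap, "our SSID from a radio not in inventory"})
		case strings.HasPrefix(strings.ToUpper(ap.SSID), "HOSP"):
			// Someone set up their own network using the organization's naming.
			findings = append(findings, Finding{ap, "unknown radio using organization naming"})
		}
		// Anything else (neighbouring businesses, home networks) is out of scope.
	}
	return findings
}

// SampleSurvey returns a constructed set of beacons as a survey tool might report them.
func SampleSurvey() []AccessPoint {
	return []AccessPoint{
		{BSSID: "00:11:22:AA:BB:01", SSID: "HOSP-CLINICAL", Channel: 1}, // ours
		{BSSID: "66:77:88:99:aa:bb", SSID: "NeighborCafe", Channel: 6},  // not our problem
		{BSSID: "de:ad:be:ef:00:01", SSID: "HOSP-CLINICAL", Channel: 6}, // rogue / look-alike
		{BSSID: "de:ad:be:ef:00:02", SSID: "HOSP-DrSmith", Channel: 3},  // self-deployed
	}
}

func main() {
	for _, f := range FindRogues(SampleSurvey()) {
		fmt.Printf("%-18s %-15s ch%-2d  %s\n", f.AP.BSSID, f.AP.SSID, f.AP.Channel, f.Reason)
	}
}
```

The comparison keys on the radio address rather than the network name because a rogue will often copy the legitimate name exactly; the inventory is what distinguishes the two. Run the check after every survey and reconcile the findings with the written request procedure so that an approved but not yet inventoried access point does not keep showing up as a rogue.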
If data from a healthcare facility is to be transferred to another facility that has a non-disclosure agreement in place, what means of encryption are available or required for CD/DVD-ROMs?
First, HIPAA's security rule does not absolutely require encryption in this case. This is an addressable specification, and each organization must determine whether encryption is an appropriate tool to mitigate risk. (Additionally, the rule does not specify what encryption algorithms to use and their minimum key lengths, but government Web sites such as csrc.nist.gov provide guidance.) However, I recommend using encryption in this case since a CD can easily fall into the wrong hands.
Second, if the two organizations routinely exchange confidential information via CDs, they should agree in advance and in writing on the selected encryption tool(s) and the method for exchanging keys. There are many products available for symmetric file encryption using widely accepted algorithms such as 3DES and AES.
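As an added illustration of the symmetric file encryption described above (this is example code, not a tool recommended in the webcast), the Go program below seals a file with AES-256 in GCM mode before it is written to removable media and verifies it on the receiving side. It assumes the two organizations have already agreed on the key and exchanged it by the separate method the answer calls for; the key generation in main and the sample file contents are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

const keySize = 32 // AES-256

// Encrypt seals plaintext under key with AES-256-GCM. The output layout is
// nonce || ciphertext || authentication tag, so the recipient needs only the
// pre-shared key to decrypt and to detect any modification of the file.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be exactly 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per file; a nonce must never repeat under the same key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It fails, rather than returning garbage, if the
// key is wrong or a single byte of the file was altered in transit.
func Decrypt(key, blob []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be exactly 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptFile reads src, seals it, and writes the result to dst (owner-only permissions).
func EncryptFile(key []byte, src, dst string) error {
	data, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	sealed, err := Encrypt(key, data)
	if err != nil {
		return err
	}
	return os.WriteFile(dst, sealed, 0o600)
}

// DecryptFile reads a sealed file and returns the verified plaintext.
func DecryptFile(key []byte, src string) ([]byte, error) {
	blob, err := os.ReadFile(src)
	if err != nil {
		return nil, err
	}
	return Decrypt(key, blob)
}

func main() {
	// Constructed: in practice the key is agreed in advance and exchanged out of band.
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	dir, err := os.MkdirTemp("", "phi-transfer")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	src := filepath.Join(dir, "discharge-summaries.csv")
	enc := src + ".enc"
	// Constructed sample content standing in for a real export.
	if err := os.WriteFile(src, []byte("MRN,Name\n000123,Doe\n"), 0o600); err != nil {
		panic(err)
	}
	if err := EncryptFile(key, src, enc); err != nil {
		panic(err)
	}
	plain, err := DecryptFile(key, enc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %d bytes: %q\n", len(plain), plain)
}
```

GCM is used rather than a bare block mode because it authenticates the ciphertext: a CD that was altered or damaged is rejected outright instead of decrypting to corrupted records. Random nonces are adequate for the handful of files a key would protect in this scenario; an organization sealing very large numbers of files under one key should rotate keys on a schedule agreed in the same written procedure.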
Who or what governing body oversees and enforces HIPAA compliance? Who enforces compliance by the smaller healthcare entities such as group practices? The American Medical Association (AMA) states that for now, the Office for Civil Rights (OCR) oversees this process, not by proactively investigating but by responding to complaints to the OCR or Department of Justice. Is that what your experience/knowledge suggests?
The AMA statement is correct. It is a fact (written in the law) that enforcement of the HIPAA Administrative Simplification rules is complaint-driven only, at least for the foreseeable future. Privacy rule complaints go to the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights. The OCR handles civil penalties and refers potential criminal complaints to the Department of Justice. All other rules under Administrative Simplification, including the security rule, will be enforced by HHS' Centers for Medicare and Medicaid Services (CMS) Office of HIPAA Standards. This is true of all "covered entities," large and small. There is no government agency or other body that officially audits proactively for HIPAA compliance.