5 Security Awareness Tips for HIPAA Compliance
The Healthcare field generates a lot of information that is very private. To address this issue, Congress passed what was originally known as the Kennedy-Kassebaum bill but was later changed to Health Insurance Portability and Accountability Act, or HIPAA. HIPAA was intended to help people carry their health insurance from one company to another, as well as to streamline the movement of medical records from one health care institution to another.
At the micro level, HIPAA covers “‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information”. Protected health information, or PHI, and electronic PHI, or ePHI is the heart of what HIPAA is intended to protect. An example of PHI would be fax containing, and an example of ePHI would be an electronic record on a computer that contains PHI. It should be noted that with the prevalence of computers in the healthcare field, ePHI is the most common form.
With this said, a covered entity or its business associate must protect against the misuse of both forms of PHI. This article details 5 security awareness tips that will help covered entities better protect PHI and maintain compliance with HIPAA.
What is a Covered Entity?
According to HIPAA, a “covered entity” is defined as health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Basically, these transactions concern billing and payment for healthcare services or insurance coverage. These covered entities include hospitals, academic medical centers, physicians, and other healthcare providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. General examples of covered entities include institutions, organizations, or persons who work with PHI or ePHI.
Security Awareness Tips
Security Awareness and Training
Security Awareness and training is essential in maintaining HIPAA compliance. Security awareness and training is a required administrative safeguard that a covered entity must employ to meet HIPAA compliance. The subsection of the HIPAA law dealing with security awareness and training is §164.308(a)(5) and states that at a minimum, a covered entity must cover security reminders, malware protection, log-in monitoring, and password management. Security awareness and training should be conducted on a regular basis, annually or more frequently if possible.
Although HIPAA has stated a minimum regarding security awareness and training, it is just a minimum. Covered entities can beef up their security awareness and training by requiring employees to keep a record of possible security violations and how they handled them. The records should be discussed at their annual security awareness and training session.
Encryption is standard in Information Security generally, and it would be smart for a covered entity to implement encryption in their environment. However, what does HIPAA say about encryption? While it is not explicitly mandatory for a covered entity to deploy encryption in their environment, what HIPAA does say is there are only two ways to safeguard against the misuse of PHI: Encrypt it or burn it. Since burning is not the most secure method of data management, to say the least, encryption is definitely the way to go for covered entities. This can be accomplished by encrypting all computers that handle ePHI which normally means all employee workstations and servers that store or process PHI.
Securing Copy/Fax Devices/Scanners with a PIN
Printers, fax devices, and scanners can provide an on-ramp/off-ramp between digital healthcare systems and physical documents. However, these devices produce documents that normally contain PHI and could open a floodgate of HIPAA violations for the covered entity if a third party were to view them. Covered entities can solve this problem by configuring their printers, fax devices, and scanners to require a PIN be entered by the employee who is using the device to retrieve their documents. This easy solution could prevent an unintended violation of HIPAA if a member of the nightly cleaning crew were to view a fax in the fax machine containing PHI.
Physical safeguards are essential for a covered entity to meet HIPAA compliance. Some tips for physical safeguard would include:
- Ensure that covered entity employees lock their computers when they leave their desk, go to break/lunch, and go home. Covered entity employees often deal with a high volume of ePHI, and if a computer with ePHI is unattended and unlocked, anybody can see it whether intended or not.
- The covered entity should use door locks with either PIN codes or key cards. This will keep out individuals with no lawful right to view PHI/ePHI and will secure physical documents and computers.
Clean Desk Policy is a great method to enforce PHI/ePHI security. Often employees at a covered entity will have documents and notes on their desk containing PHI. By simply requiring that employees keep their desks cleaned and locked when they are not at their desk effectively solves this issue.
Keep a Tight Password Policy
Keeping a tight password policy will go a long way in helping to protect PHI/ePHI. Passwords are frequently used to perform most common tasks in a HIPAA regulated office, including logging into computers and accessing emails. By requiring passwords to be at least 8 characters (including capital and lowercase letters, numbers, and symbols) long, it will be nearly impossible for hackers and HIPAA violators to break in. These passwords should be changed at the most every 90 days. Covered entities should instruct their employees to not use their names, birthdays, or any other identifying information in their passwords.