HIPAA SECURITY TIPS Many health care providers are familiar with the privacy standards under HIPAA, which took effect in April of 2003. The next major component of HIPAA that must be implemented is the "security" standards. The security standards address administrative, physical, and technical safeguards Covered Entities must put into place to protect patient health information. They go a step beyond the privacy standards and get to the actual nuts and bolts of protecting patient health information. To assist our health care clients and friends in their implementation efforts, we recently launched HIPAA Security Tips, a weekly series of helpful implementation how-to's that will be delivered free by e-mail. Each tip will cover a specific topic of a required HIPAA security policy. We'll touch on a different policy each week right up to the compliance deadline of April 20, 2005. The following tips are in chronological order, with the most recent tip first. HIPAA Security Tips are free and available to anyone. To subscribe, send an e-mail to hipaa@icrh.com with "Subscribe" in the subject line. #35: Information System Activity Review (April 19, 2005) Under the final HIPAA Security Rule, covered entities must implement procedures to regularly review records of information system activity. This is a required standard and must be implemented by all covered entities. This rule dovetails with other security standards, such as the requirement for audit controls, the requirement for monitoring log-in attempts, and the requirement for tracking and reporting security incidents. The information system activity review standard controls how and how often these reporting documents and information are reviewed. There is, unfortunately, no universal recommendation for the scope and frequency of information system activity review. Logs and reports concerning applications with higher risk and/or higher criticality should be reviewed more often. Unusual failed login attempts, for example, should be detected and followed up on in a period of days, not weeks. Lower risk applications, such as web browsing where firewalls and antivirus software are both present, may warrant a less frequent review. As a general rule, no process which merits logging should be reviewed less frequently than at 90 day intervals. Above all, ensure that the reviewers of the logs are different than the individuals whose activity is tracked by the logs. Otherwise, the review process is rendered ineffective. Determining how long logs should be retained also raises some interesting questions. Some consultants will say that HIPAA requires retention of all logs for at least six years. That probably overstates the rule's requirement. It is true that the final Security Rule includes a documentation retention requirement of six years. A careful reading, however, demonstrates that where a specific activity or assessment is required, only a record of the activity or assessment need be retained for six years. It is not necessary to retain all supporting documentation for the full period. If, for example, internet server logs are reviewed monthly, a contemporaneous record of the review (a checksheet, for example, initialed and dated upon review of the log) would suffice to be maintained for the six year period, not necessarily the entire log itself. How long the actual log should be maintained depends again on the criticality of the data tracked by the log, the organization's overall risk analysis, and other factors such as redundancy, the robustness of other security measures, and the reasonableness of a shorter versus a longer retention period. On that last point, note that continuously falling prices for long term data storage make cost a shrinking factor even for small and mid-size organizations. #34: Maintenance Records (April 7, 2005) Covered entities must implement policies and procedures for documenting repairs and modifications to the physical components of a facility related to security. The "maintenance records" requirement is an addressable implementation specification under the Facility Access Controls standard. Covered Entities must implement the specification unless it is inappropriate or unreasonable and cannot be met through an alternative measure. Numerous specifications require Covered Entities to evaluate and update physical components of their security systems. (See Tips #13, #14, and #16.) The maintenance records specification requires a Covered Entity to maintain records of the installation, modifications and updates, routine maintenance, and repair of these components. Virtually all Covered Entities will employ some physical components related to security. The regulations cite "hardware, walls, doors and locks" as examples of physical components related to security. Depending on the size of the Covered Entity, physical components could also include grounds security (gates, alarms, and communication systems), building security (doors, walls, hardware, window bars, locks, fireproofing, sprinkler systems, and smoke detectors), equipment and devices used by security personnel (televisions, monitors, radios, pagers), and information system security (computers, servers, back up systems). Maintenance records are an excellent way to demonstrate security compliance efforts. Maintenance records can be used to document the installation of security measures, the monitoring and update of the systems, and action taken in the event of a detected breach or weakness in the systems. Do not limit maintenance records to a simple log of repairs and updates. Very often maintenance will be conducted by a third party, presenting the risk of introducing unauthorized persons into the facility and/or systems. Where appropriate and reasonable, Covered Entities should screen and supervise persons providing maintenance services. Make records of screening and supervisory efforts part of the maintenance records, too. As noted in Tip # 11, at times a Covered Entity relies upon a third party, such as a landlord, to provide and maintain a physical component of security. Contacts with the third party regarding installation, updating and repair of physical security components should be documented and included in maintenance records. As the Security Rule provides no specific time frame for retaining maintenance records, the general Privacy and Security rule standard of six years would assure compliance. #33: Sanction Policy (April 1, 2005) Covered entities must adopt a sanction policy that applies "appropriate" sanctions against employees violating security policies and procedures. This is a required administrative safeguard and must be implemented by all covered entities. The sanctions policy is an element of the entity's security management process, which includes a risk analysis (Tip #12), risk management measures and information system activity review. Do not wait to develop a sanctions policy until after an employee has violated security policies and procedures. Like all other policies required under the Security Rule, the sanctions policy should be in place on or before April 21, 2005. The sanctions policy serves the same purpose as the disciplinary mechanisms that are a required element of an effective compliance program. It provides the "stick" to enforce adherence. Should an entity impose a sanction for every violation? What if the employee wasn't aware that he or she was violating a security policy? It is rare to have actual proof that an employee was aware of a violation. An effective sanctions policy should subject an employee to discipline when the employee should have known his or her action (or omission of action) would violate security policies or procedures. "Should have known" typically means the employee acted in deliberate ignorance of, or with reckless disregard for, the requirements of the P&Ps. The "should have known" standard should be familiar to covered entities: it is similar to the regulatory standard to which the covered entity itself is held. #32: Authorization and Supervision (March 25, 2005) Covered entities must implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. The purpose of this requirement is to ensure that all members of the workforce have appropriate access to electronic protected health information and to prevent those who do not from obtaining it. Workforce authorization is an addressable requirement and, therefore, must be implemented unless it is inappropriate or unreasonable and cannot be met through an alternative measure. Tip #20 addressed how covered entities should assess the level of access to be provided to different members of the workforce. Once levels of access are determined, covered entities must establish written procedures for granting and revoking access, changing access when the status of an employee changes, and verifying that a particular user is authorized for a particular access level. The size of the organization will determine the scope and formality of access authorization procedures. Covered entities also must determine whether they need to supervise access to electronic protected health information in order to prevent the misuse of such information. In determining what type of supervision may be necessary, covered entities should identify routine and non-routine handlers of electronic protected health information. Supervision may not be necessary where system access is well-controlled. For example, if specific security parameters or physical barriers control access, a covered entity may not need to be concerned about access by non-routine handlers, such as maintenance personnel. In other situations, the need for physical supervision may be eliminated if the covered entity enters into a business associate agreement with a non-routine handler, such as an outside software vendor. Physical supervision of access in non-routine circumstances can be prohibitively expensive. Electronic supervision, such as by use of logging functionalities and active monitoring, offer the potential for long-term cost savings despite the initial costs associated with setting up the electronic system. #31: Protection From Malicious Software (March 21, 2005) As part of their security awareness and training programs, covered entities must consider training employees on procedures for guarding against, detecting, and reporting malicious software. (See Tip #29 for more on security awareness and training programs.) This specification is "addressable," which means that the covered entity must implement it unless doing so would be inappropriate or unreasonable and the purpose of the standard cannot be met through an alternative measure. In popular usage, this specification refers to training on the use of anti-virus practices. (Technical users will be quick to note that "malicious software" includes not only viruses but also worms, trojan horses and bombs, among others.) Although anti-virus computer programs (widely available) can provide first-rate protection against malicious software, even the best programs are a half-step behind the viral programmers and, in any event, are dependent upon frequent updating to keep virus definitions current and effective. Live individuals are often the last line of protection against a virus infection. Accordingly, individuals who may come in contact with malicious software (via e-mail, sharing of floppy discs, on the web, or otherwise) should be provided with (at least) fundamental training in detecting and handling such software. Basic employee practices such as not opening unverified attachments and not following unknown embedded links can go a long way to protecting an organization from infection. This specification should NOT be confused with the implementation of anti-virus programs themselves. This particular specification concerns awareness and training on employee practices. Whether anti-virus programs should or must be installed at a system level or on individual workstations is a question to be asked under other standards, such as the integrity standard and the access control standard in the "technical safeguards" group. To view HIPAA Tips 1-10 Click Here To view HIPAA Tips 11-20 Click Here To view HIPAA Tips 21-30 Click Here To Top