The HIPAA Security Rule is one of the most important and challenging undertakings for both medical and dental practices. In this post, I will illustrate why and how HIPAA compliance kits are ineffective.
HIPAA compliance kits fall short of satisfying the HIPAA Security Rule
Securing Protected Health Information (PHI/ePHI) is not a “one person” job or a DIY job. As a matter of fact, it is an impossible job for one person to go at alone, even with a DIY kit purchased from the Internet. Try searching “healthcare data breach” in Google News and you will be surprised to find a long list of reported incidents as recent as the past few months. Results like these are indicative of the monumental task many highly trained IT administrators are commissioned with.
Given the climate of rising enforcement of compliance with the Health Insurance Portability and Accountability Act (HIPAA), going at it alone could compromise the effective management of risk and risk mitigation. Reducing risk is the objective of implementing security measures. I hope to provide a clear understanding of why a DIY approach is very shortsighted and should be reconsidered when pursuing HIPAA compliance.
Today, many online sites offer HIPAA compliance kits. You can purchase one for as little as $100 and as much as $1000. Some even offer support and a number you can call to speak with a real person who will walk you through it step by step. These DIY kits do very little to nothing toward implementing actual security measures that truly comply with the HIPAA Security Rule. In my humble opinion they are a waste of money and time.
Let’s review a few sections of the HIPAA Security Rule that make it almost impossible to go at it alone. DIY kits have no chance of truly covering these sections, or of helping an inexperienced person meet their requirements. These are the five sections of the HIPAA Security Rule that are impossible to implement successfully using a DIY kit.
1. Evaluation (§ 164.308(a)(8))
Section 4.8 of the National Institute of Standards and Technology publication 800-66 Rev. 1 states:
“Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart”
The key activity of this section is evaluation. This includes penetration testing from inside your network environment and from the outside. To help you determine the best course of action, you may ask yourself these two questions:
– Which staff members have the technical experience and expertise to evaluate the systems?
– How much training will staff need on security-related technical and nontechnical issues?
The key to these questions is security-related experience. The DIY kits, although they don’t tell you, assume the person using the kit has IT security knowledge. Without security knowledge, it will be fundamentally difficult to satisfy this requirement.
2. Facility Access Controls (§ 164.310(a)(1))
This section states:
“Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”
As the section implies, facility access controls relate to the physical security of the location. The assistance of a security alarm vendor could help with fulfilling the requirements of this section. Securing the physical location is not the only item in this section; securing peripheral equipment is also an obligation. The most recent breach involved an enterprise business copier that was connected to the network. Records stored on this machine were lifted from its stored cache.
There is no chance a DIY kit could assist in satisfying this requirement. Understanding how to secure peripheral equipment such as business copiers is contingent on the experience and security knowledge of the individual or company. IT security consultants are best suited to developing strategies to satisfy this obligation.
3. Workstation Use (§ 164.310(b))
Section 4.11 states:
“Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”
This section focuses on taking stock of computer systems. The job at hand is taking a detailed inventory of the computers in the office. This includes the location and security of each computer and an inventory of every piece of software installed on it, including the version and build of each. Undoubtedly a DIY kit will not be able to address this section. IT security consultants use specialized software to accomplish this task.
4. Workstation Security (§ 164.310(c))
Section 4.12 speaks to workstation access controls. Most offices have some sort of access policy, such as each user having a username and password to access the computers. This section states:
“Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.”
To help determine whether a DIY kit can meet this objective, here are a few questions you may ask yourself:
– What are the options for making modifications to the current access configuration?
– What safeguards are in place, i.e., locked doors, screen barriers, cameras, guards?
– Have employees been trained on security?
HIPAA security consultants have the knowledge and experience to streamline the gathering of information and help develop the policies and procedures best suited to the individual practice. Cookie-cutter solutions or one-size-fits-all compliance kits cannot and do not assist in meeting this requirement.
5. Device and Media Controls (§ 164.310(d)(1))
Section 4.13 addresses data backup and storage. Here is the official language of this section:
“health information into and out of a facility, and the movement of these items within the facility.”
In my opinion this is the most important section of the HIPAA Security Rule. This section addresses how your office handles and secures the media devices that store data, essentially referring to backup data. A few key points that need to be addressed in this section include:
– Determine and document the appropriate methods to dispose of hardware, software, and the data itself.
– Assure that EPHI is properly destroyed and cannot be recreated.
– Ensure that an exact retrievable copy of the data is retained and protected to protect the integrity of EPHI during equipment relocation.
This section calls for strategy. An experienced IT or security consultant could assist in addressing it. The purpose of section 4.13 is to reduce risk. DIY kits fall short of meeting the requirements of section 4.13. Experience and expertise are the main drivers of achieving compliance with device and media controls.
HIPAA compliance should not be taken lightly. Working with a security consultant to develop the proper strategy to attain HIPAA compliance has its benefits. By adhering to HIPAA, the practice is adhering to a higher standard of security. The side effect is a highly secure medical or dental practice. Becoming compliant just for the sake of being compliant is the wrong approach. DIY kits are for those who just want to check the box and claim compliance. HIPAA security consultants, such as CheckupTech, utilize many tools and industry experience in security to address each section of the HIPAA Security Rule. I hope to have provided a clear understanding of why a DIY approach is very shortsighted and should be reconsidered when pursuing HIPAA compliance. Save time and save money: seek expert advice.