[ Thursday, March 25, 2004 ]
Shamelessly stealing ideas, part 1
I get lots of emails on HIPAA items, some good, some not so good. Of those, I’m always on the lookout for new and interesting HIPAA ideas. So, I cull through the inbox and occasionally sift out the nuggets of useful HIPAA info and blog it for you. Of course, I do it so you don’t have to.
Recently, there have been a few things stacking up that I said I’d blog about once I got some time. Now is as good a time as any. These two items are from the Medical Newswire e-mail service from Eli. First, a few steps to HIPAA security compliance. I spend a great deal of time talking about privacy, mainly because it’s here (or almost here if you’re a “small health plan”), but also because there’s still some time left to get your security ducks in a row. Additionally, Privacy really required covered entities to take a hard look at their comfortable ways of doing things and often change them; security will be less of a “turning over the apple cart” type of experience for most. However, you should be starting to think about considering planning to take some action, or something like that. Here are a few hints from the Eli folks:
(1) There are no cookie cutter solutions to security compliance, and there is no predefined set of steps you have to take. Unlike privacy, where you knew you’d have to adopt a NoPP, draft and sign BAAs, and train your workers, almost every facet of security compliance depends on where you are and what you do.
(2) Likewise, there are no technological “magic bullets.” You have to look at what you do, analyze the risks in your operations, determine what you could do and what you can afford, and make some decisions. It’s process, not checklist.
(3) Price matters. Did I mention determining what you can afford? With privacy, you had to do what you had to do; with security, cost is an allowable factor in determining what you are required to do. The good news is that this gives you a great deal of flexibility. The bad news is that you won’t really know if you’ve done enough. Balance is the key, though.
(4) Audit trails are also flexible. How you audit your computer use and vulnerabilities depends on what your computer system is used for, who uses it, and where its vulnerabilities are. If many outside users access your system, that’s an area you need to watch closely. If your system does not allow outside connections at all, then watch your users. The greatest risk for most entities comes from insiders, but your audit and control procedures should be designed for where your risk is. Think inside and outside the box.
(5) Be selective with your tracking system. There’s nothing in the security regs that requires you to track every user or every log-in, especially if you’re trying to track a business associate’s employees. Target smartly, and retain the ability to check up on everyone. But you don’t actually have to track every ant in the anthill (of course, it sure doesn’t hurt to have all of your employees think they are being tracked).
(6) Beware of technological Trojan Horses. Although it doesn’t always seem so, almost all hardware and systems are designed to make things easier for users. However, many make things easier for abusers as well. PDAs, tablet computers, and wi-fi connectability can open up a system to great risk, so take extra precautions. And if you haven’t heard enough about camera phones yet, get ready.
(7) Get moving. The security deadline will be here before you know it, and much of what needs to be done is the sort of thumb-sucking, navel-gazing analysis that’s involved when you try to find out what you’re doing and imagine what’s problematic about it. It’s not heavy lifting, but it’s a lot easier to do when you’ve had some time to mull things over. Don’t take so long a rest from all the hard privacy work that you lose your momentum.
(8) It’s not malice, but negligence, that will likely cause you to violate HIPAA. Don’t underestimate the importance of security. That’s how mistakes, and negligent violations, occur. Understand what you’ve got, where you are, what you need, what you can do, what you are doing, and when you’ll be where you need to be.
Most covered entities need a privacy officer and soon will need a security officer. What should their job descriptions be? Again, Eli’s newsletter has some advice:
Sample Privacy Officer Job Description:
-- Develop and formulate policies and procedures establishing standards for privacy
-- Assist in implementing privacy policies and procedures to ensure compliance
-- Initiate and participate in audits investigating and monitoring compliance
-- Chair committee to keep parties informed of current issues in privacy
-- Maintain awareness of laws and regulations through research, study, seminars, etc.
-- Maintain a system of management reporting providing timely and relevant information on compliance issues
-- Direct communication efforts promoting understanding of privacy laws, standards, and regulations and consequences of noncompliance through written materials and staff training
-- Ensure mandatory and ongoing education and training programs for staff, especially at hiring, whenever changes are enacted, and periodically.
-- Ensure provision and documentation of training
-- Submit annual report to board
-- Organize and maintain all privacy policies and procedures
-- Oversee and monitor the implementation of the privacy policies and procedures
-- Recommend revisions to policies and procedures in response to new laws and regulations or new issues or activities discovered in connection with regular operations
-- Ensure that Business Associates have signed Business Associate Agreements and are abiding by privacy policies and procedures
-- Consult with legal counsel as needed regarding HIPAA
Sample Security Officer Job Description:
-- In conjunction with Chief Information Officer, oversee all aspects of information security
-- Coordinate ongoing security risk assessment activities
-- Develop, implement, revise and renew risk management plan as needed
-- Assist in development and periodic review and revision of security policies and procedures
-- Oversee enforcement of security policies and procedures
-- Monitor compliance with security policies by staff, vendors, contractors, and business associates, and report any deficiencies
-- Determine and modify role-based access rules for employees
-- Review and document security incidents
-- Initiate and advise management concerning corrective action following security incidents and cooperate with law enforcement officials as appropriate
-- Serve as security consultant
-- Conduct security evaluations and access audits and advise of necessary revisions
-- Develop educational materials for and participate in staff training programs
-- Monitor advancements in information security technology
-- Monitor changes in standards affecting the information security system
-- Maintain knowledge of regulatory initiatives and advise management accordingly
-- Coordinate and review security-related contracts and proposals.
Thanks to Nancy Armatas of Popovits and Robinson, who developed these job descriptions. Of course, these are starting points. You should modify, add to, delete, or adjust as appropriate.
Jeff [6:14 PM]