Archive for November, 2009
If you’re reading this, sorry you’re on the clock!
Maybe you’d like to take a minute to say what you’re thankful for in terms of your HIPAA compliance team at your facility.
Happy Turkey Day!
– HIPAA Update
It seems as if everyone is talking about encryption these days, and that is certainly the case on our HIPAA Update blog.
HHS added encryption specifications in its interim final rule on breach notification to identify the technologies and methods that render PHI “unusable, unreadable, or indecipherable to unauthorized individuals.” Some of these specifications were not in the draft guidance HHS released in April.
“You now need to really consider encryption,” says Jeff Drummond, HIPAA blogger and health law partner in the Dallas office of Jackson Walker, LLP. “That’s sort of your first opportunity to avoid breach notification. You can’t do much about your paper records other than destroying them, which eliminates their utility. But for electronic data, you can keep it and use it, but should encrypt so it is considered ‘secured’ under HIPAA.”
In the interim final rule, the definitions for acceptable encryption include:
- Electronic PHI encrypted as specified in the HIPAA security rule. This includes “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.”
- Valid encryption processes for PHI in databases consistent with National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
- Valid encryption processes for PHI flowing through a network, including wireless, that comply with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; 800-113, Guide to SSL VPNs; and other processes validated under Federal Information Processing Standard (FIPS) 140-2.
Q. Returned mail for a patient account is sent to a business associate (BA), who looks for another address or guarantor. Sometimes, the people at the new address the BA gives us call to say they don’t have children or a medical bill with us. Is this a HIPAA privacy breach?
A. You should take appropriate steps to ensure that a new address is correct before sending PHI to that address. The BA should try to contact the patient or guarantor by telephone, using telephone numbers you have on file, to determine the correct mailing address.
Editor’s note: Angela Mitchell asks the question in the title of this blog post. Mary D. Brandt, MBA, RHIA, CHE, CHPS, answered this question. This is not legal advice. Consult your attorney regarding legal matters.
Covered entities and business associates can protect themselves against the dangers of unsecured social networking Web sites and communication practices by taking a hard stance against them, experts advise.
You can protect your organization by investing in communication devices such as BlackBerry® smartphones and banning sites such as Facebook and Twitter from hospital computers, says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR.
Education is essential, and it must be specific—it’s no good if it’s vague, he says.
Use these four models together to educate employees and protect your facility:
- New employee training (i.e., orientation)
- Annual refresher training
- Security reminders (e.g., weekly helpful e-mails, information in the hospital newsletter, messages that flash on staff member computer monitors)
- Communication policy: During annual staff member performance reviews, require staff members to acknowledge in writing that they have read and understood the policy
Teach clinical staff members to adopt the habit of texting messages that express urgency without including PHI. For example, write “Call me” or “I have an important message and I’m going to leave you a voicemail.” Then, if a message or device is lost, nothing personally identifiable is exposed.
Editor’s note: This is an excerpt from an article in the November edition of the HCPro, Inc. newsletter, Briefings on HIPAA.