The Office for Civil Rights has revealed the top areas of interest on its HIPAA privacy and security compliance radar.
Adam Greene, former senior health information technology and privacy advisor at OCR and now partner at the law firm Davis Wright Tremaine in Washington, D.C., recently discussed each hot topic with HealthLeaders Media.
Hotspot: Incident detection and response (OCR’s top issue)
Greene: I recommend both a top-down and bottom-up approach. From the top, covered entities and business associates should evaluate whether they are reasonably logging system activities and reviewing those logs in a way that is reasonably likely to detect impermissible uses and disclosures.
From the bottom, covered entities and business associates should ensure that all staff who have access to PHI are reasonably trained to be able to spot an impermissible use or disclosure and report it to the appropriate person (since the HITECH Act makes clear that the entire organization is treated as knowing of a breach if anyone, other than the person who committed the impermissible use or disclosure, knows of the breach).
Hotspot: Review of log access
Greene: No entity can review every instance of access. The key is how to reasonably spend your limited resources in a way that will best identify problems. This generally should include looking for patterns of unusually large access by an employee and paying special attention to high risk areas such as access to patient records of VIPs.
If appropriate for your organization, this may also include more sophisticated algorithms, such as comparing patient addresses and employee addresses to detect potential cases of neighbor snooping by employees, or looking for access that is unusual for a department (e.g., a labor and delivery nurse looking up a male patient).
There is no one-size-fits-all answer, but covered entities and business associates should document what options they have considered and how they concluded that their approach was reasonable.
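The four log-review heuristics Greene describes above (unusually large access volume per employee, VIP record access, employee/patient address matching for neighbor snooping, and access that is unusual for a department), as an added Python example that is not part of the original interview. The access-log rows, employee addresses, department rule, and the volume threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample data (not real records): one row per chart access
# (user, department, patient id, patient sex, VIP flag, patient street), plus a
# small employee directory with home street for the neighbor-snooping check.
ACCESS_LOG = [
    ("nurse01", "labor_delivery", "P100", "F", False, "12 Elm St"),
    ("nurse01", "labor_delivery", "P101", "M", False, "40 Lake Dr"),
    ("nurse04", "labor_delivery", "P102", "F", False, "5 Hill Rd"),
    ("doc03", "cardiology", "P300", "M", True, "88 River Rd"),
] + [("clerk02", "billing", f"P2{i:02d}", "F", False, "1 Main St") for i in range(6)]
EMPLOYEES = {"nurse01": "14 Elm St", "nurse04": "7 Birch Ln",
             "doc03": "3 Pine Rd", "clerk02": "9 Oak Ave"}

# Departments whose normal patient population is restricted; access outside the
# expected set is unusual for that department (an L&D nurse opening a male chart).
DEPT_EXPECTED_SEX = {"labor_delivery": {"F"}}

def street_name(address):
    """Drop the house number so '12 Elm St' and '14 Elm St' compare as neighbors."""
    parts = address.split(maxsplit=1)
    return parts[-1].strip().lower()

def review_access_log(log, employees, volume_factor=2.0):
    """Apply the four heuristics; returns a list of (user, code, detail) findings."""
    findings = []
    per_user = Counter(row[0] for row in log)
    counts = sorted(per_user.values())
    median = counts[len(counts) // 2]
    for user, n in per_user.items():            # 1. unusually large volume per employee
        if n > volume_factor * median:
            findings.append((user, "high_volume", f"{n} accesses vs median {median}"))
    for user, dept, patient, sex, vip, street in log:
        if vip:                                 # 2. VIP records get special attention
            findings.append((user, "vip_access", patient))
        if street_name(employees[user]) == street_name(street):   # 3. neighbor snooping
            findings.append((user, "neighbor_match", f"{patient} on {street_name(street)}"))
        expected = DEPT_EXPECTED_SEX.get(dept)  # 4. access unusual for the department
        if expected and sex not in expected:
            findings.append((user, "dept_mismatch", f"{dept} opened {sex} patient {patient}"))
    return findings

if __name__ == "__main__":
    for finding in review_access_log(ACCESS_LOG, EMPLOYEES):
        print(*finding)
```

Each finding is a lead for a human reviewer, not a conclusion; the thresholds and rules are the part an organization should document as reasonable for its own environment.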
Hotspot: Secure wireless network
Greene: The May 2011 OIG report regarding CMS oversight of the Security Rule is helpful here, highlighting a number of vulnerabilities in wireless networks that the OIG found when auditing hospitals. For example, OIG found hospitals where no authentication was required to access the network or where there was an inability to detect devices intruding on the network.
For smaller providers, the issues may be less complicated, such as ensuring that encryption is turned on and that the administrative access to configure the access is properly password protected.
Hotspot: Management of user access and passwords
Greene: Covered entities should ensure that there are policies generally prohibiting the sharing of user IDs, systems are configured to require strong passwords when accessing higher-risk information and to require changing of default passwords, and that access to administrative accounts is closely controlled.
Hotspot: Theft or loss of mobile devices
Greene: Good policies and training on safeguarding mobile devices are a good first step. But, no matter what administrative steps are taken, mobile devices will get lost or stolen. Accordingly, I would highly recommend encryption of such devices and trying to maintain PHI centrally, whenever possible (rather than storing PHI on mobile devices themselves).
Hotspot: Up-to-date software
Greene: Covered entities and business associates should ensure that patches that address vulnerabilities are pushed out to workstations [regularly] and should consider whether an upgrade to software or an operating system is necessary if that version is no longer supported by the vendor. Of course, it is also imperative to keep anti-malware software up-to-date.
Hotspot: Role-based access – lack of information access management
Greene: Staying on top of role-based access is always challenging. If standards are too lax, there are significant security risks. If standards are too tight, then patient safety may be jeopardized due to unexpected situations in which an employee needs legitimate access to information but does not have the needed access level. A closely monitored break-the-glass solution may help remedy some of the concerns.