
Author Archive

May 15

HIPAA Q&A: Laptop encryption


Q. A long-term care facility has deployed laptops that connect to a file server and are password protected. The laptops are not used to store PHI or other confidential data and are not removed from the facility. Do the laptop hard drives need to be encrypted?

A. No. If no PHI or other confidential information is stored on the laptops and they remain on-site, the risk associated with data loss is minimal. If the laptops are stolen, it would not be a breach of unsecured PHI.

Answered by: Chris Apgar, CISSP, for Briefings on HIPAA.

Categories : Uncategorized
Comments (4)

By Chris Apgar, CISSP

Some healthcare administrators and executives consider the notice of privacy practices (NPP) another government administrative burden. From a privacy perspective, however, the NPP is not a waste of time.

The NPP informs patients how their PHI will be used and that they will be contacted if an authorization for its use is required. It also describes patients’ rights, such as the right to access their medical records and the right to file a complaint with OCR.

Prior to finalization of the HIPAA Privacy Rule on December 28, 2000 (with compliance required effective April 14, 2003), many of the current privacy rights for patients did not exist. For example, patients' only recourse for filing complaints related to violation of their privacy rights was their provider or health plan. And there was no guarantee that providers or health plans would make copies of patients' medical or claims records available.

Is the healthcare industry fully protecting patients' privacy? Not quite; some gaps continue to exist. For example, the HIPAA Privacy Rule does not require that patients be offered a choice of opting in or opting out of information sharing in a health information exchange. Many exceptions allow information exchange without patient authorization; an example is the broad range of activities that fall under the umbrella of public health. One such exchange of data is state public health agencies' collection of all health plan claims data for all insured persons within a state. This includes public health plans, such as Medicare and Medicaid, and private health plans, such as Blue Cross Blue Shield insurance carriers.

In addition, one failing of many NPPs is that they don't comply with the HIPAA requirement that they be written in plain English. Most seem to be crafted by an attorney and are not written in a manner that facilitates patient understanding.

This is an excerpt from the November edition of the HCPro, Inc. newsletter Briefings on HIPAA.

Categories : HIPAA privacy
Comments (0)

Q. Please explain in an understandable way for nontechnical individuals the necessary level of encryption for email to be considered secure as defined in the interim final breach notification rule.

A. All ePHI, including email, is considered secure if it is secured at a level consistent with National Institute of Standards and Technology (NIST) standards. Most NIST documents are not easily decipherable to nontechnical individuals. Several different standards can be used to encrypt data transmitted via email. One common approved standard is the Advanced Encryption Standard (AES). A second, usually used for website encryption and webmail encryption, is Secure Socket Layers (SSL). Encrypting your email with AES or SSL, or another NIST approved standard, is a good place to start.

The next step is determining the strength of the mathematical algorithm used to protect, or scramble, your data. An algorithm less than 128-bit is not secure. The greater the number of bits, the stronger the algorithm is. Many vendors and healthcare entities are transitioning to 256-bit encryption. This exceeds the NIST standard, but is worth considering because it provides better protection to any PHI you transmit via the Internet.

The specific NIST standards that address PHI transmitted via email are NIST 800-52, NIST 800-57, and Federal Information Processing Standards 140-2.

OCR guidance published in an FAQ may be helpful with respect to understanding what is considered “secure” electronic PHI when transmitted via the Internet or email.

Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore., answered this question, which first appeared in the May Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.
Categories : HIPAA Q&A
Comments (0)

Q. Please explain the level of encryption necessary for email to be considered secured as required by the interim final breach notification rule.

A. All ePHI, including email, is considered secure if it is secured at a level consistent with National Institute of Standards and Technology (NIST) standards. Most documents that meet these standards are not easily decipherable to nontechnical individuals.

Several different standards may be used to encrypt data transmitted via email. One common approved standard is the Advanced Encryption Standard (AES).

A second, usually used for website encryption and webmail encryption, is Secure Socket Layers (SSL). Encrypting email with AES, SSL, or another NIST approved standard is a good place to start.

Determining the strength of the mathematical algorithm used to protect or “scramble” your data is the next step. If the algorithm is less than 128-bit, your data is not secure. The larger the number of bits, the stronger the algorithm is. Some vendors and healthcare entities are transitioning to 256-bit encryption.

This exceeds the NIST standard, but it is worth considering because it provides better protection for any PHI you transmit via the Internet.

The specific NIST standards that address PHI transmitted via email are NIST 800-52, NIST 800-57, and Federal Information Processing Standards 140-2.

The OCR explains the necessary protections for ePHI transmitted via the Internet or email in an FAQ at http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2006.html.

Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question, which first appeared in the April Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.

Categories : HIPAA Q&A
Comments (0)
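The two email-encryption answers above both reduce to one operational check: transport protected by SSL/TLS with nothing weaker than 128 bits enabled. As an added example (not from the original posts or from Apgar & Associates), the following Python builds a client context for webmail or SMTP-over-TLS that enforces that floor and audits what OpenSSL actually enables; the TLS 1.2 minimum and the cipher string are my assumptions, chosen to be consistent with the NIST SP 800-52 reference above.

```python
import ssl

# Policy floor stated in the answers above: below 128 bits is not secure.
MIN_STRENGTH_BITS = 128
# TLS 1.2 as the lowest protocol version is an assumption in line with
# NIST SP 800-52 (cited above); the answers themselves name no version.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2


def build_email_tls_context() -> ssl.SSLContext:
    """Client context for webmail / SMTP-over-TLS that refuses weak suites."""
    ctx = ssl.create_default_context()      # certificate verification stays on
    ctx.minimum_version = MIN_TLS_VERSION   # rejects SSLv3, TLS 1.0 and 1.1
    # Assumed cipher string: forward-secret AEAD suites only for TLS 1.2.
    # TLS 1.3 suites are configured separately by OpenSSL and are all
    # 128-bit or stronger, so they pass the floor unchanged.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def weak_ciphers(cipher_info, min_bits=MIN_STRENGTH_BITS):
    """Names of enabled suites below the floor (empty list == policy met).

    cipher_info is a list of dicts shaped like SSLContext.get_ciphers()
    output, i.e. each has at least "name" and "strength_bits".
    """
    return sorted(c["name"] for c in cipher_info
                  if c["strength_bits"] < min_bits)


def connection_meets_policy(cipher, min_bits=MIN_STRENGTH_BITS):
    """Check the (name, protocol, bits) tuple returned by SSLSocket.cipher()
    after a handshake: protocol must be TLS 1.2+ and key size at the floor."""
    _name, protocol, bits = cipher
    return protocol in ("TLSv1.2", "TLSv1.3") and bits >= min_bits


if __name__ == "__main__":
    ctx = build_email_tls_context()
    print("weak suites enabled:", weak_ciphers(ctx.get_ciphers()) or "none")
    # Constructed sample of what a legacy mail server might negotiate:
    legacy = ("DES-CBC3-SHA", "TLSv1", 112)
    print("legacy handshake acceptable:", connection_meets_policy(legacy))
```

On a live connection, pass `ssl_sock.cipher()` to `connection_meets_policy` after `ctx.wrap_socket(...)` completes to verify what was actually negotiated rather than what was merely offered.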

Q. Must we keep HIV information separately in the medical record?

A. The HIPAA privacy standards treat HIV information like any other health information. Therefore, there is no requirement to keep information separately, get a specialized release, etc.

That said, many states have statutes that afford special protection to information pertaining to HIV testing or treatment. Since HIPAA is a federal privacy floor, more stringent state laws would apply.

As always, the best way to achieve compliance is to do your best to be sure that patients are aware of what you are doing with their protected health information.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question.

Categories : HIPAA Q&A
Comments (0)