HIPAA:
HHS Security Guidance Targets Electronic PHI
Published on Mon Apr 02, 2007
Don't let HIPAA breaches trip up your facility.
The Health Insurance Portability and Accountability Act (HIPAA) is on the Centers for Medicare & Medicaid Services' (CMS) radar screen right now, so watch out for privacy lapses regarding protected health information.
The U.S. Department of Health & Human Services (HHS) recently issued security guidance warning providers of "security incidents" involving portable devices that store electronic protected health information (PHI). For example, nurses taking laptops to the hospital to collect preadmission data for nursing home patients could result in the types of problems that the guidance warns providers against.
HHS says it prepared the guidance document "with the main objective of reinforcing" some ways a "covered entity" can protect PHI when staff access or use it outside the organization's "physical purview."
Beware: CMS has authority to enforce the HIPAA Security Standards, says HHS in the document. And it "may rely on the guidance" to determine if the facility's actions are "reasonable and appropriate" for safeguarding residents' PHI. Here's What To Do Facilities can implement simple strategies to prevent laptops and other portable devices from saddling the facility with a HIPAA disaster:
Implement policies prohibiting people from taking home laptops or other portable devices, such as PDAs, or CDs with PHI on them in any form, advises Peter Arbuthnot, regulatory analyst with American HealthTech in Jackson, MS.
Prohibit staff from putting PHI on laptops or hard drives, suggests HIPAA expert Michael Roach, MHSA, JD, partner, Meade Roach Consulting in Chicago. "You can purchase a flash drive that requires a password" to store the information, he says. These hold much more data than a disk and are "on the market now," Roach adds. "They are tiny--you plug them into the USB port of the laptop."
Beware: "If a nurse or other facility staff person were using a non-protected flash drive and it got into the wrong hands, the government could reasonably ask, 'Why didn't you spend a couple dollars more to buy password-protected flash drives?'" Roach says.
Another option: Perhaps the nurse collecting preadmission information at the hospital could transmit the resident-specific information to the facility using a secure portal with encryption, so the data does not remain on the laptop, says Arbuthnot.
In addition to a password protecting portable or remote devices storing PHI, facilities can use a number of strategies to protect PHI, according to the recent HHS security guidance:
• Require use of lock-down or other locking mechanisms for unattended laptops;
• Password protect files;
• Require that all portable or remote devices that store PHI employ encryption technologies of the appropriate strength. Use Secure Connections When Offsite Facilities should have strict IT guidelines about how staff use portable devices or offsite computers to connect to the [...]
