


HIPAAnotes Volume Two, April 2002

No. 13 HIPAA Detail: Applying HIPAA Security Audit Requirements

Since the HIPAA security and privacy rules were proposed, health care providers have been struggling to understand how to apply their auditing requirements. This week's HIPAA note discusses security auditing. Next week's note will consider privacy auditing.

The proposed security rule's administrative standards require an internal audit process, defined as a review of the records of system activity such as logins, file accesses, and security incidents. The technical sections of the rule require the mechanisms to gather this audit data.

Most health care organizations already have the capability to capture the kind of security data described above. Modern network operating systems typically provide the means to collect log files recording login failures and successes, and attempts to access specific files (such as applications, or the data files of applications, that contain health information). Many organizations have chosen not to enable these features, believing them to be a resource drain, but inexpensive upgrades are readily available to offset such problems. Further, most performance problems associated with auditing are the result of auditing too much information; selecting more refined audit parameters, so that you collect only the events you actually intend to review, resolves this issue.

Who should conduct the audits? Ordinarily, IS staff conduct these reviews. Examining the login-failure log should be a daily task for one member of the security administration team. Other logs can be examined on a more relaxed schedule; in fact, many of the patterns worth looking for make more sense when viewed on a weekly basis. For larger institutions, forensic or log-analysis software packages can be used to examine the data for patterns and for changes in patterns (such as a user who never works at night suddenly logging in at 2 AM).

The best value of the audit process comes from proactive auditing: examining the logs before you are aware of a problem. Waiting until a security breach to examine the logs is a high-tech example of locking the barn door after the horse has bolted. The purpose of security is to prevent breaches, not to prosecute them after the fact.

Read an overview of the proposed security rule.

Learn more about the technical aspects of security.

Tom Grove, Director
Phoenix Health Systems


No. 14 HIPAA Detail: YES - Audit for Privacy!

In our last HIPAAnote, we discussed auditing for security, an activity that is explicitly required by the HIPAA security rule. The privacy rule is not as explicit. It prescribes an accounting of some disclosures, but not of uses. An audit trail of every record view has great value to the organization, but little to the patient: the volume of entries is large, and there is no context for judging whether each access was appropriate.

Don't assume, however, that because the privacy rule doesn't explicitly mention auditing, it shouldn't be done. A properly managed privacy audit program is one of the best tools for ensuring compliance with appropriate use and disclosure standards throughout your enterprise.

A privacy audit requires much more specific data than a security audit. The privacy audit requires the ability to track the viewing and editing of specific patient records. This level of audit data is not typically available from network operating systems, and must come instead from the applications themselves.

A few basic principles to help you get maximum value from your privacy audits:

  • First, be PROACTIVE. The purpose of a privacy audit program is to prevent breaches, and to catch violations before they become a serious issue. A regular, ongoing audit program is the answer to catching problems early.
  • Second, be SELECTIVE. Any attempt to examine logs of all accesses of all patient records is doomed to failure. Even if you had the resources, the large volume of data would prevent the patterns from being obvious. Some possibilities:
    • Audit accesses of VIP records
    • Audit accesses of employee records
    • Audit accesses where the employee and the patient have the same last name
    • Audit accesses where the patient has been discharged for more than X days.
    • Audit accesses where the location doesn't match the patient location
  • Finally, be PUBLIC about your audit program. Instead of conducting these audits from a central office, have unit supervisors audit accesses for patients assigned to their unit. They are in the best position to judge appropriate access, and the more people involved in the program, the more your employees will know about it and understand that you are serious about protecting privacy. Don't be afraid to let it be known that you have disciplined, or even terminated, employees for these violations of hospital policy; publicity for the program will stop more violations than almost anything else you do.
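The selection criteria in the list above, and the routing of the selected accesses to unit supervisors, are straightforward to implement once the application audit trail can be joined to patient master data. The following is an added example (not code from this HIPAAnote or from Phoenix Health Systems) that applies all five criteria to a constructed access log and patient table and then groups the hits by the patient's unit. The column layouts, the 30-day discharge window, and every record shown are assumptions made for the illustration.

```python
"""Selective privacy audit: pick out record accesses that meet review criteria
from an application audit trail, then route them to unit supervisors.

Added illustration. The CSV layouts below are assumptions, and ACCESS_LOG and
PATIENTS are constructed sample data, not output of any real application.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed application audit trail: who viewed or edited which patient record.
ACCESS_LOG = """timestamp,user,user_last_name,user_unit,patient_id,action
2002-04-04T09:00:00,jsmith,Smith,ward3,P001,view
2002-04-04T09:05:00,jsmith,Smith,ward3,P003,view
2002-04-04T10:30:00,rjones,Jones,ward5,P002,view
2002-04-04T14:00:00,kwhite,White,ward3,P004,edit
"""

# Constructed patient master data; an empty discharge_date means still admitted.
PATIENTS = """patient_id,last_name,unit,vip,employee,discharge_date
P001,Doe,ward3,no,no,
P002,Famous,ward5,yes,no,
P003,Smith,ward3,no,yes,
P004,Brown,ward7,no,no,2002-02-01
"""


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def select_for_review(accesses, patients, review_date, discharge_days=30):
    """Return the accesses matching at least one criterion, with reasons attached."""
    by_id = {p["patient_id"]: p for p in patients}
    selected = []
    for a in accesses:
        p = by_id[a["patient_id"]]
        reasons = []
        if p["vip"] == "yes":
            reasons.append("vip")
        if p["employee"] == "yes":
            reasons.append("employee")
        if a["user_last_name"].lower() == p["last_name"].lower():
            reasons.append("same_last_name")
        if p["discharge_date"]:
            days = (review_date - date.fromisoformat(p["discharge_date"])).days
            if days > discharge_days:
                reasons.append("discharged_%dd" % days)
        if a["user_unit"] != p["unit"]:
            reasons.append("unit_mismatch")
        if reasons:
            selected.append({
                "timestamp": a["timestamp"],
                "user": a["user"],
                "patient_id": a["patient_id"],
                "action": a["action"],
                "patient_unit": p["unit"],
                "reasons": reasons,
            })
    return selected


def route_by_unit(selected):
    """Group flagged accesses by the patient's unit, one work list per supervisor."""
    work = defaultdict(list)
    for item in selected:
        work[item["patient_unit"]].append(item)
    return dict(work)


if __name__ == "__main__":
    hits = select_for_review(load_csv(ACCESS_LOG), load_csv(PATIENTS), date(2002, 4, 4))
    for unit, items in sorted(route_by_unit(hits).items()):
        print(unit)
        for item in items:
            print("  ", item["timestamp"], item["user"], item["patient_id"], item["reasons"])
```

Of the four sample accesses, only the first (a ward3 nurse viewing a ward3 patient with a different surname) passes through unflagged, which is the intended shape: most routine accesses never reach a supervisor's list. Two caveats a practitioner will hit quickly: the VIP and employee criteria require flags in the patient master data that most systems do not carry by default, and the unit-mismatch criterion produces noise for roles that legitimately work across units (pharmacy, lab, transport), so those roles need to be excluded from that one rule or its hits will be ignored along with the real ones.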

More information on HIPAA privacy.

Tom Grove, Director
Phoenix Health Systems


No. 15 HIPAA Regs -- The Privacy NPRM: The Rules May Change Midstream...

Proposed changes to the Privacy rule, in the works since HHS published its privacy guidance in July 2001, were published last month. The changes, while not as far reaching as some had hoped, still would have impacts on the HIPAA efforts underway at thousands of hospitals, physician offices, health plans, and clearinghouses. The NPRM:

  • Proposes to remove the existing requirement for consent under HIPAA for treatment, payment and health care operations. Patients would be asked only to acknowledge receipt of the notice of privacy rights and practices.

  • Clarifies that a provider could discuss a patient's treatment with other professionals involved in the patient's care without fear of violating the rule if they are overheard, provided that the discussion meets the minimum necessary standards and the provider takes reasonable safeguards to prevent being overheard.

  • Includes model business associate language and gives most covered entities (except for small health plans) up to an additional year to change existing contracts.

  • Proposes that entities must obtain the individual's authorization before sending them marketing materials, while not impairing the ability of doctors and other covered entities to discuss treatment options and other health-related information, including disease-management programs.

  • Addresses concerns that the current rule may have unintentionally limited parents' access to their child's medical records and clarifies that state law and professional judgment govern disclosures to parents.

  • Allows researchers to use a single combined form to accomplish both HIPAA and informed consent purposes, and modifies other provisions to more closely track the requirements of the "Common Rule," which governs federally-funded research.

  • Seeks comment on establishing a limited data set that does not include directly identifiable information but in which certain identifiers remain, with the requirement that disclosure of the limited data set would require certain privacy protections from the users of that data.

  • Allows the use of a single type of authorization form to get a patient's permission for a specific use or disclosure that otherwise would not be permitted under the Privacy Rule, eliminating the need for covered entities to use different forms to obtain such advance permission.

  • Clarifies that the rule permits disclosures in certain circumstances for the sale of a covered entity's business, and that a group health plan or health insurance issuer can disclose enrollment or disenrollment information to a plan sponsor without amending plan documents.

  • Excludes disclosures made pursuant to an authorization from the accounting of disclosures.

  • Clarifies that covered entities can disclose protected health information for the treatment, payment and certain health care activities of another covered entity or health care provider.

  • Permits covered entities to continue to disclose information to non-government entities about the quality, safety, and effectiveness of FDA-regulated products and activities - such as reporting adverse events related to prescription drug use.

  • Permits broader latitude in using the hybrid entity provisions, and clarifies that protected health information does not include employment records.

Remember, these proposed changes are controversial, not final, and are currently the subject of public comment. You may add your comments by following the directions provided at: http://www.hhs.gov/ocr/hipaa/

More on the Privacy NPRM - including reactions, the full NPRM itself in manageable pieces, and analysis.

Tom Grove, Director
Phoenix Health Systems


No. 16 HIPAA Tech: Coping With Security of Portable Devices

If you've walked around any airport lately, you might think that portable computing devices like laptops, PDAs, and combination PDA/telephones are required for admission to the building. If you've spent any time in a hospital recently, you know that portable computing technology is almost as pervasive there. The boom in portable computing has important implications for security under HIPAA.

The most significant security issue with portable computing devices is physical security. Physical security for hospital-based desktop computers rests on the presence of the device in a controlled environment. But portable devices are generally not physically restricted. Loss or theft of a device containing health information is the most common risk. PDAs and laptops are inviting targets for thieves, and are just as easily lost. If loss or theft occurs, access to the health information is likely, since encryption of hard drives and memory is not commonplace.

Often physicians own these devices, and the lack of organizational ownership tends to translate into a lack of control. Physicians add hardware and software to computers that connect to your network, exacerbating your organization's risk. Further, because these machines may be used for purposes besides the intended medical tasks, such as accessing the Internet, a downloaded virus or spyware application can cause a confidentiality breach.

How do you address these concerns? The first instinct many security professionals may have is to ban the devices. This is not necessarily the ideal approach. Many physicians are using PDAs in conjunction with practice management systems or in managing prescriptions -- legitimate business uses, with benefits to the provider and to the patient. A more practical approach is to require, first, that portable devices be registered with your IS department, and second, that users follow a policy specifying no non-medical uses of the device, virus protection standards for the device, and physical security parameters.

The security rule won't be final for a while, so when should you write this policy? Now. Waiting increases the number of devices for which you must gain control. Establish controls over this security risk now, before the problem grows larger.

By Tom Grove, Principal
Phoenix Health Systems





HIPAAdvisory.com
Phoenix Health Systems
Copyright 2000-2006. All rights reserved.
