Frequently Asked Questions About Security
- What disciplines within health departments are being used as security officers?
- Is there a Division of Public Health security consultant available to locals to assist with technical security issues such as firewalls and encryption?
- Is there a document available that states that computer software needs to be remediated in order to be HIPAA compliant?
- What should be done to protect PHI and individually identifiable health information on computers when staff participate in "virtual offices" or home/community based work environments?
Q. What disciplines within health departments are being used as security officers?
A. The most common discipline used within local health departments is that of Information Technology (IT) professionals, since these duties involve maintaining the security of electronic patient data and adherence to the Security Rule.
Q. Is there a Division of Public Health security consultant available to locals to assist with technical security issues such as firewalls and encryption?
A. No.
Q. Is there a document available that states that computer software needs to be remediated in order to be HIPAA compliant?
A. The HIPAA EDI regulations indicate that standard transactions will need to be in the required format in order to be transmitted electronically and processed. The EDI regulations can be found at the following website: http://aspe.hhs.gov/admnsimp/Index.htm
Q. What should be done to protect PHI and individually identifiable health information on computers when staff participate in "virtual offices" or home/community based work environments?
A. The situation of employees working out of their homes is a challenging one, as the covered entity is responsible for protecting and securing all of the protected health information it owns. The issue is affected by both the Privacy Rule and the Security Rule.
As stated in the Privacy Rule, the covered entity is responsible for the receipt, transmission, and storage of individually identifiable health information (IIHI) in order to protect the client.
The Security Rule details how this information must be secured technically when it is on a computer or network.
Collaboration between the covered entity and Information Technology (IT) staff will be required to accomplish some of the security safeguards on home based computers. Obtain a copy of the Security Rule from http://aspe.hhs.gov/admnsimp for yourself and your IT staff so you can become familiar with what will be expected. Much of the information in the Security Rule is very technical and will require involvement of your IT staff. The rule does not address the extent to which a particular entity should implement the specific features. Instead, it requires that each affected entity assess its own security needs and risks and devise, implement, and maintain appropriate security to address its business requirements. Inherent in this is a balance between the need to secure health data against risk and the economic cost of doing so. Health care entities must consider both aspects in devising their security solutions. The proposed Security Rule recommends that all organizations that handle IIHI, regardless of size, adopt the following set of technical and organizational policies, practices, and procedures to protect such information.
Organizational Practices
- Security and confidentiality policies
- Information security officers
- Education and training programs
- Sanctions
Technical Practices and Procedures
- Individual authentication of users
- Access controls
- Audit trails
- Physical security and disaster recovery
- Protection of remote access points
- Protection of external electronic communications
- Software discipline
- System assessment
Issues to consider for home based personnel:
- Protected passwords could be set up on home computers so that other family members cannot log on to the employee's account on the computer. If Microsoft Windows is used as the operating system, features built into Windows allow this to be set up easily. If the employee is unfamiliar with this feature, someone from your IT staff should visit the home site and set it up. If other operating systems are used, someone from IT would have to be familiar with that operating system in order to accomplish secure access. If that is not possible, your agency could adopt a policy that it will only support certain types of operating systems.
- Each family member should have a separate email account; email accounts should not be shared. This would prevent other family members from viewing emails sent by the employee or employer that may contain PHI.
- Identify the email accounts being used. Internet accounts do not always provide encryption to protect the information sent via email. If private internet providers are being used, your IT staff may want to contact them and discuss some form of encryption to protect the PHI as it is sent over the internet. These email providers maintain the servers where the email account resides, and the PHI on those servers needs to be protected from viewing and access by unauthorized people.
- Identify how home based employees are storing PHI at home. Is it stored on the hard drive or on diskettes? Is it a duplicate of the information sent to the employer? How are paper documents stored? Policies and procedures would be required for home based employees to address these concerns.
- Another situation to consider is what to do when the employee no longer works for the employer. Policies and procedures would be needed to address this situation.
- Employees should sign confidentiality statements. Additional clauses could be included for home based employees to ensure that they are aware of their responsibilities for protecting PHI at home, regardless of whether it is on paper or on the computer.
- Employees should have training on the privacy and security policies and procedures.