HIPAA Security for Minnesota Medical Companies

by | May 14, 2019 | Blogs | 0 comments

There are a lot of medical companies in Minnesota. We’ve all heard of the big ones, Mayo, Fairview, Allina, and the Minnesota based medical device company Medtronic. But in addition to all these large companies, there are thousands, of small and medium-size medical companies in Minnesota. 

Being a medical company is almost synonymous with ‘HIPAA’. The need to comply with the Health Insurance Portability and Accountability Act. What does this mean to the information and cybersecurity requirements and controls for these Minnesota businesses? 

In brief, every effort needs to be made to secure and ensure the privacy of patient health records. If you can do that, you’re pretty much there. The only other things you’ll need to do is provide some communication and processes to fully comply with the requirements.  

The general rule is that patient healthcare information cannot be shared without the patients written authorization. 

The only exceptions to this general rule are under two conditions:

1. Treatment, Payment, and Operations (TPO): If the information is required by treat patients, collect payment or perform routine healthcare operations. This means doctors, nurses, lab specialists and other professionals that need it to perform their role of care can share these records. 

2. Law Enforcement: When specific requirements are met, patient information can be shared with law enforcement officials. The justifications include preventing or lessening a threat, evidence of a crime, alerting on the death, responding to emergencies. 

Simple in summary, but in reality what does this mean?

Let’s start with what qualifies as ‘patient healthcare records’. HIPAA jump-starts the process by helping define what Personal Healthcare Information or “PHI” is. They have identified eighteen ‘identifiers’.

What are the eighteen HIPAA PHI identifiers?

  • Name
  • Address (all geographic subdivisions smaller than the state, including street address, city-county, and zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security Number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate or license number
  • Any vehicle or other devices serial number
  • Web URL
  • Internet Protocol (IP) Address
  • Finger or voice print
  • Photographic image – Photographic images are not limited to images of the face.
  • Any other characteristic that could uniquely identify the individual

The transmission or storage of patient records that contain any of identifies need to be protected in accordance with HIPAA regulations. 

How must these records be protected in accordance with HIPAA?

The regulations can go into greater detail, and how this is applicable to your individual business may be unique, but below I will attempt to summarize how you need to protect these patient records. 

1. Least Privilege

In cybersecurity, we’ve always played by the rule of ‘least privilege’. These means only grant access to the people who are required to have it to fulfill their role within the company.

In addition, only give there account the required privileges required to fulfill that role. That means that if the user role doesn’t need to create records, assign them ‘read-only’ rights to the system. 

HIPPA as adopted this principle security principle. Only allow users that require access to PHI to have it. And within those roles, only provide privileges to access the required information, and modify the information required. For example, if a front desk receptionist needs to access client patient records to check them and print their chart, review the data needed to complete this role and assign the appropriate privileges. 

2. Administrative Safeguards

Within the HIPAA regulations, they outline several sets of ‘safeguards’. Safeguards are protections that are put in place to reduce the risk of something happenings. Think of guardrails on a mountain road turn. They ensure that even if something goes wrong with the driver (user), the guardrails will help reduce the risk of a death occurring (PHI being exposed) as a result. 

The first set of safeguards are ‘Administrative’. This set of safeguards focus on educated, training, process development, and the recording and attestation. 

Some of the individual safeguards for the Administrative of PHI are:

Acceptable Use Policy: This is a written guide that is provided to everyone that works with patient records and explains the ‘how’, ‘and ‘when’. It needs to explain clearly and enable employees to make diligent decisions on when they can share patient records, how they can appropriately and securely share those records. 

Sanction Policies: This written document covers the disciplinary actions of not complying with the policies and regulations. It addresses how to handle and respond to violations. It’s essentially a written approval by leadership to do what is required to maintain patient privacy even if that means ‘improvement plans’ and employee termination. 

Information Access Policies: Granting appropriate access to software programs, 

Security Awareness Training: Training, password updates, 

Contingency Planning: Policies and procedures put in place to respond to an emergency. These might include Fire, Vandalism, Emergency Response Plan

3. Technical Safeguards

Think of technical controls as an actual ‘preventative’ control, not just a policy or statement. 

Where a written policy may say that you should not drive through the entrance unless you have a required reason. A technical safeguard will physically prevent this action. Think of a secure metal gate that ensures users actually can’t drive through until they prove you’ve been granted permission. 

These technical safeguards outline important technical security controls that are expected in any business environment including:

Encryption: Data at rest and in transit should have encryption to prevent the data from being read in clear text. 

Backups: Data should be backed up and made available for restoration int eh event of a system outage or unavailability. 

Transmission controls: Prevent PHI from being read and accessed while being moved from a source to a destination. 

Destruction policies: An adequate and safe way to destroy patient data that is no longer in use or required for retention in a way that it can not be pulled out of the garbage and read. For technical systems, this is often a destruction process that involves the shredding of hard drives, or secure delete process. 

4. Physical Safeguards

This section covers the safeguards preventing the exposure of PHI by physically seeing it, touching it, and walking away with it. Think of physical paper files, hard drives, and on-screen displays. 

These controls will center around accessing monitors, walking way with computers, and opening files systems with paper or other physical records. These controls include:

Access Controls like RFID, PIN, or badge systems that prevent and limit access to areas that can have access to PHI. 

Monitoring Controls like surveillance systems and alarms. These can be used for visibility on who and when is accessing systems. and in the event of an investigation provide evidence. 

5. Partners (Omnibus Rule)

There is a section of HIPAA that outlines who and when you can share PHI with other organizations. If you need to share PHI with a partner organization than this partner organization needs to comply with certain parts of the HIPAA regulations.

Business Associate Agreement: To appropriately share information with a partner you should have an agreement that clearly documents the why, who, and when of the information and how it will be used and protected by the partner. This document is really a liability agreement that if the partner discloses the patient PHI, they will also be the responsibility for the penalties associated. 

6. Notice of Privacy  Practices (NPP)

A document that is provided to patients that informs them on how their PHI will be used by the healthcare practice.  It also covers the patients right to access the information, and instructions on how to amend the data. 

In addition to providing the NPP to patients, every attempt should be made to get written confirmation the patient has received and agreed to the NPP. 

7. Roles

Healthcare practices that are a covered entity under HIPAA are required to designate a Privacy Officer and Security Officer. These can be separate people, or one person can fulfill both roles. 

Need to provide the duty and responsibility of enforcing these rules and policies for the healthcare practice. 

Summary

I’ve always had the security mindset that if a good information security program is implemented then you don’t need to worry about regulations. I hate to admit, but HIPPA is the exception. The reason is that the requirements expand beyond cybersecurity controls. It reaches as far as to partner agreements, and NPP’s being placed in patients hands. This role and responsibility is bigger than information security program itself and requires coordination and partnership across the business. 

If the right people from the business can be brought to the table and the vast responsibilities can be delegated and coordinated, a successful program can be put in place to satisfy the HIPAA regulations. More important, as security practitioners, we never do this for ‘regulation’ purposes. We do this because we care. We care about peoples privacy. We care about confidentiality. I think HIPAA has done a really good job at defining a framework to hold the organization accountable to this the best can. 

Reference:

Here is a summary

https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

HIPAA-Roles-in-SecurityDownload
HIPAA Roles Cybersecurity

Submit a Comment

7 Ways to Improve Your Cybersecurity Reporting to Executives and the Board of Directors

A guide for cybersecurity leaders that will help you gain the reputation of a solid leader, while preventing you from making the mistakes I made when I was projected into reporting. This guilde will equip you and remove the stress and anxiety so that you can be clear and bold in your opportunity to prove you're the right person for the role, and your plan is on track!

You have Successfully Subscribed!