Security

I recently called a general practitioner's office to schedule a complete physical exam. I would be a new patient at this doctor's office. They asked me to come in 30 minutes before the exam to fill out paperwork regarding my medical history. I was concerned that I would not know all the information requested about my family's history with diabetes, cancer, etc., so I asked them to fax me the forms so I could consult with my family prior to the appointment. The receptionist told me that under no circumstances could she fax me the forms because it was against HIPAA regulations. I fail to understand how a blank form, faxed to my private fax in my home, could be a security or privacy issue. Can you tell me whether or not this is true?
The information you supplied in your email does not identify a HIPAA violation. The physician office practice may have developed a policy to not fax information to patients in response to HIPAA but that would simply be their policy and not an actual HIPAA regulation.  (Posted 11/14/03)

We are a little confused about the sharing of passwords. Is it ok to give our computer passwords to our dept. manager or director? Or should only someone in IS have access to it if necessary?
It is not secure to share your password with anyone. Managers many times need access but they can have access to this by assignment of an overriding password. This is the best way to handle this situation so that you always know that when you put your password into the system it links only to you and therefore anytime it is used you and your organization can be assured that the password involved your input, viewing, etc. (Posted 7/10/03)

My company manufactures a piece of computerized equipment used in physical capacities assessment (agilities testing) facilities. The software requires user name/password access by default using an admin user name and password which my customers almost universally do not configure for individual employees. All their employees typically use the admin login to access the data. Is this something that I will have to admonish my customers for doing if they wish to be compliant?

In addition, we provide support for this equipment by remote telephone connection. The software in use does not have any form of encryption. The only “encryption” there is the normal modulation/demodulation of the 56k modem. (The stupid thing is that a modem's modulation/demodulation can in fact be considered encryption under the DMCA, which apparently does not delineate the difference between strong encryption and trivial encryption mechanisms. Pig-latin, as an example of a trivial encryption, is nevertheless considered encryption protected under the DMCA.) Anyway, my company connects to the server by modem and performs maintenance, occasionally having to diagnose report printing problems by viewing them on the screen, or repairing a worker's client file by downloading it to our office and uploading it back when repaired a few hours later. The files are accessed and repaired usually without ever running the application and without requiring any form of login other than the required modem software protocol, which implements a trivial global password. The modem software allows only one user name/password, does not have any form of encryption above its own protocol, and is shared by all our support personnel when we provide support. Is this an issue under HIPAA that must be addressed?

Lastly, the software saves the client files to disk in an unencrypted way that anyone with a little DOS knowledge could copy off to a floppy disk drive. The operating system is an embedded DOS which has no inherent security of its own. The system is designed around a custom peer-to-peer physical network protocol that links each workstation to another workstation in the system but which cannot link to the internet or Windows machines. Would either of these pose a problem under HIPAA?
I don’t believe that you would be classified as a covered entity under HIPAA, by definition. You don’t actually transmit any of the standard formats, and I don’t believe you store protected health information, based upon your description.

You will, however, probably be asked to sign a business associate agreement for many of your clients. This document will certify your intent to protect any and all protected health information, either by your staff or others, as well as indicating that you will not disclose protected health information to any other persons or entities. (Posted 5/15/03)

I have a small medical transcription company. I am very overwhelmed with all of the information out there. Could you please let me know the BASICS in regards to regulations? I have three subcontractors and one courier. They pick up tapes from the doctors' office, type them, and E-mail them to me. I proof-read them and print them and deliver them to the doctors' office. Sealed envelopes for picking up tapes and delivering work? Patient confidentiality statement from subcontractors and courier? Is a firewall necessary?
Providing you with the HIPAA basics is a tall order so I’ll try to focus on your questions. But first you must decide where you fit into the HIPAA mix.

Sealed envelopes for deliveries and pickups are a great idea. What is done with the old tapes or documents which may be produced? Are you destroying all PHI that does not go back to the doctor’s office? The subcontractors can either be treated as your employees or business associates and either way should be protecting PHI. Are the computers dedicated to transcription services only?

You should also remember that email is never 100% secure and should take steps to protect this information such as firewalls and encryption. (Posted 5/15/03)

Where in the HIPAA Regs is there anything mentioned about shared workstations? We are a large provider clinic with a Physical Therapy Center (OHCA) where several PTs share one common workstation. They use this periodically to check their schedules and sometimes to view PHI on their patients. They do not want to have to be constantly signing on. I believe there is no way around this, since there must be an accurate audit trail. But, if they have view only, as opposed to update access, would it make a difference?

There are also a few other areas where more than one person may share a workstation. All have separate sign-ons for the specific applications, and most have their own individual accounts for the network. However, we are finding that once a user signs on the other users may be using the system under their sign-on. We do have time-outs that will knock them out of the applications, and everyone should be using a password protected screen saver. But, they are obviously sharing these passwords. Unfortunately, a Single Sign-on product is not in the picture at this time.

Any light you can shed on this is most appreciated.
I would like to give you a definitive answer but with much of HIPAA a clear-cut answer is not supplied. HIPAA does address workstation use in both the Privacy and Security Rules. I tend to look at what should be done with what harm can be caused. Sharing passwords is not a secure process. When employees leave, the password is now unsecured and you are open to liabilities. Security as well as privacy education is a requirement and password usage should be discussed in these venues. Policies and procedures should address these issues and sanctions applied when not followed.

View only access vs. updating capabilities does not protect the privacy of protected health information. Security and privacy may cause extra steps but it is worth it to all of us and your patients will expect the highest level your institution is capable of producing. (Posted 5/15/03)

Do you think it is necessary to do the following to effect data security in a large behavioral health network? These steps are being recommended. I think it is overkill. Please advise.

  1. disable all floppy disk drives at all workstations
  2. disable all cd drives at all workstations
  3. disable all internet download capability at all workstations
  4. disable all control panels at all workstations (so that users can not reverse the auto log out feature)

In many ways, this is an organizational call on whether to allow internet and computer capabilities of the workstation.

I have seen these same things carried out at many organizations and it provides fewer field calls for information technology call desks, and in some measures, a higher form of security for the organization with less surfing of the internet, and less chance of viruses attacking the workstation. Even with the CD and floppy disabled, viruses may be transmitted over the e-mail network, so anti-virus is required on EVERY computer. I feel these measures can be overkill and provide only limited protection, while giving limited use of the workstation. However, from an IT perspective, most workstations do not require the use of the floppy or CD-ROM or internet usage. But I feel the best way to control this is with policies and procedures and training of your personnel. Many times I have seen where management can surf the internet, but not the workers. Will it encourage work productivity of employees to be able to use the internet? Will allowing management to have internet capability add a have-and-have-not attitude at your organization?

As I stated, these are organizational decisions that should be made, allowing or not allowing these capabilities. (Posted 5/15/03)

If I download unencrypted PHI over an ordinary telephone line and modem, is this considered dedicated for HIPAA? Or is this a violation of the rules and regulations?
If PHI is going to traverse phone lines, then it should be encrypted. That said, dedicated can mean many things: if the line runs from one entity to another entity that is part of your same organization, or you have a direct working relationship with the other entity (and there is little possibility of interception), then that could be considered a dedicated phone line and would be acceptable. But to simply download information over a phone line would not be considered dedicated.

Dedicated usually refers to a direct link from one network to another. If you are dialing direct from one modem to another computer, this would be close to dedicated, but does not completely fit the definition of a dedicated line. As you can see, the semantics involved are not easily traversed with HIPAA and each area must be looked at carefully. At any point that PHI will be traversing phone lines, e-mails, etc., then encryption should be used. (Posted 5/15/03)

My company is about to launch an encryption product and would like to know the process for having a product certified as HIPAA-Compliant. What costs are involved? Who tests these products? What do we need to provide to certify our product? What is the time frame involved with certifying a product?
Software can't really become HIPAA compliant, although you hear many people say this. It must become as compliant as possible, by having proper security of signing on, logging and auditing capabilities, and proper security installed and used by the user. There are 3rd party companies attempting to "certify" software throughout the United States. Beacon Partners has reviewed software for compliance aspects and given assessments to several software companies and entities.

I suggest that a complete review of practices, software capabilities and compliancy be conducted by working with a 3rd party HIPAA consultant to deal with all the nuances regarding risks levels, scalability, etc., in reviewing your software for HIPAA issues and concerns. (Posted 5/15/03)

I would like to get some information on the proper disposal of MRI, CT, PET, etc. imaging films. Please advise as to where the information can be found or who I could contact to obtain the approved guidelines.
The proposed security regulations state that protected health information (PHI) must be protected and disposed of properly. Several hospitals we have assessed have dealt with this problem with large industrial shredders, while others have contracted with companies that incinerate their PHI. Either way is acceptable, and placing them into the trash without destroying them would be a violation of patient confidentiality. (Posted 5/15/03)

The draft HIPAA Security Regulation has an item under access control for - Emergency access procedure (see excerpt below from the policy).

We were wondering what would constitute compliance?

(c) Technical security services to guard data integrity, confidentiality, and availability (the processes that are put in place to protect information and to control individual access to information). These services include the following requirements and implementation features:

(1) The technical security services must include all of the following requirements and the specified implementation features:

(i) Access control that includes

(A) A procedure for emergency access (documented instructions for obtaining necessary information during a crisis)
Information must be minimized to those without a need to know and is what this part of the proposed regulations is trying to achieve.

There are several ways that this can be accomplished:

1. Can your medical application software limit users to the areas they normally have access to and not other areas? (A doctor will only have access to the information of patients who are currently their patients.)

2. A doctor requiring access could call the help desk for access. (Problems arise when your help desk is not 24 / 7 or when the need to see a patient's information is imminent, such as in an emergency room.)

a. Solutions to this kind of situation would be:

i. A 24 / 7 help desk

ii. An envelope with an "all user" access to the system that is sealed until needed; once accessed, this user would be modified by changing the password

iii. Employees are allowed to access all areas of the system, with the understanding that the application has the capability of logging who accesses specific areas or modules, and personnel are not to access areas they do not have a need to know.

3. This last solution is one I have seen at several hospitals. All activities are logged and then the logs are audited on a routine basis, and situations are investigated where an employee has accessed records that they do not have a need to know. The problem with auditing logs is the need to consistently read volumes of logs. There are software solutions to assist with this kind of activity, and some of the software applications can alert administrators when areas are accessed by personnel who do not normally have permissions to access them.

4. Further, a procedure should be developed that states what your organization has decided is the best way to provide emergency access to information. This may be one of the above solutions or simply that the IT administrator is on-call and will provide access to the employee. (This would work for a health plan or for non-emergency care and not for imminent care that must be provided). (Posted 5/15/03)
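The routine log audit in item 3 and the "change the password once the envelope is opened" step in item ii can both be mechanized. The script below is an added example, not code from the original answer or from any product it mentions: it reads a constructed CSV access log, flags every access to a patient outside the user's current care assignments (the "need to know" check), and separately flags every use of a sealed-envelope emergency account so that the credential is rotated and the access reviewed. The log format, the account name `emergency_all`, and the assignment table are all constructed assumptions for the example.

```python
"""Audit an access log for need-to-know violations and emergency-account use.

Added example with a hypothetical log format; the assignments, account name
and log lines below are constructed sample data, not real records.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed "need to know" table: which patients each clinician currently treats.
CARE_ASSIGNMENTS = {
    "dr_lee": {"P1001", "P1002"},
    "dr_patel": {"P2001"},
    "nurse_kim": {"P1001", "P2001"},
}

# Hypothetical name of the sealed-envelope "all user" emergency login.
EMERGENCY_ACCOUNT = "emergency_all"

# Assumed CSV column order for the application's access log.
LOG_FIELDS = ["timestamp", "user", "patient", "module", "action"]

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2003-05-15T08:01:00,dr_lee,P1001,chart,view
2003-05-15T08:05:00,dr_lee,P3001,chart,view
2003-05-15T08:10:00,nurse_kim,P2001,meds,update
2003-05-15T08:12:00,nurse_kim,P1002,chart,view
2003-05-15T22:40:00,emergency_all,P3001,chart,view
2003-05-15T22:45:00,dr_patel,P2001,lab,view
2003-05-15T22:50:00,emergency_all,P1002,meds,update
"""


@dataclass(frozen=True)
class Finding:
    kind: str        # "need_to_know" or "emergency_use"
    timestamp: str
    user: str
    patient: str
    module: str


def parse_log(text):
    """Parse CSV access-log text into one dict per line, keyed by LOG_FIELDS."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=LOG_FIELDS)
    return [row for row in reader if row["user"]]


def audit(entries, assignments, emergency_account):
    """Return findings in log order.

    - Any use of the emergency account is a finding: it is expected to be rare,
      must be reviewed, and means the envelope credential must be rotated.
    - Any other access to a patient not in the user's assignments (including
      users with no assignments at all) is a need-to-know finding.
    """
    findings = []
    for e in entries:
        if e["user"] == emergency_account:
            findings.append(Finding("emergency_use", e["timestamp"], e["user"],
                                    e["patient"], e["module"]))
        elif e["patient"] not in assignments.get(e["user"], set()):
            findings.append(Finding("need_to_know", e["timestamp"], e["user"],
                                    e["patient"], e["module"]))
    return findings


def summarize(findings):
    """Roll findings up into the items an administrator acts on."""
    by_user = Counter(f.user for f in findings if f.kind == "need_to_know")
    emergency = [f for f in findings if f.kind == "emergency_use"]
    return {
        "need_to_know_by_user": dict(by_user),
        "emergency_uses": len(emergency),
        # Opening the envelope once means the shared password is no longer sealed.
        "rotate_emergency_credential": bool(emergency),
    }


if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOG), CARE_ASSIGNMENTS, EMERGENCY_ACCOUNT)
    for f in results:
        print(f"{f.timestamp} {f.kind:13} user={f.user} patient={f.patient} module={f.module}")
    print(summarize(results))
```

Running the sample flags two ordinary accesses for investigation (`dr_lee` viewing P3001 and `nurse_kim` viewing P1002, neither on their lists) and two uses of the envelope account, so the summary tells the administrator to rotate that password. In a real deployment the assignment table would come from the scheduling or admission system, and the audit would run on a schedule rather than by hand, which is the point of item 3: the logs exist either way, but they only protect patients if something reads them.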