Since the passage of HIPAA back in 1997, and through the Bush Administration flip-flop enactment of the Privacy Rules in 2001, DHHS has been relatively low-key in its enforcement efforts. It leaned towards education, with a relatively small number of cases nationally being referred to the Justice Department.
Well, things may be revving up. DHHS has hired the accounting and consulting firm of PriceWaterhouseCoopers to conduct audits of selected hospitals, focusing on the security risks associated with remote access to data and portable storage – such as the laptops that seem to contain data on everyone,
DHHS has long had concerns over the security of computer-based patient data. Even back in the late 1990s, with the dawn of the Internet era, officials were expressing concerns about the security of data against hacking and other kinds of security breaches. Their concerns are realistic, and we see them in how we need to handle email with patients, e-prescribing and so on. The department has expressed concern about the off-site maintenance and storage of
Here’s the takeaway: DHHS is well aware that “There have been a number of security incidents related to the use of laptops, other portable and/or mobile devices and external hardware.” Individual covered entities, such as practices, have discretion when to allow
- Risk analysis and risk management strategies;
- Policies and procedures for safeguarding EPHI;
- Security awareness and training on the policies & procedures for safeguarding EPHI.
In English: look at the vulnerabilities, develop policies and procedures specific to offsite use and vulnerabilities, and train, train and train. Oh, and document. If it ain’t written, it didn’t happen.