Are you a member of a healthcare organization working with protected health information (PHI)? If so, you need to make sure all communication, storage, and transmission of PHI are HIPAA compliant. But what is HIPAA compliance, and how does your medical practice’s use of technology impact it? By following this HIPAA compliance infographic, you can keep your practice staff educated and prepared.
Are your passwords HIPAA compliant? HIPAA compliant password requirements are an often-overlooked component of an effective HIPAA compliance program. Along with a privacy and security program, strong passwords can go far in protecting sensitive health data.
If you are reading this, there’s a good chance that you (or one of your coworkers) have passwords and login information written on a Post-It note taped to a desk.
While displaying passwords out in the open is unfortunately common in most offices (even the Boston Red Sox are guilty), it leaves you open to data breaches and costly HIPAA violations.
HIPAA Password Requirements
Effective password management is an important part of your HIPAA compliance plan. In order for a password to be considered HIPAA compliant, it needs to meet the standards stated in the Administrative Safeguards section of the HIPAA Security Rule.
PASSWORD MANAGEMENT – § 164.308(a)(5)(ii)(D)
The last addressable specification in this standard is Password Management. Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must implement:
“Procedures for creating, changing, and safeguarding passwords.”
In addition to providing a password for access, entities must ensure that workforce members are trained on how to safeguard the information. Covered entities must train all users and establish guidelines for creating passwords and changing them during periodic
Sample questions for covered entities to consider:
- Are there policies in place that prevent workforce members from sharing passwords with others?
- Is the workforce advised to commit their passwords to memory?
- Are common sense precautions taken, such as not writing passwords down and leaving them in areas that are visible or accessible to others?
The HIPAA Security Rule mandates that you MUST have some kind of password plan in place but does not require a specific plan. This allows you to develop, with your technology service provider, a plan that meets the needs of your employees and your practice.
How To Create A Secure Password
Here are some basic Dos and Don’ts when it comes to passwords that are complex and HIPAA compliant.
- DO change your system-level passwords (Windows Administrator, application administrator accounts, etc.) on a quarterly basis
- DO change your user-level passwords (email, desktop computer, etc.) at least every six months
- DO create passwords that meet at least three of the five following character classes:
  - Lowercase characters
  - Uppercase characters
  - Special characters (@, #, $, %, &, etc.)
- DO create passwords that are at least 8-15 alphanumeric characters
- DO use different passwords for your business accounts and your personal accounts
- DO create passwords that are easy to remember. One way to do this is to create a password based on a song title, affirmation, or another phrase. For example, the phrase might be: “This May Be One Way To Remember” and the password could be: “TmB1w2R!” or “Tmb1W>r~” or some other variation. (P.S. DON’T use either of these examples as your actual password!)
- DON’T share your business passwords with anyone. All passwords should be treated as sensitive and confidential information.
- DON’T write down or store your passwords online without encryption
- DON’T reveal a password in email, chat, or other electronic communication
- DON’T hint at the format of a password (“my family name”)
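The length and character-class rules in the list above can be turned into an automated check that a practice runs when a password is set, so the policy is enforced rather than merely documented. The following is an added example, not code from Braver or from the HIPAA Security Rule. It checks the 8-15 character range and the "at least three character classes" rule; because the list names only three of its five classes, the checker adds digits as an assumed fourth class, and the deny list (the page's own sample passwords plus a few constructed weak choices) is also an assumption.

```python
"""Password policy checker based on the Dos and Don'ts above.

Added example; not Braver's code. Rules implemented:
  * length between MIN_LEN and MAX_LEN (8-15 as in the list above),
  * at least REQUIRED_CLASSES of the defined character classes,
  * every character belongs to a known class (rejects spaces/control
    characters) -- an assumption made to approximate "alphanumeric",
  * the password is not on a small deny list.
"""
import string

MIN_LEN = 8
MAX_LEN = 15
REQUIRED_CLASSES = 3

# Lowercase, uppercase and special classes come from the page; the
# digits class is an assumed addition (the page lists three of five).
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "special": set("@#$%&!^*()-_=+[]{};:,.<>?/~"),
}

# Constructed deny list: the page's own examples (which it says never to
# use as real passwords) plus a few well-known weak patterns.
DENY_LIST = {"TmB1w2R!", "Tmb1W>r~", "Password1!", "Welcome1!"}


def classes_present(password):
    """Return the set of character-class names that appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def check_password(password):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} is outside {MIN_LEN}-{MAX_LEN}")
    present = classes_present(password)
    if len(present) < REQUIRED_CLASSES:
        problems.append(f"only {len(present)} character class(es) used: "
                        f"{sorted(present)}, need {REQUIRED_CLASSES}")
    known = set().union(*CHARACTER_CLASSES.values())
    unknown = sorted({c for c in password if c not in known})
    if unknown:
        problems.append(f"unsupported characters: {unknown}")
    if password in DENY_LIST:
        problems.append("password is on the deny list")
    return problems


if __name__ == "__main__":
    for candidate in ["Gr8Ph!Shing", "correcthorse", "TmB1w2R!", "Sh0rt!"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The checker reports every violation rather than stopping at the first, which is what a help-desk or onboarding tool needs in order to tell staff exactly why a candidate was rejected. The class table and limits are plain constants so a practice can tune them to match its own written policy.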
If you are feeling inspired to update your password plan and policies, please contact us for more information. You can also discover if your company data and passwords are available on the Dark Web with our free scan.
In its March 2018 cybersecurity newsletter, OCR explained the HIPAA Rules on contingency planning and urged healthcare organizations to plan for emergencies to ensure a return to normal operations can be achieved in the shortest possible time frame.
A contingency plan is required to ensure that when disaster strikes, organizations know exactly what steps must be taken and in what order.
What are the HIPAA Rules on Contingency Planning?
HIPAA Rules on contingency planning can be found in the Security Rule administrative safeguards, 45 CFR § 164.308(a)(7)(ii)(A-E).
- Develop and Implement a Data Backup Plan – 308(a)(7)(ii)(A)
- Develop a Disaster Recovery Plan – 308(a)(7)(ii)(B)
- Develop an Emergency Mode Operation Plan – 308(a)(7)(ii)(C)
- Develop and Implement Procedures for Testing and Revision of Contingency Plans – 308(a)(7)(ii)(D)
- Perform an Application and Data Criticality Analysis – 308(a)(7)(ii)(E)
A data backup plan ensures that when disaster strikes, PHI is not lost or destroyed. A viable copy of all ePHI must be created that allows exact copies of ePHI to be restored, which includes all forms of ePHI such as medical records, diagnostic images, test results, case management information, and accounting systems. It is a good best practice to adopt a 3-2-1 approach for backups: Create three copies of data, store them on at least two different media, and have one copy stored securely offsite. Backups must also be tested to ensure the recovery of data is possible.
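A backup plan is only as good as its coverage and its last successful restore test. The following is an added example, not code from Braver, OCR or HIPAAJournal. Given a constructed backup manifest, it checks the 3-2-1 rule described above (three copies, two media types, one offsite copy) and then performs the kind of integrity check a restore drill relies on: recomputing each copy's SHA-256 and comparing it to the hash recorded for the source data. The manifest layout and its field names are assumptions.

```python
"""3-2-1 backup coverage check plus a simulated restore verification.

Added example; not Braver's code. The manifest format (label, media,
offsite flag, content) is an assumption for illustration.
"""
import hashlib


def sha256_of(data):
    """Hex SHA-256 of a bytes object."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: one ePHI record and three backup copies of it.
SOURCE = b"patient-id=0001;study=constructed-sample;result=ok\n"
SOURCE_HASH = sha256_of(SOURCE)

MANIFEST = [
    {"label": "primary-nas", "media": "disk", "offsite": False, "content": SOURCE},
    {"label": "tape-weekly", "media": "tape", "offsite": False, "content": SOURCE},
    {"label": "cloud-vault", "media": "cloud", "offsite": True, "content": SOURCE},
]


def check_321(manifest):
    """Return a list of 3-2-1 rule violations; empty list means the rule is met."""
    problems = []
    if len(manifest) < 3:
        problems.append(f"only {len(manifest)} copies, need 3")
    media = {copy["media"] for copy in manifest}
    if len(media) < 2:
        problems.append(f"only {len(media)} media type(s), need 2")
    if not any(copy["offsite"] for copy in manifest):
        problems.append("no offsite copy")
    return problems


def verify_restores(manifest, expected_hash):
    """Simulate a restore test: map each copy's label to True if its
    content still hashes to the recorded source hash, else False."""
    return {copy["label"]: sha256_of(copy["content"]) == expected_hash
            for copy in manifest}


def backup_plan_report(manifest, expected_hash):
    """Combine coverage and restore results into one pass/fail summary."""
    coverage = check_321(manifest)
    restores = verify_restores(manifest, expected_hash)
    failed = sorted(label for label, ok in restores.items() if not ok)
    return {"coverage_ok": not coverage, "coverage_problems": coverage,
            "restore_failures": failed,
            "plan_ok": not coverage and not failed}


if __name__ == "__main__":
    print(backup_plan_report(MANIFEST, SOURCE_HASH))
    # A corrupted copy is caught by the restore check, not by the
    # coverage check, which is why both are needed.
    damaged = [dict(MANIFEST[0]), dict(MANIFEST[1]), dict(MANIFEST[2])]
    damaged[1]["content"] = SOURCE[:-5]
    print(backup_plan_report(damaged, SOURCE_HASH))
```

Counting copies and media types tells you whether the plan looks right on paper; only the hash comparison tells you whether a given copy could actually be restored, which is the part the Security Rule's testing requirement is about.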
A disaster recovery plan should establish the procedures that must be followed to restore access to data, including how files should be restored from backups. A copy of the plan should be readily available and stored in more than one location.
Summary of Key Elements of Contingency Planning
OCR has provided a summary of the key elements of contingency planning:
- The primary goal is to maintain critical operations and minimize loss.
- Define time periods – What must be done during the first hour, day, or week?
- Establish Plan Activation – What event(s) will cause the activation of the contingency plan? Who has the authority to activate the contingency plan?
- Ensure the contingency plan can be understood by all types of employees.
- Communicate and share the plan and roles and responsibilities with the organization.
- Establish a testing schedule for the plan to identify gaps.
- Ensure updates for plan effectiveness and increase organizational awareness.
- Review the plan on a regular basis and situationally when there are technical, operational, environmental, or personnel changes in the organization.
How Braver can ensure your Disaster Recovery Plan is HIPAA compliant
With Braver, you can rest assured that your data is safe and secure with our Ready Vault Quickstart: Backup and Recovery Service. Our bullet-proof system not only backs up your data as often as every fifteen minutes but in the event of a server malfunction, it can assume the role of that server, while still performing incremental backups. This means your network is still up while your server is being fixed and parts are being ordered.
To ensure that your data is protected in any disaster, the Ready Vault device encrypts your data and can archive it incrementally at our off-site data centers.
Please contact us for more information on creating a Disaster Recovery Plan for your business.
Published with permission from HIPAAJournal.com.
If you are a member of a healthcare organization working with protected health information (PHI), you need to make sure all communication, storage, and transmission of PHI are HIPAA compliant. But what is HIPAA compliance, and how does your medical practice’s use of technology impact this?
Never fear, Braver is here to help make sense of it all.
What Is HIPAA?
Passed in 1996, the Health Insurance Portability and Accountability Act is a Federal law that restricts access to individuals’ private medical information. The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, provided the first nationally recognized regulations for the use and disclosure of an individual’s health information. Essentially, HIPAA defines the boundaries for use and disclosure by healthcare professionals of patients’ health records.
Why is HIPAA Compliance So Important?
Keeping patient data secure and protected is an essential part of the trust that a patient places in the hands of their healthcare provider. A patient is more willing to seek care if they are confident their data is safe. A healthcare provider that is transparent about their HIPAA compliance will encourage that same level of transparency in patients.
A HIPAA violation, unintentional or not, can be costly for a healthcare provider. Failing to comply with HIPAA regulations can result in fines up to $1.5 million and criminal penalties.
In order to be HIPAA compliant, you must follow the Security Rule and the Privacy Rule.
The Security Rule “requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
The Privacy Rule “requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.”
Top 3 Ways Technology Impacts Your HIPAA Compliance
Patient data storage, network security, and digital communications are just a few of the ways that technology functions in the day-to-day operations of a medical practice.
Patient Data Storage
Storage options for protected health information (PHI) are important to consider when maintaining HIPAA compliance. Storage needs will vary, and depend on the amount and type of data that the organization. Healthcare organizations should consider opting for HIPAA compliant data storage options, such as on-premise storage or cloud-based technologies.
Network Security
Operating on a secure network is imperative to maintaining HIPAA compliance. Network security concerns all methods of transmitting data. This data can be transmitted via email, Internet, or even over a private network, such as a private cloud.
Digital Communications
HIPAA compliant email ensures that an email with PHI is delivered securely to the recipient’s inbox. By using a secure email server or hosted solution, all messages sent over the network will be protected. HIPAA encryption requirements for transmission security state that covered entities should “implement a mechanism to encrypt PHI whenever deemed appropriate”.
Maintaining HIPAA compliance for your medical practice can seem overwhelming at first, but that’s why we’re here! In addition to handling your HIPAA technology compliance, we can assist you with completing any HIPAA documentation or paperwork.
To learn how Braver Technology Solutions can monitor and protect your medical practice please contact us.