HIPAA Update: Federal Agency Issues New Guidance Regarding Remote Access Security Measures
From Venulex.com
The HIPAA Security and Privacy Rules require all covered entities – including employer-sponsored group health plans – to protect electronic protected health information (EPHI) that they use, access, or disclose. The Department of Health and Human Services (HHS) and the Centers for Medicare and Medicaid Services (CMS) (the agency within HHS charged with enforcing the Security Rule) have become increasingly concerned about the number of security incidents involving laptops and other portable data storage devices.
Under the Security Rule, covered entities must implement reasonable safeguards to protect EPHI against security incidents. Security incidents include events of improper access to EPHI such as (i) stolen or lost laptops, PDAs, and CDs that contain enrollment information, (ii) intercepted e-mails that contain claim information (e.g., when a human resources professional uses a wireless network to send electronic mail messages while outside the office), and (iii) health data retrieved from improperly discarded obsolete hard drives or disks. Such incidents will occur more often as the use of information technology increases.
In response to the rapid growth in the use of wireless devices to transmit information, CMS recently issued guidance outlining strategies for safeguarding EPHI that is accessed, stored, and transmitted by covered entities. The guidance is especially intended for entities that allow remote access to EPHI (through the use of laptops, home computers, PDAs, or other portable devices).
According to the guidance, offsite use of and access to EPHI should be limited to those circumstances where such offsite use or access is necessary. Circumstances under which CMS thinks offsite access might be necessary include (a) a home health nurse collecting patient data via a laptop or PDA during a home health visit, (b) a doctor, while out of the office, ordering a patient's prescription refill via a PDA, or (c) a health plan employee transporting backup enrollment information on tape or disk to an offsite storage facility, among other instances.
In any case where remote access to or use of EPHI is necessary, CMS expects the covered entity to conduct a risk analysis and develop risk management measures to reduce risks and vulnerabilities associated with the contemplated remote access. The analysis should consider potential risks associated with three key functions: (1) accessing, (2) storing, and (3) transmitting EPHI. The results of the analysis should be used to develop policies (or enhance existing policies) to minimize those risks. The guidance includes a table with examples of specific policy and procedure provisions to minimize specific risks under each of the three activities. See CMS Guidance.
While neither HHS nor CMS has been particularly specific in earlier guidance, this most recent guidance contains fairly specific examples that can be helpful in developing (or improving) your HIPAA security policies, as well as policies for protecting other sensitive information maintained electronically.
Copyright © Jackson Lewis. VenuLex resources are intended for informational purposes only and should not be construed as legal advice.