
10 boring (but really important) things you should know about HIPAA compliance

Staggering fines are being levied against companies that fail to comply with HIPAA regulations. Here are 10 critical policies to have in place (even if you don't fall under HIPAA).

Legal compliance. If you are like me, those two words elicit a groan. Is there anything less fulfilling than a legal compliance initiative? There is seldom anything cool or flashy about them. The ROI is usually just measured in "risk mitigation," which is difficult to allocate to your team's bonus pool. ("You've done great work this year. For your bonus, we are happy to present you with this envelope full of mitigation. Congratulations."). And whether you are sitting in a room with your lawyers or typing up page after page of policy documents, they are BORING.

But that doesn't mean they are not important.

In the healthcare world, HIPAA & HITECH have been around for a while. It's become a cliché to say that HITECH has given HIPAA teeth. But it's true. Audits have begun. And so have the fines (for large and small companies alike). What follows is a list of 10 sets of policies/procedures that companies falling under HIPAA regulations MUST have. In fact, these are things that all organizations should have anyway. So even if you are not a "covered entity" or a "business associate," you might want to continue reading and not just skip over to the gallery of the Sexiest Costumes from Comic Con.

If you have these documents in place, that's great. You may find that you have informal (read: undocumented) policies and procedures that your staff follows. If so, now is the time to get those formalized.

In case you are like me and you don't find this subject completely riveting, I have provided helpful references to geeky movies by way of example.

1: Physical security policies

These policies should specify who is and isn't allowed physical access to your facilities and equipment. This could include a policy on guests entering your premises, what staff members have access to server rooms, and who is authorized to get into the executive wing. Once you have the policies, your procedures should describe how you enforce your policies. (This would include discussion of how you make use of security badges, key-codes, access logs and the like.)

In Star Wars, if the Death Star had paid more attention to its physical security policies, an unaccompanied Jedi without an "employee badge" would never have been able to gain access to the tractor beam which, when disabled, allowed the Millennium Falcon to escape.

2: Access control

There should be specific policies and procedures on how users are granted access to programs, sensitive data, or equipment. This includes how access is requested and authorized, how administrators are notified to disable accounts when someone leaves or changes roles (access tends to accumulate otherwise), how often accounts and their entitlements are audited against that approval, and how records of all this activity are maintained.
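What the periodic account audit looks like in practice, as an added example (not code from the article or its author): reconcile an export of the application's accounts against the HR roster and the access each manager approved, and turn the differences into a dated list of actions for the administrators. The employee ids, usernames, role names and dates below are constructed for the example; the field names are assumptions, not any particular product's schema.

```python
"""Added example, not from the article: a periodic account audit.

It reconciles the accounts on a system against the HR roster and the
access each manager approved, and returns a list of concrete actions
(disable, revoke) for the administrators. All names, roles, dates and
field names below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str               # HR employee id the account was issued to
    roles: frozenset            # entitlements currently granted (assumed names)
    last_login: Optional[date]  # None = never logged in


@dataclass(frozen=True)
class Employee:
    employee_id: str
    active: bool                # False once HR has processed a termination
    approved_roles: frozenset   # what the manager signed off on


TODAY = date(2012, 8, 1)  # fixed so the example is reproducible

# Constructed HR roster
ROSTER: Dict[str, Employee] = {e.employee_id: e for e in [
    Employee("E100", True, frozenset({"phi_read"})),
    Employee("E101", False, frozenset({"phi_read"})),             # terminated
    Employee("E102", True, frozenset({"phi_read", "phi_write"})),
    Employee("E103", True, frozenset()),                          # no PHI access approved
    Employee("E104", True, frozenset({"phi_read"})),
]}

# Constructed export of accounts from the application
ACCOUNTS: List[Account] = [
    Account("alice", "E100", frozenset({"phi_read"}), TODAY - timedelta(days=3)),
    Account("bob", "E101", frozenset({"phi_read"}), TODAY - timedelta(days=10)),
    Account("carol", "E102", frozenset({"phi_read", "phi_write", "admin"}), TODAY - timedelta(days=1)),
    Account("dave", "E103", frozenset({"phi_read"}), None),
    Account("erin", "E104", frozenset({"phi_read"}), TODAY - timedelta(days=120)),
    Account("svc_backup", "E999", frozenset({"admin"}), TODAY - timedelta(days=2)),
]


def audit_accounts(accounts, roster, today, dormant_days=90):
    """Return {finding: sorted list}. Each entry is an action for the admins.

    Orphan and terminated accounts are reported first and skipped for the
    other checks, since the whole account goes away. Dormant and
    over-privileged can both apply to the same account.
    """
    findings = {
        "disable_orphan": [],        # owner id not in HR at all
        "disable_terminated": [],    # owner has left
        "disable_dormant": [],       # no login within dormant_days
        "revoke_excess_roles": [],   # granted but never approved
    }
    for acct in accounts:
        owner = roster.get(acct.owner_id)
        if owner is None:
            findings["disable_orphan"].append(acct.username)
            continue
        if not owner.active:
            findings["disable_terminated"].append(acct.username)
            continue
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings["disable_dormant"].append(acct.username)
        excess = acct.roles - owner.approved_roles
        if excess:
            findings["revoke_excess_roles"].append((acct.username, tuple(sorted(excess))))
    for key in findings:
        findings[key].sort()
    return findings


def audit_record(findings, today):
    """Render the dated record that the review happened (the audit trail)."""
    lines = [f"Account audit {today.isoformat()}"]
    for key, items in findings.items():
        lines.append(f"  {key}: {', '.join(str(i) for i in items) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit_record(audit_accounts(ACCOUNTS, ROSTER, TODAY), TODAY))
```

The point of keeping the roster and the approved roles as separate inputs is that the two common failures show up as different findings: an account that outlived its owner, and an account whose owner is still here but was never approved for what it can do. The dated record is what the auditor asks for; the findings list is what the administrators act on.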

In Flash Gordon, Ming may be merciless, but he has issues with his access control policies. How else could the human Hans Zarkov be reprogrammed with "Level 6 Conditioning" when he was only authorized for level 3?

3: Workstation use policies

This is a fairly broad topic and includes some of the most basic system safeguards: limiting unsuccessful login attempts (account lockout), monitoring login records, and requiring passwords to be of an appropriate strength and to be changed regularly. One caveat on that last point: current NIST guidance (SP 800-63B) recommends forcing a password change only when there is evidence of compromise, because scheduled rotation tends to produce weaker, predictable passwords, so decide which rule you follow and write down why. This should also include policies on how the equipment is used, such as mandating that users not write down their passwords or share them with other employees.
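The lockout and login-monitoring safeguards above, as an added example (not code from the article or its author): a small monitor that reads login events, applies an "N failures within W minutes locks the account" rule, flags attempts made while an account is locked, and flags a successful login that immediately follows a run of failures, which is the event a reviewer should actually look at. The log format, hostnames, usernames and addresses are constructed for the example; the regex would be mapped to whatever your workstations or directory actually emit.

```python
"""Added example, not from the article: login-record monitoring with lockout.

It reads login events, enforces an "N failures in W minutes locks the
account" rule, reports attempts made while locked, and reports a
successful login that directly follows a run of failures. The log format
and the events are constructed for the example; adapt LOG_RE to your
own system's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: ISO timestamp, host, OK|FAIL, user=..., src=...
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a typo then success for jsmith (normal), a guessing
# run against "admin", three failures then success for "mlee", a failure
# hours later that should not count against the earlier window, and one
# line that is not a login record at all.
SAMPLE_LOG = """
2012-08-01T08:00:01 ws17 FAIL user=jsmith src=10.0.5.21
2012-08-01T08:00:09 ws17 OK user=jsmith src=10.0.5.21
2012-08-01T08:05:00 ws17 FAIL user=admin src=198.51.100.7
2012-08-01T08:05:02 ws17 FAIL user=admin src=198.51.100.7
2012-08-01T08:05:04 ws17 FAIL user=admin src=198.51.100.7
2012-08-01T08:05:06 ws17 FAIL user=admin src=198.51.100.7
2012-08-01T08:05:08 ws17 FAIL user=admin src=198.51.100.7
2012-08-01T08:05:10 ws17 FAIL user=admin src=198.51.100.7
2012-08-01T09:10:00 ws17 FAIL user=mlee src=10.0.5.40
2012-08-01T09:10:20 ws17 FAIL user=mlee src=10.0.5.40
2012-08-01T09:10:45 ws17 FAIL user=mlee src=10.0.5.40
2012-08-01T09:11:00 ws17 OK user=mlee src=10.0.5.40
2012-08-01T13:00:00 ws17 FAIL user=jsmith src=10.0.5.21
this line is not a login record
""".strip().splitlines()


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyze_logins(lines, max_failures=5, window=timedelta(minutes=15),
                   lockout=timedelta(minutes=30), suspicious_after=3):
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}               # user -> when the lockout expires
    report = {"lockouts": [], "attempts_while_locked": [],
              "suspicious_successes": [], "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1   # count it; never silently drop input
            continue
        user, ts = rec["user"], rec["ts"]
        if user in locked_until:
            if ts < locked_until[user]:
                report["attempts_while_locked"].append((user, ts))
                continue
            del locked_until[user]
        q = failures[user]
        while q and ts - q[0] > window:   # forget failures outside the window
            q.popleft()
        if rec["result"] == "FAIL":
            q.append(ts)
            if len(q) >= max_failures:
                report["lockouts"].append((user, ts, rec["src"]))
                locked_until[user] = ts + lockout
                q.clear()
        else:
            if len(q) >= suspicious_after:
                report["suspicious_successes"].append((user, ts, len(q)))
            q.clear()   # a successful login resets the counter
    return report


if __name__ == "__main__":
    for key, value in analyze_logins(SAMPLE_LOG).items():
        print(key, value)
```

Two details matter for the policy document: the window and the thresholds are parameters, so the written policy and the running check can be kept in step, and unparseable lines are counted rather than dropped, so a change in log format shows up as a number in the report instead of as silence.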

In Return of the Jedi, the Imperial base on the forest moon of Endor is well-known for its lax password policies. For example, Han Solo is able to land his strike team when a stolen code is accepted even though it is "old." If the Empire had been a covered entity under HIPAA, it would have been required to retire that code once it was known to be compromised, which would have prevented Han Solo's well-known breach and, ultimately, the demise of the Empire.

4: Security awareness

A security awareness and training program should be put in place that encompasses everyone in the organization. This should include programs for new hires, annual training, and periodic security reminders. I send security updates to all staff with information about some of the latest threats and concerns. I particularly like to send out screenshots of notable phishing attacks and compromised Web sites to raise awareness. It is crucial that you keep an audit trail of your reminders.

Here's a great security awareness reminder that could have been sent to the team building the intergalactic transport machine in Contact: "If you happen to see a guy with white hair who was previously seen preaching a prophecy of doom, have him removed from the premises." It would have saved a lot of trouble.

5: Malicious software

Of course you have antivirus software installed. But do you have documented policies and procedures for when and how often virus definitions are updated? Do you have a response procedure for a virus outbreak? How about staff policies on reporting detected viruses, not opening attachments from unknown senders, and not disabling the software?

You know who else didn't have any of these things? The aliens in Independence Day. It just took one overachieving cable guy uploading a virus into the mothership to wipe out their entire civilization.

6: Disaster recovery

Policies and procedures should be in place for responding to an emergency. This includes small emergencies, such as a server going down, as well as large emergencies, such as prolonged power outages or fires. Included in this are also data backup and recovery, policies for how often these procedures are tested, how they are tested, how emergency situations are identified, how operations are restored back to their primary mode when the emergency is over, and more. Don't forget to include a policy on where the DR plan is stored so you can get it in the event of an emergency.

Terminator 2 is really nothing more than a cautionary tale for good DR. If your company is basing all its amazing new products on some broken parts left behind by a time-traveling robot, make sure your data is stored offsite in case a different time-traveling robot steals your parts and blows up your building.

7: Business continuity

Business continuity and disaster recovery go hand-in-hand. Frequently, IT takes on the responsibility of DR but limits its scope to making sure the critical systems are operational. A "BC" plan documents procedures for ensuring that critical business processes continue to operate in the event of an emergency. This will go beyond just systems to include command structure, personnel procedures, customer communication, secondary work sites, and more. A true BC plan will go beyond IT to encompass all areas of the business in both its development and execution.

2012 provides a great example of BC plans in action. When warned of an impending geophysical apocalypse, world leaders needed only to take their handy Business Continuity binder off the shelf and flip to the section titled "Crust of Earth Becoming Unstable." Then, it was just a matter of following the step-by-step instructions for collecting funds from the world's rich and powerful, outsourcing the construction of gigantic floating metal pods to China, and setting sail in the nick of time.

8: Media disposal

Media disposal is one of many additional areas that need to be addressed. I included it, though, because I am asked about it frequently. A common concern is data that lives on equipment other than computers: copiers, smartphones, and even fax machines (in case you still have one somewhere). The wiping method has to match the media: overwriting is fine for magnetic disks but is not reliable for flash storage, where cryptographic erase or physical destruction is the usual answer (NIST SP 800-88, Guidelines for Media Sanitization, is the standard reference). We have policies and procedures in place that mandate how we wipe the data off each kind of storage media and how these activities are logged.

At the end of Men in Black, Jay uses the "flashy thing" on Kay to erase his memory. However, he clearly didn't have it set to DOD published standards for secure deletion, since it was restored in the next movie with a highly improbable deneuralizer. With a better media disposal policy, we might have been spared Men in Black 2. (I hear 3 is better....)

9: Risk analysis

I found this to be the most interesting of the areas discussed here. At a very high level, a process is needed to identify risks and the controls that are in place to mitigate them. Under HIPAA, the primary concern is risk to systems and processes that deal with health information, although it can be extended to any part of the organization. Ultimately, every other item on this list is really a control to mitigate against risk.

There are plenty of good online resources to assist in developing a risk analysis and management strategy. I recommend the National Institute of Standards and Technology's publication on Risk Management for IT Systems (NIST SP 800-30). A well-documented risk analysis and management program will include the process by which risks are identified, as well as the process for establishing and executing action plans in response.

Really, most geeky movies are exercises in risk management or lack thereof. Besides the ones already mentioned, examples can be drawn from Armageddon (risk: giant meteor threatens Earth... control: Bruce Willis), Knowing (risk: killer solar flares...  control: bright-eyed aliens rescue kids and bunnies) among many others.

10: Review and audit procedure

Every item on this list has a couple of things in common: First, it must be auditable. You don't get credit unless there is a documented audit log that shows that these procedures are being executed. There also needs to be a process that ensures that the policies and procedures are reviewed regularly. HIPAA also requires that this documentation be retained for six years from the date it was created or was last in effect, so the review process needs a place to keep superseded versions, not just the current one. And when you review a policy or procedure and find that it needs to be updated? Well, you need a policy and a procedure for that.

Got a good movie example for this one? Let me know in the comments!

Getting started

This is just a start. There is plenty I did not touch on. If you are a covered entity, I recommend enlisting the help of an attorney who specializes in HIPAA to help make sure you have your house in order. There are also lots of consulting companies that provide compliance services. If you are doing it yourself and starting from scratch, you can get a jump on it by purchasing a prewritten set of policies and procedures you can then customize.

Good luck and remember to compute safely.

About

Keith is the CIO of EHIM, a health services company in the Detroit area. His 20 years of professional experience have included positions as an executive, a consultant, and as the founder of a startup company. Keith recently published his first novel,...

16 comments
focusonz

One overlooked policy is the daily cleaning of the workstation to include the hard deletion of saved passwords, temporary internet files, history, recent documents, Windows temporary files, recycle bin, clipboard, CHKDSK file fragments, Windows log files, etc. The free space must be wiped to fully remove data.

Cleaning should also include the deletion of any backup files produced during the edit of any document containing protected health information. 

Don't you agree?

Daives

Yes obviously the points are boring as all the different types of compliance have these points. The only thing that needs to be taken care is that these controls are implemented around the IT systems that have the PHI data

rjkeener

If Sam Wheat's (Patrick Swayze) company had had better audit policies in place, Carl Bruner (Tony Goldwyn) would have been busted just as the movie started and we'd have spent the last hour of the show watching a too-happy young couple never meet Oda Mae Brown (Whoopi Goldberg).

joe_noor

I agree that the points mentioned are an excellent starting point for any organization [HIPAA or Non-HIPAA] as they facilitate the foundation of STRONG AND STABLE organization

BDuehn

I enjoyed your run-down of a not-so-sexy topic, but I have to wonder...why is it that all the good guys are busy subverting security while those involved in maintaining it are part of the dark side for all the movie analogies?

Professor8

If you are a patient or tech involved in this, it is a nightmare. It's dishonest. It's fraudulent. The title and PR say one thing, but the text of the statute says something else... which is fairly common, actually. What is needed is push-back, complaints/law-suits not "compliance", until a measure which genuinely protects patients' privacy in a reasonable manner can be enacted.

borglah

How about the Andromeda Strain? If they hadn't audited the growth results of the test on the alien virus, they wouldn't have caught the cure. The woman who was initially reading the results had epilepsy and the flashing light signalling success put her into a minor seizure and she missed it! An audit of the processes may have changed that too!

mike

OK, so everyone had their opportunity to poke some fun and use quirky analogies BUT....If you are a tech involved in this, it is a nightmare. I support a handful of SMB physicians and dentists who are governed by HIPAA and must be compliant. It is near next to impossible. The lawyers who offer their services are an overpriced joke and do not come close to bringing a small office next to compliance. They just grab their 6-8,000.00 and provide a book or 2 and run for the hills. We, the IT people, are left to bathe in the aftermath. I would like to see WHERE I could buy a prewritten set of policies and procedures that I could customize. I could do it for a lot less than the sharks and be more compliant than they ever were (unless of course you are a hospital or large agency with megabucks).

Professor8

I prefer Zelazny's story, My Name Is Legion, in which the hero snags a multitude of alternate identities so that he can live free and thereby anonymously combat the abuses created by the identification system.

Professor8

Just coerce all the victims to sign waivers. That appears to be the intention behind the hypocritical HIPAA, as with the privacy violation policies of most discussion sites and "social media", Google, Yahoo!, etc. "Sure, sure, we'll respect your privacy... right up to the point we decide it would be more convenient to let every person who was ever a nurse, every federal bureaubum in or outside of HHS, every radiologist in Red China and India, every major bank chain, all of the former spies who run the 'credit rating agencies', every protection racket that calls itself an insurance company and all of their guest-workers, every current and former accountant in the facility to abuse your personal private information for private gain or amusement, but we might withhold it from your designated doctor and your spouse and certainly your lawyer who might spot our many other privacy violations and take legal action against us."

TNT

A great movie with many examples that could be used for HIPAA compliance. In regard to number 10 specifically, The Operative, an assassin, was sent to review the people and procedures that allowed River's escape and changed the "internal processes" to make sure such an intrusion wouldn't happen again (albeit in a very violent fashion).

kfaigin

I think one of them might qualify as the security policies helping the good guys (2012?), but, based on this limited sample-set, it seems that movie-going audiences prefer their protagonists be the ones thwarting the rules and not enforcing them. Thanks for the comment!

kfaigin

As I work on these initiatives, I try hard to stay focused on what needs to be done and not think too much about the quality of the policy. When all is said and done, as a 'patient', I don't feel more 'protected' with this legislation in place. And I hate knowing that this is just one more thing to drive up health care costs.

kfaigin

Hi Mike - I worked for a company that had purchased a set of policies that I thought were pretty decent starting points. I *think* that this was the source: http://www.hipaastore.com/hipaa-policies-for-covered-entities-p-10.html I can't find a preview link to be sure, unfortunately. I completely agree with your general frustration. Should a dentist's office and a multi-billion-dollar hospital chain be expected to meet the same level of compliance? I do know that most of the lawyers I speak to about this don't have any perspective on the cost (or feasibility) of what they are asking for. Thank you for the feedback!

Jody Gilbert

Mike, The author originally included a link to TechRepublic's set of policies and procedures, but I took it out because I didn't want to be too self-promoting. But since you're looking for templates, here's the link: http://www.techrepublic.com/downloads/it-professionals-guide-to-policies-and-procedures-4th-edition/1004655. A lot of stuff in the package isn't HIPAA related, and I think you'll still want a lawyer to vet the policies after you've customized them, to be sure they're ironclad. I also turned up a bunch of possibilities doing a search on "hipaa policy templates." Maybe some other members will jump in here with specific suggestions. Hope this helps! --Jody