Home Care Law Blog Gilliland & Markette LLP


3905 Vincennes Road
Suite 204
Indianapolis, IN 46268
Phone: (317) 704-2400
Fax: (317) 704-2410

More Guidance from CMS

Posted by: Robert Markette
January 23, 2007

Over the holidays, HHS issued a new guidance document relating to HIPAA security.  This document, entitled “HIPAA Security Guidance for Remote Use,” was issued on December 28, 2006.  According to the introduction, this Guidance was published because of the number of recent security incidents involving laptops and other portable devices.

The document specifically mentions home health agencies using laptops and other portable devices as an acceptable practice. The guidance covers a number of topics, including a list of possible risk management strategies.  Some of the risk management strategies listed, I would imagine, have already been implemented by most providers, for example, password protecting laptops.  Every laptop operating system I have seen allows you to require a username and password to log into the computer.  If you are not doing this already, I have to wonder why.

The document also mentions prohibiting downloading EPHI onto remote systems or devices, prohibiting transmission of EPHI over open networks, using more secure connections and even using encryption.  The mention of secure connections and encryption may lead some readers to become concerned that HHS is indicating encryption is now required for transmission of EPHI.  That is not the case.  The regulation still lists encryption as an addressable standard.  However, in the conclusion to the document, HHS states that this document provides a review of some strategies “that may be reasonable and appropriate” for certain covered entities to follow.

This means that reasonable and appropriate is still the standard.  You should review this document and see if there are any strategies in it you did not consider.   You should not review this as HHS telling you “how to do things.”  HHS is offering some strategies to consider, but ultimately it is up to you to determine what is appropriate for your entity.  If you previously considered, but rejected, some of these strategies, such as encryption, and there have not been any changes in your operating budget, number of employees, etc., your decisions are probably still reasonable.

In my opinion, the best advice in the handout is the advice regarding training.  If you recall, the majority of the security incidents that have been reported in the last year (and that have been mentioned on this blog) were the result of employees failing to follow policies.

Making sure your employees are trained on your policies and understand the penalties for violating the policies is one of the keys to ensuring compliance.  As I have said time and time again, if your employees don’t follow your policies, then you don’t have policies.  As you review this document, remember that and remember that your employees are the weak link in your security.  Whether through intentional misconduct or inadvertence, your employees are far more likely to be the reason for a security incident than it is likely that your policies were unreasonable in the first place.

        



The information you obtain at this site is not, nor is it intended to be, legal advice. You should consult an attorney for individual advice regarding your own situation.

Copyright © 2008 by Home Care Law Blog Gilliland & Markette LLP. All rights reserved. You may reproduce materials available at this site for your own personal use and for non-commercial distribution. All copies must include this copyright statement.