HIPAA Guard Herald - Your Monthly Newsletter on Surviving HIPAA

<strong>HIPAA</strong> <strong>Guard</strong> HERALD
YOUR MONTHLY NEWSLETTER ON SURVIVING <strong>HIPAA</strong>
ISSUE 07 June 2018
LATEST ON <strong>HIPAA</strong>
Interview with Regional General Hospital's
Chief Privacy Officer Heather Thompson
Privacy Officer, one of the most
challenging and critical but important
role in the healthcare industry. It is a
role that warrants someone to have
great multi-tasking skills as he or she
would wear several hats.
As a Privacy Officer, you would
probably be reporting to the CEO or
Head of the hospital or facility.
So what makes you qualified to
become a Privacy Officer?
1. Knowledge of the <strong>HIPAA</strong>, privacy
laws, release of information ,
and flow of the protected health
information (PHI) within the
facility.
2. Ability to demonstrate
organizational, facilitation,
communication , and
presentation skills
3. Ability to read , comprehend, and
apply guidelines and laws to
current entity and to day to day
situations
We had the privilege to come close
and personal to Regional General
Hospital’s Chief Privacy Officer,
Heather Thompson. Below is the
Question and Answer script from
that Interview.
Question: What drove you to this
career? And what was your
previous role prior to taking the
CPO role?
Heather: I have been in the health
care profession most of my working
career. I have worked in a variety of
health care settings such as
hospitals, retirement homes, and
home health facilities. So, taking
on the Privacy Officer role was a
challenging opportunity in my
professional development.
Question: What do you think would
be the most suitable qualifications
to become a privacy officer?
Heather: As a Privacy Officer, I think you
should have strong communication and
listening skills. You must have a strong
understanding of the health care
industry and working with patient
information. You must have a strong
understanding of <strong>HIPAA</strong> and finally have
an analytical approach.
Question: What do you think should be
the educational requirements to become
a privacy officer?
Heather: Experience in the Health Care
Industry / Knowledge of Risk
Management / Knowledge of Health
Information/ Professional <strong>HIPAA</strong> Privacy
Training and Certification
Question: Who are the main or key
persons you work with within your
organization who help you the most in
your role as a privacy officer?
Heather: That would be the Chief
Executive Officer (CEO), I.T., Risk
Management, and Human Resources
Question: From the time you have
assumed this responsibility till this day,
what do you think are the major aspects
of your role that has evolved a lot through
time?
Heather: There is an expanding variety of
knowledge and skills, and as regulatory
guidelines and technological safeguards
have advanced, our roles as Privacy
Officers have grown in importance within
our organizations.

MORE ON <strong>HIPAA</strong> <strong>Guard</strong> H E R A L D
Interview with
Regional General Hospital's
Chief Privacy Officer
Heather Thompson
Question: What do you think is
the most difficult part of your
role? How are you able to
overcome this difficulty and be
successful in performing it?
Heather: Adapting to the
changing of laws and of course
the ever-changing advance in
technology. I adapt by continuing
to educate myself and having the
willingness to adapt to all the
changes that may come. Also, by
accepting and learning from all
the challenges that come my
way.
Question: For the future Privacy
officers out there or those who
wish to traverse this career path,
what is your advice for them to
succeed in this role?
Heather: To have good
organization skills, judgement,
problem-solving
skills,
communication skills, listening
skills, and compassion for
others. Also, to have a desire to
continue to educate yourself and
have the willingness to learn.
Question: What do you think are
some of the compliance issues
facing your company?
Heather: The technology in health
care and our organization is
continually changing and advancing.
I believe that a lot of employees are
used to the way things were, and
have a hard time adapting to
change. Technology can be very
intimidating to those especially who
have been working in their careers
along time.
Question: What are some of the
weaknesses in your company’s
compliance program?
Heather: We have a new EMR
System that our employees are still
adapting to
Question: And how are you now
addressing these weaknesses?
Heather: By continuing to educate
the staff and by conducting
surveillance and auditing of user
access. Then, reporting these issues
in our hospital monthly QA meetings
so that all Department Managers
are aware of our progress.
ISSUE 07
June 2018
Question: Describe a project you
had to finish with limited resources.
How were you able to accomplish it?
Heather: I have only been in The
Privacy Officer role for a few months
and although I have gone through
some challenges with some <strong>HIPAA</strong>
Breach investigations, I have not
really had the opportunity to start a
new project. If I had to start a
project with limited resources, I
would maintain a positive outlook
and utilize my organizational skills
to develop a plan. I would start by
organizing my tasks from most
important to least. If I saw that I
could not complete a certain task on
my own, I would ask for assistance
from my peers at work and at <strong>HIPAA</strong>
<strong>Guard</strong>.
Question: Can you give us your top 3
reasons if you were asked why
should a company or organization
particularly in the Healthcare
industry, have a privacy officer?
Heather: First and most importantly,
to protect and ensure patients’
rights and information. Second, to
help maintain administrative and
compliance requirements. Third, to
keep your organizations employees
educated on patient privacy and
education of the advancement of
security and other safeguards.
Question: Can a healthcare
organization afford not to have a
privacy officer like in the case of
rural hospitals? Can they opt not to
have one for their organization? If
yes, why and if no, why not?
Heather: I believe an organization
can’t afford to not have a Privacy
Officer. Privacy is about respecting
people, and people having trust. If a
person does not trust someone, you
may lose their relationship. In turn,
a business such a small Rural
Hospital, will loose patients due to
lack of trust and respect. It can then
lead to a bad reputation and moral
of the organization.
Question: How do you help create a
culture of compliance for privacy
and security of PHI and ePHI within
your organization?
Heather: I think a good way to create
a good culture, is to give employees
all the tools and resources of
keeping up with knowledge and
education. If we continue create a
positive and creative way to educate
employees… they will have a good
understanding and feel comfortable
with compliance. It becomes a
natural habit of their work day, and
not something they feel is a
stressful challenge.

Interview with Regional General
Hospital's Chief Privacy Officer
Heather Thompson
Question: We have been hearing about GDPR and how it will soon
become a big player in the overall privacy and security of an individual’s
personal data, how are you preparing for this upcoming change? How are
you preparing your organization for this upcoming change?
Heather: I have just recently been introduced to GDPR. I know it is the
most recent change to data protection and its going to be a dramatic
change in the way privacy is regulated. As for now, I am going to
strengthen my knowledge with the resources I have…. which primarily
consists of my association with <strong>HIPAA</strong> guard for my educational
resources and support.
We would like to thank Heather for giving us these informative insights
about her role as Chief Privacy Officer. <strong>HIPAA</strong> <strong>Guard</strong> initiatives are and
will always be focused on supporting the core team like Heather’s team
in attaining full <strong>HIPAA</strong> and HITECH compliance. We will continuously
strive to ensure everyone involved in operating your hospital and health
system be fully committed to compliance. Our job becomes much easier
if we have people like Heather who are dedicated to work with us as we
work towards the same goals.
Our Top 4 <strong>HIPAA</strong> Initiatives for this month of June all relates to the FIRST
Technical Safeguard Standard of the <strong>HIPAA</strong> Administrative Simplification
Security Rule i.e. ACCESS CONTROL. It has four implementation
specifications:
Encryption/Decryption
Unique User Identification
Emergency Access
Automatic Log-Off
ISSUE 07
June 2018

Access Control: What This <strong>HIPAA</strong> Security
Rule Technical Safeguard Standard Is All
About
In your facility, does every member of the workforce have the same
access rights or access levels to those electronic protected health
information or ePHI? The access level of say a Front Desk staff is similar
to the access of a Laboratory technician? The rightful answer is NO.
<strong>HIPAA</strong> law has mandated that policies and procedures be placed to
provide appropriate access to the ePHI to every workforce of the facility
and this is covered by the “Information Access Management Standard”.
But not all access will be the same. As mentioned earlier, there must be
some form of control on who accesses what ePHI, when and how. This is
covered by the ACCESS CONTROL STANDARD.
There are four commonly used approaches to controlling who will have
access to information and when access to this information is available. It
depends on the outcome of the facility’s risk assessments as to which
approach is most suitable to use. More information about these
approaches provided in NIST 7316 Assessment of Access Control
Systems.
Access Control List (ACL)
User Based Access Control (UBAC)
Role Based Access Control (RBAC)
Context Based Access Control (CBAC)
Source: <strong>HIPAA</strong>.com, NIST & hhs.gov
Access Control:
UNIQUE USER IDENTIFICATION
Technical Standard § 164.312(a)(2)(i)
Covered entity must
“Assign a unique name and/or number
for identifying and tracking user
identity.”
Unique User Identification is a required implementation specification
and it is a way a covered entity could track :
1. Who accessed the information system
2. When and How often was the ePHI accessed
3. What ePHI or data in the information system was accessed
4. Where was the ePHI or data specifically accessed
How this is done? It depends on the structure of the workforce and their
operations how the format of the unique user identification will be
designed. It could be one of the following:
1. Employee name or a variation of the name e.g. ebgesmundo
2. Random combinations of numbers and letters e.g. EB6200014
3. Combination of the above two e.g. EGesmundo3780
Security Officer must manage and monitor this. IT Manager or Office
Manager must coordinate with the Security Officer the implementation
& documentation of this policy and procedure especially when:
1. New employees are hired
2. Existing employees changed job or roles
3. Existing employees change names
4. Employees gets terminated or resigned

Access Control:
EMERGENCY ACCESS PROCEDURE
Technical Standard § 164.312(a)(2)(ii)
Covered entity must
“Establish (and implement as needed)
procedures for obtaining necessary
electronic protected health information
during an emergency.”
This is the second implementation specification that is considered required.
Emergency situations like fire, natural disaster, total system shutdown or
failure, and terrorism attacks could result to delay in the access of crucial
information or data in the information system of a healthcare provider which
consequently lead to delay in the provision of health and medical treatment
of patients and could cause danger in someone’s health. Covered entities
are mandated to prepare for such emergency as such emergency access
procedures and policies be created.
The Security Officer in coordination with IT Manager, Office Managers and
Information System as well as software suppliers in coming up with such
Emergency Access Procedures and that these are to be part of the Risk
Analysis that the organization will conduct.
The following must be considered:
1. Determine the type of emergency situations that would warrant the use
of the Emergency Access Procedures in the information system or
applications that contain ePHI
2. Coordinate such policies and procedures with the policies and
procedures created for Administrative Safeguards: Contingency Plan
(Standard § 164.308(a)(7))
3. Document these policies and procedures that will be created to address
this implementation specification
Access Control:
AUTOMATIC LOGOFF
Technical Standard § 164.312(a)(2)(iii)
Covered entity must
“Implement electronic procedures
that terminate an electronic session
after a predetermined time of inactivity.”
This is the third implementation specification that is considered as
addressable i.e. optional. The covered entity must reasonable and
appropriate measures to meet this standard. The main purpose of this
standard is to prevent unauthorized viewing and accessed to electronic
protected health information (ePHI) from unattended electronic
information system devices such as computers or laptops in
workstations. After a pre-determined period of inactivity the device
containing ePHI will automatically log-off. This automatic log-off system
would require the user to enter a unique password to regain access to
the ePHI. All workstations must be installed with such configurations
and the time out or log off period depends areas where the device is
placed and the size of the facility. Example, highly populated areas such
as that of the Front Desk must have a automatic log off period of 2 to 3
minutes. But areas that has limited access and controlled like the
Laboratory or Radiology Offices might have 5 to 10 minutes of time out
period configurations.
It is the responsibility of the Security Officer to document this procedure
and policies as well as manage this implementation. He must also
coordinate with software or application vendors on how and what
configurations are appropriate for each device or workstation. The
Security Officer must also take into account how these devices or
workstations moved from one place to another.
Source: <strong>HIPAA</strong>.com, NIST & HHS.gov

Access Control:
ENCRYTION AND DECRYPTION
Technical Standard § 164.312(a)(2)(iv)
Covered entity must
“Implement a mechanism to
encrypt and decrypt
electronic protected
health information.”
This is the fourth implementation specification that is considered as
addressable. Similarly, the main goal for this implementation is to ensure
unauthorized viewing and accessing of ePHI is prevented.
As described by Microsoft, “Encryption is the process of translating plain text
data (plaintext) into something that appears to be random and meaningless
(ciphertext). Decryption is the process of converting ciphertext back to
plaintext.”
Needless to say, even if this implementation is an ‘optional’ one, this is one
strong and relevant key and piece of a security system puzzle. This can help
prevent data breaches and ePHI theft. Also, since HITECH Act required all to
have Electronic Health Record by 2014, the more reason Encryption has
become one strong solution to protect ePHI.
The National Institute of Standards and Technology (NIST) has provided
some guidelines on encrypting data at various stages i.e. data at rest, data
in motion, data in use and data disposed.
Want to get a copy of our
previous <strong>Newsletter</strong> issues?
Get updates on what is
happening in the
healthcare industry
Connect with other
people working
towards <strong>HIPAA</strong>
compliance
Connect, follow,
and have a
conversation with us
ISSUE 07
June 2018