HIPAA Guard e-Newsletter Issue 08 July 2018

HIPAA Guard H E R A L D
Y O U R M O N T H L Y N E W S L E T T E R O N S U R V I V I N G H I P A A
ISSUE 08 July 2018
LATEST ON HIPAA
I n t e r v i e w w i t h R e g i o n a l G e n e r a l H o s p i t a l ' s
C h i e f P r i v a c y O f f i c e r H e a t h e r T h o m p s o n
In continuation of our amazing interview , up close and personal with
Regional General Hospital’s Chief Privacy Officer, .
Question: Can you give us your top 3 reasons if you were asked
why should a company or organization particularly in the
Healthcare industry, have a privacy officer?
Heather: First and most importantly, to protect and ensure
patients’ rights and information. Second, to help maintain
administrative and compliance requirements. Third, to keep your
organizations employees educated on patient privacy and
education of the advancement of security and other safeguards.
Question: Can a healthcare organization afford not to have a
privacy officer like in the case of rural hospitals? Can they opt not
to have one for their organization? If yes, why and if no, why not?
Heather: I believe an organization can’t afford to not have a
Privacy Officer. Privacy is about respecting people, and people
having trust. If a person does not trust someone, you may lose
their relationship. In turn, a business such a small Rural Hospital,
will loose patients due to lack of trust and respect. It can then lead
to a bad reputation and moral of the organization.
Question: How do you help create a culture of compliance for
privacy and security of PHI and ePHI within your organization?
Heather: I think a good way to create a good culture, is to give
employees all the tools and resources of keeping up with
knowledge and education. If we continue create a positive and
creative way to educate employees… they will have a good
understanding and feel comfortable with compliance. It becomes
a natural habit of their work day, and not something they feel is a
stressful challenge.
# 1 No F l a s h D r i v e s
One of those kinds of portable devices which has a growing concern as
to its vulnerability is USB Flash Drives. Your practice or your facility, in
general, should be very cautious in allowing use and access of ePHI
offsite. To get you on track of HIPAA compliance measures, your practice
or facility must conduct a risk analysis to determine potential risks and
vulnerabilities linked with the use of such devices for remote access of
ePHI. Then you must develop risk management measures to reduce the
probability of such danger from happening to at a least reasonable and
appropriate level. In your Risk Management phase, consider these three
areas in forming your practice or facility's policies & procedures to
protect the ePHI.

HIPAA Guard H E R A L D
Y O U R M O N T H L Y N E W S L E T T E R O N S U R V I V I N G H I P A A
1. Data Access
- Your policies and procedures that cover Data Access must concentrate
on ensuring your workforce or staff only access information for which
they are appropriately authorized.
2. Data Storage
- Your should ensure policies and procedures that will address the
security needs for such devices are in place especially if they contain
sensitive patient information. Note that these devices may be removed
physically from your facility thus all possible security measures must be
put in place.
3. Data Transmission
- Focus on ensuring the integrity and safety of ePHI sent over networks,
and those data that are directly exchanged
and those applications remotely accessed that might contain ePHI.
Though HIPAA does not explicitly prohibit the use these portable storage
devices, once ePHI is known to have been stored on these devices, your
facility must :
track the in and out of the data and the device in your system or
facility to prevent unauthorized access to the EPHI;
include the ways to detect, mitigate and report a breach should it
happen in your risk assessment;
destroy the data/USB device (when you no longer need the ePHI) in
a such a way that any unauthorized third party won't be able to
access it; and
document, document and document every steps and guidelines of
the above
# 2 No T h i r d P a r t y A p p s f o r
C o m m u n i c a t i o n or S t o r a g e of D a t a
Third-party file sharing and storage provider i.e. Google Drive, Dropbox,
etc. shall be considered Business Associates if they store ePHI on
behalf of your practice or facility, consequently warranting that they too
be HIPAA compliant. Remember that HIPAA Law protects not only the
data but also its accessibility and integrity. As mandated, these cloud
storage service provider must enter into a Business Associate
Agreement with the Covered Entity, as the BAA shall establish the
allowed and required uses as well as disclosures of ePHI by the cloud
storage service provider performing activities and services for the
covered entity or another business associate.
ISSUE 08
July 2018

HIPAA Guard H E R A L D
Y O U R M O N T H L Y N E W S L E T T E R O N S U R V I V I N G H I P A A
# 3 If y o u u s e y o u r o w n p h o n e f o r
c o m m u n i c a t i o n , s e c u r e it e l s e u s e at
y o u r o w n r i s k !
In most cases, technology is usually ahead of the federal laws especially
with mobile devices or bring-your-own-device (BYOD). The hardware and
the software inside those devices may or may not be supported by your
facility’s central IT department. Regardless, whether these are
supported or not, they do pose security risks to your organization
especially if these devices contain ePHI or access (intentionally or
unintentionally ) sensitive patient data when these get connected to
your facility’s network. Remember that these devices are just like your
mini handheld computers where one can easily access, receive,
transmit and store PHI. So here are some of those potential risks we are
guarding our PHI for:
1. Use of mobile devices to transmit and receive PHI over public WIFI
or email applications which might use unsecured networks putting
PHI at risk of discovery by cyber criminals.
2. Mobile devices have the capacity to store images which can pose a
compliance issue if the photos violate their privacy.
3. As most of these gadgets gets smaller and smaller, the risk of them
getting stolen or misplaced is so high thereby resulting to
unintentional loss of protected health information.
4. Mobile devices ability to store data in the cloud is another risk that
your facility might not be able to monitor and control. BAA might be
neglected.
5. Mobile apps too are not risk free and not all are HIPAA compliant.
Ask the app developer’s credentials or certifications.
ISSUE 08
July 2018
So how are we to address these risks and concerns on mobile device
security?
1. As always, run your Risk Analysis and Risk Management even on
these BYODs.
2. Come up with BYOD policies and procedures that will outline the
appropriate, safe and HIPAA compliant usage of these devices.
Make it clear in your policies and procedures if such devices are
allowed or will be prohibited. Should they be allowed, the
standards on its usage must be clearly listed. Also, members of
your organization must be aware of who will be responsible for
securing them.
3. Conduct the regular periodic audits to ensure that your workforce
is strictly adhering to the rules and standards set.
4. Password protect and encrypt these devices in accordance to
HIPAA technical standards. This is critical because if your encryption
passes the HIPAA standards and should the device gets lost,
then there is no breach and patient/s do not have to be notified.
5. Ensure that you can remotely wipe the data in those BYODs so
should they got lost or stolen as this can help prevent or minimize
the gravity of the impact of a breach.
6. Have in your policies & procedures the steps on how to
investigate, document and report breach. Ensure that your
policies and procedures also lay down the corrective actions when
such an incident occurs.

HIPAA Guard H E R A L D
Y O U R M O N T H L Y N E W S L E T T E R O N S U R V I V I N G H I P A A
# 4 “ B e C a u t i o u s ” w i t h p a p e r f i l e s y o u
are g i v e n as to s e c u r e or s h r e d t h e m
a f t e r v i e w i n g
Your paper or digital trash may be violating HIPAA!!!
Though there is no explicit recommendations on how you will dispose
your facility or practice’s printed and digitized PHI, you are required to
create reasonable steps to protect PHI and ePHI during disposal. Do risk
assessment and create appropriate and adequate policies and
procedures about the HIPAA compliant ways in disposing these sensitive
documents or data. Train your employees to strictly adhere to the
policies and procedures relating to ePHI and PHI disposal.
HIPAA Standard § 164.310(d)(1) Device & Media Controls addresses
the guidelines that covered entities must follow in protecting ePHI found
in hardware and electronic media.
Degaussing is one method given under HHS.gov’s Security Standards:
Physical Safeguards document used in disposing ePHI on electronic
media. We also know this as ‘PURGING”
Degausser is a machine used to
completely erase all data (audio,
video, data) from magnetic storage
media.
Other means are:
• clearing (using software or
hardware products to overwrite
media with non-sensitive data),
• destroying the media (physically damaging the electronic media
beyond repair via disintegration, pulverization, melting, incinerating,
or shredding)
Electronic Media means “electronic storage media
including memory devices in computers (hard drives) and
any removable/transportable digital memory medium, such
as magnetic tape or disk, optical disk, or digital memory
card…”
One of the implementation specification of this particular standard
pertains to the required proper disposal of ePHI § 164.310(d)(2)(i). Your
practice or facility must ensure that the electronic media which contains
ePHI must be unusable and/or inaccessible.
ISSUE 08
July 2018

HIPAA Guard H E R A L D
Y O U R M O N T H L Y N E W S L E T T E R O N S U R V I V I N G H I P A A
For printed protected health
information, make use of a
shredder. NEVER dispose your
printed documents containing
sensitive patient data in a
dumpster that is publicly
accessible unless your facility or
practice has “rendered the
documents essentially
unreadable, indecipherable, and
otherwise cannot be
reconstructed.”
Ask these questions if you can
confidently answer YES to all of
them then you are considering
important points to be HIPAA
compliant in regards to PHI and
ePHI disposal:
Other ways that your PHI or ePHI
can be properly disposed of
according to OCR are burning,
pulping, or pulverizing the
records
For those labeled prescription
bottles and other PHI, maintain
them in opaque bags in a secure
area and make use of a disposal
vendor as a business associate
to pick up and shred or
otherwise destroy the PHI. Do
not forget your Business
Associate Agreement with this
third party disposal services.
ISSUE 08
July 2018