Palisade Systems’ sole focus is on small to medium enterprises (SMEs). In that capacity, we have kept our finger on the pulse of what is happening with HIPAA as it relates to SMEs. I wanted to provide some educational/awareness information for SMEs that are “covered entities,” as well as some food for thought on the “Transmission Security” standard within HIPAA.
Three challenges that I see for SMEs with regards to HIPAA:
- Determine if you have to comply with HIPAA
- What is required or is to be addressable?
- If you don’t have policies and procedures in place, how can you work within the Transmission Security standard?
This link provides an excellent document with flowcharts to see if you would be a covered entity or not:
OK, now that we have that out of the way: if you are a covered entity, read on!
So what is the buzz related to the “Transmission Security” standard for SMEs?
The HIPAA Security Rule states that the law allows covered entities (including small providers) to implement “reasonable and appropriate measures that enable them to comply with the Rule.” As a covered-entity SME, you need to comply, but how do you do this in a way that is in alignment with your particular circumstances or specific operations?
If money were no object this would be an easily solvable problem; however, companies are always looking at the bottom line. There is always a delicate balance between ensuring you fall into compliance and doing so in a way that allows the business to run as efficiently and effectively as possible. Tough gig!
Check out this item related to the Transmission Security Standard (the section in the HIPAA regulations is 164.312(e)(1), in case you desire to do some heavy reading):
“Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
Further down, Health and Human Services lists the encryption specification not as “required” but as “addressable” (164.312(e)(2)(ii)). So encryption is not required, but you still need to do something to address this Transmission Security standard.
From what I see, encryption is not exactly shareware/freeware and can cost a good amount of coin. Now, if it were “required,” you would get the checkbook out, right? But if it is too expensive, and/or having your IT staff spend their bandwidth supporting it is not in the cards (hmmm… how many IT groups have a lot of spare time lying around!), it still needs to be addressed. So what measures are in place in lieu of doing this?
The guide states that you could tell everyone to password protect documents/files, or just prohibit the transmission of electronic PHI via email. Wow! No sending anything job-related by email? That is like saying you can’t use a cell phone (or send a text message) to call your significant other, but you can call everyone else!
So tell your employees that docs and files are to be password protected at all times and that they can’t transmit electronic PHI via email. Please put it on YouTube and let me know, so I can see the employees’ response when you tell them! Does this really allow your business to run efficiently and effectively? You already know that answer.
So how would an SME keep costs down and reduce administrative time on this particular issue?
I’d suggest doing some risk analysis (required standard 164.308(a)(1)(ii)(A)). This standard requires you to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities … of electronic protected health information held by a covered entity.”
As the prior blog posting by Tim pointed out: since the first of this year, 77% of the 850,000 pieces of data we discovered leaving the network were Personal Health Information (detected using our pre-built HIPAA compliance template).
That is something to think about as an SME. Next time, I will get more into the “required” standard of doing risk analysis and interesting tidbits related to what really constitutes a breach of PHI.
Steve