
Lucky24 - Nate Cartwright


Yes, HIPAA doesn't specify what encryption type you have to use. However, a lot has changed since the original roll-out of HIPAA - there are stricter rules now since 2014.

§ 164.312 Technical safeguards states:

(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

When does it need to be encrypted? It's pretty clear that it says the policies and procedures detailed above are to ensure the data is only accessed by authorized personnel:

(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

The fines are very, very, very steep. If a hard drive is stolen from a premises and the drive wasn't encrypted, you are going to be looking at a $1,700,000 fine: http://www.apta.org/PTinMotion/NewsNow/?blogid=10737418615&id=10737433533

This isn't just for Covered Entities anymore - it applies to Business Associates as well since 2014, and BAs (you) can get audited and fined. And that's even if the machine is a desktop machine behind gated, passcarded, security-cameraed, security-guarded premises and the machine is passworded: https://www.paubox.com/blog/hipaa-privacy-violations-include-stolen-office-computers

In practice, when dealing with a HIPAA-regulated client, you need to encrypt any patient data at rest and in transit, you need to have policies in place for data security practices that every employee signs off that they read and understood, and you need to have an audit trail and regular security audits to track who has accessed what data.

Basically, you need to have a paper trail that shows you're committed to security, and that you've tracked and documented the movement of all unsecured patient data.

Finally, if you are a technology provider to a HIPAA-regulated client, *you* are responsible and liable for any data breaches of your systems if the associate agreement states that and both parties have signed it. The Business Associate Agreement should specify all of the things you have to do to stay compliant for the Covered Entity. And all outside vendors of any HIPAA-regulated organization must have a BAA on file - though this onus is on the HIPAA-regulated organization to make sure they do this.

Finally, the "Breach notification rule" requires organizations to notify HHS when a breach of unsecured patient data occurs, and to cease usage of the breached business associate's services. See http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/

What this means in practice is that HIPAA clients need to be paying you a lot more :)

If you're providing services to HIPAA clients, you really should at least skim the 114 page summary document: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf