HIPAA isn't just about protecting data from unauthorized access. As more information needed for patient treatment and billing becomes electronic, it's crucial to ensure that systems are available and the data is trustworthy. Your contingency plan must cover backup and recovery of personal health information, along with preparations for recovering from disasters. Your plan also needs to include preparations for operating under emergency conditions--how business can continue without access to the electronic personal health information, and how you will continue to protect data on your systems during disasters.
7. Control Your Media
The management of devices and media used to store patient information is another top source of HIPAA violations, according to CMS. The Security Rule includes four provisions covering devices and media. HIPAA also includes provisions for tracking storage media and devices as they're moved around the facility and disposed of, as well as data backup.
8. Train Users, Then Remind Them
Users are crucial to security, but it's very easy for information security pros to assume they already understand the issues. All members of your workforce need ongoing security training. HIPAA leaves it up to you to decide what's appropriate and how training should be conducted, although the provision describes the training as "periodic security updates."
HIPAA requires that covered entities record and examine activity in systems that store or use personal health information. The type of high-risk threats you identified in your risk assessment will help you decide what needs to be logged in order to meet this requirement, but it's important to understand the context. The Security Rule goes to great pains to ensure that users are uniquely identified and authenticated. Oftentimes, in a medical setting, it's hard to predict who will need to access which patient's data, and strong limits on this access could cause dangerous delays in treatment.
Instead, reasonable access restrictions should be implemented and followed up with audits of access trails to ensure that employees aren't looking at or modifying records they shouldn't.
10. Clean Up Old Data
This step will simplify your HIPAA compliance efforts by reducing the amount of data you need to protect. Hopefully, when you did your inventory for your risk assessment, you didn't just focus on the systems in day-to-day use but scoured the data closets for older gear and unused databases.
Once you've used your inventory to identify outdated data and systems, you need to make the classic closet-cleaner's decision: toss or keep? If there's reason to keep the data, does it need to be accessible? If not, archive it to durable media and store it in a vault or with an off-site data storage company. Data on a tape in a vault isn't susceptible to hackers or curious employees.
Avi Baumstein is an information security analyst at the University of Florida's Health Science Center.