This is the third blog post in a series dealing with HIPAA compliance and covers physical security. The computer, the workstations, and the network will be covered in subsequent blogs.
The format is a series of questions to you about areas of concern in your and your supplier's domains with respect to the HIPAA-required, documented Security Risk Assessment and Business Continuity Plan.
As a reminder, some of these questions are economic decision points that your business can make.
Do you have a corporate and/or Facility Security Officer?
Do you have industrial grade locks on all the doors to your covered facility?
Do you have industrial grade locks on doors into your computer room, network appliance room, and patient file room?
Do you have substantial doors into your computer room, network appliance room, and patient file rooms?
Do you inventory and tightly control facility keys?
Do you have a living documented list of who has keys and access codes to what?
Do you regularly change the access codes?
Do you have a monitored after hours alarm system?
Do you have electronically monitored windows, if any, into your computer room, network appliance room, patient file room, or any other area that might contain patient data?
Do you have electronic access control for your facility?
Do you tightly manage in a controlled and documented manner facility and alarm access codes?
Do you electronically log access to your facility?
Do you have a battery or other power to your desktop and network appliances that would last long enough for an orderly shutdown of the devices in case of a power failure?
Do you have a battery or other power to your desktop, network, or computer appliances that would last long enough to sustain operations for a defined period of time for the devices in case of a power failure?
Do you have an inventory of desktops, network appliances, and power supplies?
Do you at some frequency check that inventory?
Do your telephones go down in case of a power failure?
Do you have, or need, a few phones in your facility that operate on line power?
Are your phone and data services commingled?
Do you have a plan for rerouting inbound calls from patients, doctors, or suppliers to another facility in case of an extended facility outage?
Do you have a defined perimeter behind which only HIPAA-trained personnel or escorted visitors have access?
Do you routinely document and log guests into and out of your facility?
Do you have management controlled photo security badges for office and corporate personnel?
Do you have a recording camera system covering critical areas of your facility?
Do you have a documented policy for reporting physical security breaches?
Do you have documented policies for granting and revoking privileges for new hires and terminated employees that keep the facility secure at all times?
The list goes on, but the above questions typify the questions Medifacts has asked itself and addressed for our own facilities. Medifacts can help you through the HIPAA compliance issues surrounding physical security.
Business Continuity Planning
This is the second in a series of blogs concerning your business, including some of the requirements for HIPAA and HITECH compliance, and in particular it addresses concerns around Business Continuity Planning.
This blog will cover five areas dealing with Business Continuity Planning: Definitions, The Computer, The Network, The People, and Monetary Decision Points.
Definitions and Beliefs
First, two academic definitions:
Business continuity planning is the activity performed by an organization to ensure critical business functions will be available to customers, suppliers, regulators, other entities, and themselves in order to keep functioning in the case of adversity.
And, from the Gartner Group in their comprehensive study of medical systems:
“A business continuity plan should include: a disaster recovery plan, which specifies an organization's planned strategies for post-failure procedures; a business resumption plan, which specifies a means of maintaining essential services at the crisis location; a business recovery plan, which specifies a means of recovering business functions at an alternate location; and a contingency plan, which specifies a means of dealing with external events that can seriously impact the organization.”
HIPAA and HITECH focus on security and the protection of patient data during any of the above scenarios. Medifacts cares about your whole business too.
There are three homilies around Business Continuity Planning, learned the hard way, to keep in mind:
“There are only two kinds of computer systems in the world: those that have gone down and those that will.”
And, inexplicably, “Systems with well thought out plans will be less likely to have a need to use them.”
“An ounce of prevention is worth at least a pound of cure.”
We can’t prove these beliefs, but they can be considered facts earned in battle.
Medifacts used all these definitions and beliefs in developing our Business Continuity Plan, since we are concerned about our whole business and our customers’ whole business. We widened the scope to include steps taken so that problems up to and including force majeure never happen, or can be mitigated in a manageable manner. Indeed, the worst-case scenario, force majeure, is the clearest-cut problem to solve.
Here are four categories containing tip-of-the-iceberg questions to think about and address when creating a living Business Continuity Plan.
The Computer system
The Wide Area Network (internet connection) and Local Area Network (LAN)
Monetary decision points
In monetary reality, the answers to many of the above questions, with the exception of having a secure backup of the patient data, could legitimately be no instead of the implied correct answer of yes. The company owner, practice owner, or supplier could just say no as a business decision. The positive answers to some of the questions are only applicable if you have the scale to support the expenditure. Each step along the trail has an attendant risk that you as a business owner may decide to take. Hard currency today vs. maybe-money in the future is a subjective equation.
Medifacts has internally asked and answered all the above questions and a legion of others about Business Continuity. Medifacts takes recovery and our customers seriously.
For current or prospective Medifacts customers, we would look forward to reviewing our BCP with you in as much detail as you might need or could stand.
In addition, we can work with you on your specific HIPAA compliance steps.
HIPAA and HITECH Compliance Attestations
People in the medical field and their attendant suppliers regularly attest that the practice or company they own or work for is HIPAA and HITECH compliant. These attestations are legal documents.
Unfortunately, if recent CMS inspections for HIPAA compliance are indicators, many are not compliant. The resultant penalties for some of the inspected facilities have been in the millions of dollars, not to mention the PR embarrassment of being formally judged noncompliant.
One can appeal the inspector’s judgment, but the appeal process causes an additional expenditure of money out of your pocket.
Your positive answers to a few simple example questions may save you from reading the rest of the article.
Please show me your practice’s, ASC’s, or covered company’s management-signed yearly Security Risk Assessment document.
Please show me your documented HIPAA training records for all your employees’ training sessions.
Please show me the clause in your employee manual delineating the personal consequences for non-compliance.
Please show me your documented, detailed Business Continuity Plan that protects the integrity and availability of patient data when a disaster at your facility or your IT provider’s facility happens.
Please show me the document appointing a Security Officer and HIPAA Compliance Officer in your practice, ASC, covered company, or Corporate Entity.
The list of attestation elements and documents goes on, but this should be enough to make my case.
For those of you who have positive answers to the above, skip the rest of the blog series and buy Medifacts anyway, since we are on the same page. One caveat: these questions were only the tip of the iceberg, and you may still not be compliant.
One of the main points Medifacts would like to communicate in this particular blog to the practice, ASC management or company owners is: You can’t just throw HIPAA compliance over the fence to the computer people. As you can see from the questions, there are many activities in HIPAA compliance that are personnel and company policy related.
Many medical sites and covered entities probably are, in spirit and intellectual understanding, HIPAA compliant; they just can’t prove it. One should Document, Document, Document; in some IT cases, be ready to demonstrate compliance with printed reports or screenshots; if there are ambiguities about what needs to be documented, err on the side of documenting; and if definitions get in the way, err on the side of the more expansive definitions.
In the next few blogs, through a series of questions, the compliance process will be broken down into pieces with a heavy emphasis on Business Continuity Planning and IT system HIPAA compliance. The questions will not be inclusive enough to guarantee compliance, only thought-provoking. When addressing security, business health, and Business Continuity, the overlap of these items will be obvious. We are all more secure if we know there are plans not only to protect data but also to ensure that we will continue to have a job or company.