The Centers for Medicare & Medicaid Services (CMS) issued formal guidance this week for hospitals and medical practices that permit physicians and others to have off-site access to electronic personal health information (EPHI). A copy of this guidance is attached.
Warning. Though the document is styled as "guidance," in reality it is more of a warning, maybe even a shot across the bow. CMS says that there have been a number of security incidents involving laptop computers and other portable devices used to store or access electronic health data.
In this latest document, CMS offers suggestions concerning the use of such technology, but then adds that in future cases CMS may use these suggestions as a benchmark for evaluating whether a covered entity's actions have been reasonable and appropriate, as required by HIPAA.
The message between the lines is clear. In short, if your organization is allowing remote access to patient information through portable devices or through external computer systems not owned or managed by your organization, CMS will want documentary proof that you've carefully considered the risks from such access, and done everything reasonable to mitigate those risks.
The Problem. CMS is specifically concerned about organizations that allow their personnel to access or carry electronic personal health data on laptops; home-based personal computers; e-mail; PDAs and Smart Phones; public computers found in Internet Cafes, hotels, libraries or other public sites; wireless Internet portals commonly found in public buildings; USB flash drives and memory cards; floppy disks; CDs; DVDs; and similar storage devices.
What to Do. If people associated with your organization are using any of these devices to use or access patient information from off-site locations, there are three main requirements your organization must meet under HIPAA.
First, document that you as an organization have carefully considered all the relevant risk factors. The HIPAA security rules require an organization to evaluate the following factors in deciding whether and how it will allow external access to its patient data:
- The size, complexity, and capabilities of the covered entity.
- The covered entity's technical infrastructure, hardware, and software security capabilities.
- The costs of security measures.
- The probability and criticality of potential risks to patient data.
Neither HIPAA nor the just-published guidance either flatly permits or prohibits external access to patient data. Rather, organizations that decide to permit such external access need to document that they have carefully considered these factors.
Second, an organization that decides to allow external PHI access must take all reasonable steps to mitigate the risk from such access. The guidance says that remote data access is appropriate only if an entity has documented a business case for such access (after considering the factors above) and has then taken "great rigor" to ensure that appropriate policies, procedures and workforce training have been effectively deployed, and that access is provided consistent with HIPAA requirements.
The final pages of the attached guidance offer a number of risk-reducing suggestions. Among those suggestions are the following examples:
- Limiting remote use or access of data to persons whose jobs require such use or access;
- Implementing "two-factor" log-ins (so that the user needs to answer an additional question in addition to supplying a user ID and password);
- Establishing automatic time-out protocols for inactive connections;
- Personal firewall protection for laptops that store or access patient data;
- Regular use of virus protection;
- Required passwords for patient data files, and for all devices that contain or access patient data; and
- Required data encryption.
Again, while none of these suggestions are explicitly made mandatory for all providers, if your organization allows remote storage or access to patient data, you should anticipate that CMS will demand documentation showing good reasons why you declined to follow its suggestions, particularly those that involve relatively low financial cost.
Third, an organization must offer adequate training to all personnel who may carry or access patient data off-site. The attached guidance says that no amount of risk analysis and policy development is adequate if the workforce does not have an appropriate security awareness and training program.
Such training must specifically address any security weaknesses associated with remote access to patient data, and must include clear and concise instructions for accessing, storing and transmitting patient data. Training should also cover password management procedures (for changing and safeguarding passwords); remote device and media protection, reinforcing policies that prohibit leaving devices or media in unattended cars or public thoroughfares; and the policies prohibiting transmission of patient data over open networks (including e-mail) or downloading patient data to public or remote computers.
If your organization permits patient data to be used or accessed off-site, it is important that you review this attached security guidance in detail. This CMS document is intended to explain and illustrate CMS's approach to security compliance. CMS will apply those standards in the future as the basis for judging whether organizations have or have not met their HIPAA obligations.
If you have any questions about this security guidance or about your organization's compliance efforts, please feel free to contact Rich Bouma (616.752.2159) or Norbert Kugele (616.752.2186).