
OCR Unveils HIPAA Hotspots

Dom Nicastro, for HealthLeaders Media, August 16, 2011

If appropriate for your organization, this may also include more sophisticated algorithms, such as comparing patient addresses and employee addresses to detect potential cases of neighbor snooping by employees, or looking for access that is unusual for a department (e.g., a labor and delivery nurse looking up a male patient).

There is no one-size-fits-all answer, but covered entities and business associates should document what options they have considered and how they concluded that their approach was reasonable.
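The two audit-log heuristics Greene mentions above, neighbor snooping (employee and patient addresses close to each other) and access that is unusual for a department (a labor and delivery nurse opening a male patient's record), can be run over an access log as a review script. The block below is an added illustration, not code from the article, OCR or Greene: the employee roster, patient table, audit events, the Labor and Delivery expectation and the 20-house-number "neighbor" threshold are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    """One row of an EHR access audit log (constructed shape, not a real product's format)."""
    user_id: str
    patient_id: str
    timestamp: str


# Constructed sample data: roster, patient index and audit log are invented for this example.
EMPLOYEES = {
    "nurse01": {"department": "Labor and Delivery", "address": "12 Elm St, Springfield"},
    "nurse02": {"department": "Labor and Delivery", "address": "340 Oak Ave, Springfield"},
    "clerk07": {"department": "Billing", "address": "9 Pine Rd, Shelbyville"},
}
PATIENTS = {
    "P100": {"sex": "F", "address": "15 Elm St, Springfield"},
    "P101": {"sex": "M", "address": "77 Maple Dr, Springfield"},
    "P102": {"sex": "F", "address": "9 Pine Rd, Shelbyville"},
    "P103": {"sex": "F", "address": "200 Elm St, Springfield"},
}
AUDIT_LOG = [
    AccessEvent("nurse01", "P100", "2011-08-01T09:12:00"),  # lives a few doors from the patient
    AccessEvent("nurse01", "P101", "2011-08-01T09:15:00"),  # L&D nurse opening a male patient's chart
    AccessEvent("nurse02", "P103", "2011-08-01T10:02:00"),  # nothing unusual
    AccessEvent("clerk07", "P102", "2011-08-01T11:40:00"),  # same household as the patient
]

# What "usual" access looks like per department. Assumed policy for the example; a real
# deployment would derive these from the department's actual patient population.
DEPARTMENT_EXPECTATIONS = {
    "Labor and Delivery": lambda patient: patient["sex"] == "F",
}

# "<house number> <street>, <city>" -- the only address shape this example parses.
ADDRESS_RE = re.compile(r"^\s*(\d+)\s+([^,]+?)\s*,\s*(.+?)\s*$")


def parse_address(addr):
    """Return (house_number, street, city) normalised to lower case, or None if unparseable."""
    m = ADDRESS_RE.match(addr)
    if not m:
        return None
    number, street, city = m.groups()
    return int(number), street.lower(), city.lower()


def address_proximity(employee_addr, patient_addr, max_house_gap=20):
    """'same_household' for identical addresses, 'neighbor' for the same street and city within
    max_house_gap house numbers (assumed threshold), otherwise None."""
    pa, pb = parse_address(employee_addr), parse_address(patient_addr)
    if pa is None or pb is None:
        return None
    if pa == pb:
        return "same_household"
    if pa[1:] == pb[1:] and abs(pa[0] - pb[0]) <= max_house_gap:
        return "neighbor"
    return None


def review_audit_log(events, employees=EMPLOYEES, patients=PATIENTS, rules=DEPARTMENT_EXPECTATIONS):
    """Return (reason, user_id, patient_id) tuples for events that deserve a human look."""
    findings = []
    for ev in events:
        emp = employees.get(ev.user_id)
        pat = patients.get(ev.patient_id)
        if emp is None or pat is None:
            # An access by an unknown account, or of an unknown record, is itself a finding.
            findings.append(("unknown_principal_or_record", ev.user_id, ev.patient_id))
            continue
        proximity = address_proximity(emp["address"], pat["address"])
        if proximity:
            findings.append((proximity, ev.user_id, ev.patient_id))
        expected = rules.get(emp["department"])
        if expected is not None and not expected(pat):
            findings.append(("unusual_for_department", ev.user_id, ev.patient_id))
    return findings


if __name__ == "__main__":
    for reason, user, patient in review_audit_log(AUDIT_LOG):
        print(f"{reason:28s} user={user} patient={patient}")
```

On the constructed log this flags three of the four events: the neighbor lookup, the same-household lookup, and the male patient on Labor and Delivery. Every hit is a lead for review, not a conclusion; a newborn boy is a legitimate Labor and Delivery patient, and two people on the same street may simply be unrelated, which is why the thresholds and department rules need tuning against the organization's real patient mix before anyone is confronted with a finding.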

Hotspot: Secure wireless network

The May 2011 OIG report regarding CMS oversight of the Security Rule is helpful here, highlighting a number of vulnerabilities in wireless networks that the OIG found when auditing hospitals. For example, OIG found hospitals where no authentication was required to access the network or where there was an inability to detect devices intruding on the network.

For smaller providers, the issues may be less complicated, such as ensuring that encryption is turned on and that the administrative access used to configure the access point is properly password protected.
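A small provider can turn the two checks above (encryption actually on, administrative credentials not left at the vendor default) and the OIG's "no authentication required" finding into a repeatable audit of the access point's configuration. The block below is an added example, not from the article, OCR or the OIG report: it parses a hostapd-style key=value file (the keys `wpa`, `wpa_pairwise`, `rsn_pairwise`, `wpa_passphrase`, `wps_state`, `auth_algs` and `wep_*` are real hostapd settings), shows a weak configuration beside a hardened one, and screens the admin login against a short list of common vendor defaults. The sample configurations, the 16-character passphrase threshold and the default-credential list are constructed assumptions.

```python
# Constructed hostapd-style configurations for the example (not taken from any real device).
WEAK_CONF = """\
interface=wlan0
ssid=clinic-wifi
channel=6
wpa=1
wpa_pairwise=TKIP
wpa_passphrase=clinic123
wps_state=2
"""

HARDENED_CONF = """\
interface=wlan0
ssid=clinic-wifi
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=long-random-passphrase-generated-offline
wps_state=0
"""

# Assumed policy threshold: hostapd accepts 8..63 characters, but 8 is brute-forceable offline.
MIN_PASSPHRASE_LEN = 16

# A few widely published factory logins; a real audit would use a fuller vendor list.
COMMON_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")}


def parse_conf(text):
    """Parse key=value lines, ignoring blanks and '#' comments (hostapd.conf syntax)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_wireless_conf(conf):
    """Return a list of human-readable issues; an empty list means the checks passed."""
    issues = []
    wpa = conf.get("wpa", "0")  # hostapd defaults to 0 = no WPA at all
    if wpa == "0":
        issues.append("open network: no WPA/WPA2 configured (wpa missing or 0)")
    elif wpa in ("1", "3"):
        issues.append("legacy WPA (version 1) permitted; set wpa=2")
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        issues.append("TKIP cipher allowed; use CCMP only")
    if conf.get("auth_algs") in ("2", "3") or any(k.startswith("wep_") for k in conf):
        issues.append("WEP / shared-key authentication configured; remove it")
    passphrase = conf.get("wpa_passphrase")
    if wpa != "0" and passphrase is not None and len(passphrase) < MIN_PASSPHRASE_LEN:
        issues.append(f"wpa_passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    if conf.get("wps_state", "0") != "0":
        issues.append("WPS enabled (wps_state != 0); disable it")
    return issues


def check_admin_credentials(username, password, defaults=COMMON_DEFAULT_CREDENTIALS):
    """Flag an access point management login that is still a vendor default or trivially weak."""
    issues = []
    if (username, password) in defaults:
        issues.append("management login matches a common vendor default")
    if not password:
        issues.append("management login has an empty password")
    elif len(password) < 12:  # assumed admin-password policy for the example
        issues.append("management password shorter than 12 characters")
    return issues


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_wireless_conf(parse_conf(text)) or "OK")
    print("admin/admin", check_admin_credentials("admin", "admin") or "OK")
```

The weak file fails on four counts (WPA version 1, TKIP, a nine-character passphrase, WPS left on) and the hardened one passes; a file with no `wpa` line at all is reported as an open network, which is the OIG finding of no authentication required. Checking the configuration does not prove what the radio is actually doing, so the practical follow-up is a scan from a client for the SSID's advertised security and a login attempt with the vendor default against the management interface.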

Hotspot: Management of user access and passwords

Greene: Covered entities should ensure that there are policies generally prohibiting the sharing of user IDs, that systems are configured to require strong passwords when accessing higher-risk information and to require changing of default passwords, and that access to administrative accounts is closely controlled.




1 comment on "OCR Unveils HIPAA Hotspots"


Mark Meade (8/16/2011 at 11:51 AM)
The Government in its crusade to protect us from evil has singled out the business community, by demanding the creation of a gargantuan bureaucracy to control PHI. While several of the ideas are worthy of consideration the whole proposal/regulation is overly burdensome, hugely expensive and wasteful of limited resources (Anybody remember MLR limits). I have yet to see effective action against the thieves who steal and use this information where the real effort needs to be. For those familiar with history, and it seems this group gets smaller all the time, this is a Maginot Line approach to keeping PHI safe which can just as easily be breached as that folly to defensive strategies was. Any wonder the economy is frozen in place with so much effort being channeled into complying with the plethora of rules and regulations pouring from our ever-expanding government.