Using the HIPAA Security Rule to Ensure Compliance to Patient Data Standards
Healthcare continues to be an emerging target for cyber villains seeking the newest and most lucrative sources of personal identifying data in order to not just perpetrate one-time fraudulent financial transactions, but to commit identity theft. While the financial industry used to be the biggest target, much has been implemented in the industry to thwart, detect and resolve attacks and breaches. Now hackers are setting their sights on data stores housing larger sets of identifying data – patient demographics and payment information – and the healthcare industry is behind the curve on protecting patient data. Consider the following statistics:
- 89% of healthcare organizations had at least one data breach involving the loss or theft of patient data in the past 24 months
- 45% had more than 5 breaches
- 61% of business associates had at least one data breach involving the loss or theft of patient data in the past 24 months
- Average total cost of a breach increased 23% in the past 2 years
- Sophisticated cyberattacks made up 31% of 2016 HIPAA data breaches, a 300% increase in 3 years
Sources: Ponemon Institute Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data 2016, IBM Ponemon 2015 Cost of Data Breach Study: Global Analysis, TrapX Security 2016 Year End Healthcare Cyber Breach Report
Providers are required to abide by HIPAA laws, including the HIPAA Security Rule, which is intended to protect electronic protected health information (ePHI). Providers also have a duty to report breaches according to HHS requirements. The challenge is that, while regulations and requirements exist, they are not necessarily easy to interpret or to put into practice, especially for smaller physician practices that may not have the expertise or budget to implement the best protections. The best place to start is by completing a HIPAA Security Risk Assessment. Some practices may have a tech-knowledgeable staff resource to help. Others may want to consider hiring an IT resource with experience doing this kind of assessment.
The HIPAA Security Rule at a glance
There are 5 main areas providers need to address to meet HIPAA Security Rule requirements:
- Administrative Safeguards: All of the standards and implementation specifications found in the Administrative Safeguards section refer to administrative functions, such as policy and procedures that must be in place for management and execution of security measures. This includes the entire security management process related to the workforce, information access management, security awareness and training, contingency planning, and ensuring that Business Associate Agreements (BAAs) are in place with your vendors.
- Physical Safeguards: The Security Rule’s physical safeguards are the physical measures, policies, and procedures to protect electronic information systems, buildings, and computing equipment.
- Technical Safeguards: Standards and implementation specifications found in the Technical Safeguards section refer to the technology, and the policies and procedures for its use, that protect ePHI and control access to it: access controls, audit measures, data integrity, and data transmission.
- Organizational Requirements: Organizational requirements include the standards for business associates under contract. This standard obligates business associates to protect ePHI in compliance with HIPAA, and to report violations or security incidents.
- Documentation Requirements: Documentation requirements address retention, availability and update requirements for supporting documentation such as policies, procedures, training and audits. Essentially, this means you must document everything, make it available to those impacted, and evaluate it periodically for updates.
Now that you know some of the areas a HIPAA Security Risk Assessment should cover, let’s review some best practices for security management and IT.
P: 330‐758‐8832 • F: 330‐758‐0182 ‐ 760 Boardman‐Canfield Road Boardman, OH 44512 1
December 23, 2016
MicroMD Security Features Overview
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes a national set of minimum security standards for protecting all ePHI that a Covered Entity (CE) and Business Associate (BA) create, receive, maintain, or transmit. The Security Rule contains the administrative, physical, and technical safeguards that CEs and BAs must put in place to secure ePHI, as outlined below.
Administrative Safeguards – Administrative safeguards are administrative actions, policies, and procedures to prevent, detect, contain, and correct security violations. They involve the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of workforce members in relation to the protection of that information. A central requirement is that you perform a security risk analysis that identifies and analyzes risks to ePHI and then implement security measures to reduce the identified risks.
Physical Safeguards – These safeguards are physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
Technical Safeguards – These safeguards are the technology, and the policies and procedures for its use, that protect ePHI and control access to it.
Organizational Standards – These standards require a CE to have contracts or other arrangements with BAs that will have access to the CE’s ePHI. The standards provide the specific criteria required for written contracts or other arrangements.
Policies and Procedures – These standards require a CE to adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A CE must maintain, until six years after the date of their creation or last effective date (whichever is later), written security policies and procedures and written records of required actions, activities, or assessments. A CE must periodically review and update its documentation in response to environmental or organizational changes that affect the security of ePHI.
To assist Covered Entities (CEs) and Business Associates (BAs) in meeting HIPAA Security Rule requirements to protect sensitive ePHI and in completing HIPAA Security Rule Risk Assessments, we’ve compiled the following information on MicroMD security, processes, policies and features related to:
- ePHI encryption (Surescripts CIN & Henry Schein MicroMD Patient Portal)
- Auditing functions (MicroMD PM & EMR)
- Backup and recovery routines (Cloud-based MicroMD)
- Unique user IDs and strong passwords (MicroMD PM & EMR)
- Role- or user-based access controls (MicroMD PM & EMR)
- Auto time-out (MicroMD PM & EMR)
- Emergency access (MicroMD EMR)
- Amendments (MicroMD EMR)
- Secure practice-to-patient communications (Henry Schein MicroMD Patient Portal)
- Secure provider-to-provider email (Surescripts CIN)
Signed BAA Required for All MicroMD Clients: MicroMD requires having a signed BAA on file with every client. The BAA outlines the joint responsibilities of the CE and MicroMD for access, usage and protection of ePHI in the normal course of business.
Client Server Hosted MicroMD PM & EMR: If a CE using MicroMD PM and/or EMR hosts their own database on their own network, it is the responsibility of the CE to ensure they assess, implement, test and monitor the required administrative, physical and organizational standards, and the policies and procedures, needed to protect ePHI stored in and transmitted to and from their own network.
Cloud-based MicroMD PM & EMR: In addition to the security features built into the MicroMD PM & EMR software, clients hosting their data in our cloud environment have additional levels of security, including:
- 24/7 secure data storage, access, monitoring and maintenance, and 99% average uptime
- Server tools including switches, firewalls, software and infrastructure support
- Data disaster recovery and managed data backups
- SSL 128-bit encryption
- Unique logins and passwords for each user, and audit trails for log-in, log-out and system access
- System log-off after a pre-set length of inactivity
- Access management through role-based access, privileges and permissions for users and/or groups
- Audit logging of failed login attempts
- Configurable password strength and reset requirements
- Login-attempt and timed system lock-out settings
- Automatic lock based on established settings
- Limit access to the system to established days and times
MicroMD EMR – 2014 and 2015 Edition CEHRT: MicroMD EMR was first certified by an Office of the National Coordinator-Authorized Certification Body (ONC-ACB) starting with Version 7.5 in 2011 and continues to maintain compliance in accordance with the criteria adopted by the Secretary of Health and Human Services (HHS). 2014 Edition CEHRT for MicroMD EMR has been tested and certified to the security requirements of the 2014 Edition 45 CFR 170.314 criteria. 2015 Edition CEHRT for MicroMD EMR will test and certify to the security requirements of the 2015 Edition 45 CFR 170.315 criteria below:
- §170.315.d.1 Authentication, Access, Authorization
- §170.315.d.2 Auditable Events and Tamper-resistance
- §170.315.d.3 Audit Reports
- §170.315.d.5 Automatic Access Time-Out
- §170.315.d.6 Emergency Access
- §170.315.d.7 End-User Device Encryption (we do not store data on the end-user device (computer); data is stored only on a client’s server or in a secure cloud server environment)
- §170.315.d.9 Trusted Connection
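To show how the access-control and audit features listed above (failed-login auditing, login-attempt lockout, day/time access windows, automatic time-out, and auditable, tamper-resistant events with audit reports) fit together, here is an added Python example; it is not MicroMD’s code and not from the original page. The thresholds, user names and timestamps are constructed, and the hash-chained log is one simple way to make audit entries tamper-evident.

```python
import hashlib, json
from datetime import datetime, timedelta

MAX_FAILED = 3                      # lock the account after this many failed logins
INACTIVITY = timedelta(minutes=15)  # automatic log-off after this much idle time
ALLOWED_DAYS = {0, 1, 2, 3, 4}      # Mon-Fri, as datetime.weekday() numbers (constructed)
ALLOWED_HOURS = range(7, 19)        # 07:00-18:59 local time (constructed)

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
class AuditLog:  # append-only; each entry carries the SHA-256 of the previous one
    def __init__(self):
        self.entries = []
    def record(self, ts, user, event, ok):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"ts": ts.isoformat(), "user": user, "event": event, "ok": ok, "prev": prev}
        self.entries.append(dict(body, hash=_digest(body)))
    def verify(self):  # True only if no entry was altered or removed mid-chain
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
    def report(self, event):  # audit report: every entry of one event type
        return [e for e in self.entries if e["event"] == event]

class AccessControl:
    def __init__(self, log):
        self.log, self.failed, self.last_seen = log, {}, {}
    def login(self, user, password_ok, ts):  # ts is an ISO-8601 string
        ts = datetime.fromisoformat(ts)
        if self.failed.get(user, 0) >= MAX_FAILED:  # unlock (timed or by admin) not modelled
            self.log.record(ts, user, "login_locked_out", False); return False
        if ts.weekday() not in ALLOWED_DAYS or ts.hour not in ALLOWED_HOURS:
            self.log.record(ts, user, "login_outside_window", False); return False
        if not password_ok:
            self.failed[user] = self.failed.get(user, 0) + 1
            self.log.record(ts, user, "login_failed", False); return False
        self.failed[user], self.last_seen[user] = 0, ts
        self.log.record(ts, user, "login", True); return True
    def access(self, user, ts):  # an ePHI read; the session ends once the idle limit passes
        ts, last = datetime.fromisoformat(ts), self.last_seen.get(user)
        if last is None or ts - last > INACTIVITY:
            self.last_seen.pop(user, None)
            self.log.record(ts, user, "session_timeout", False); return False
        self.last_seen[user] = ts
        self.log.record(ts, user, "ephi_access", True); return True
```

Every denied or granted action lands in the same chained log, so a reviewer can pull a failed-login or time-out report and also confirm the log itself has not been edited.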
If you have any questions about MicroMD security features, please contact Client Support:
Best Practices for Security Management:
- Learn about the HIPAA Security Rule
- Engage a security team
- Identify all ePHI access/transmission points and staff/BAs that touch ePHI
- Conduct HIPAA Security Risk Assessment
- Assign a risk level to each area
- Identify security gaps
- Prioritize gaps to address based on risk
- Create a project plan to address gaps
- Establish a budget
- Address gaps
- Engage experts to help (Legal, IT, Forensics)
- Identify and train a Security Incident Response Team
- Start addressing gaps and document fixes (Good faith effort)
- Conduct ongoing security training
- Create, document, implement and monitor adherence to policies and procedures
- Implement employee sanctions for violations
- Assign a schedule to test policies and procedures
- Monitor security adherence and systems vigilantly
- Shore up physical security
- Ensure a BAA on file with every contractor
- Consider breach insurance
IT Practices to Support HIPAA Security
- Always have a current data backup
- Consider moving to a cloud environment
- Implement data recovery tools and processes
- Configure a firewall to increase restrictions
- Boost password complexity / implement automated requirements for reset
- Immediately remove systems access for departing employees
- Use at least two factor authentication for sensitive system logins
- Grant access to 3rd parties only when needed
- Enable auditing and logging for system access – and monitor
- Upgrade hardware and software
- Regularly scan internal and external systems for vulnerabilities
- Engage IT staff to train staff – Phishing!
Looking for a specialty EMR?
MicroMD EMR/EHR is flexible and can fit almost any specialty. Let us help you get back to the business of healing.
About the author
Kristen is the general manager of Henry Schein MicroMD. She leads the operational teams that conceive, develop, launch, sell, implement, train and support the simple yet powerful MicroMD solutions.