This article describes the HIPAA workforce security requirements for restricting access to protected health information. The relevant subsection of the HIPAA law is §164.308(a)(3). Section §164.308 of the Health Insurance Portability and Accountability Act describes the required administrative safeguards for covered entities. This article explores section §164.308(a), which deals with ensuring that workforce members have appropriate (yet limited) access to protected health information.

HIPAA Workforce Security

“Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.” [§164.308(a)(3)]

This[…]

The new HIPAA Omnibus Rule from the Department of Health and Human Services (HHS) makes some changes to the Federal Code to account for the HITECH law as well as changes since then. This summary will be discussing changes to the Breach Notification Rule; we will also have a summary for changes to the Privacy Rule. The major change to the Breach Notification Rule is that a breach requiring notification is assumed unless: the covered entity can show (through a risk assessment) that there is a low probability that the protected health information (PHI) has been compromised, or the compromise falls under one of three exceptions to the definition of “breach”. Previously, covered entities only had to notify affected individuals if a risk[…]

While reviewing the 2013 changes to HIPAA, we came upon this interesting bit of economic impact analysis early in the document. A table is presented called “Estimated Costs of the Final Rule”. Within this table, an estimated cost is presented for Security Rule Compliance by Business Associates, expected to apply to between 200,000 and 400,000 business associates of covered entities that were not previously directly liable for HIPAA compliance. The table lists this estimated cost as between $22.6 million and $113 million. I believe this cost is not remotely realistic. Let’s do a little math to figure out these costs per organization. How about a best case scenario, where we spend the least amount of money getting the largest number of[…]

In a press release issued last week, the U.S. Department of Health and Human Services (HHS) announced a long-awaited update to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS Secretary Kathleen Sebelius gave the understatement of the year in the announcement: “Much has changed in health care since HIPAA was enacted over fifteen years ago…” Some of the most significant changes in health care have been as a result of the original requirements of HIPAA. Now everyone who has been to a medical professional is familiar with signing a consent form indicating they have seen a Notice of Privacy Practices. This update to HIPAA, which will go into effect on March 26, 2013, and require compliance by September 23, 2013, has a number of[…]

We are working with a security policy that treats two passwords as being of equivalent strength:

8 character password with two character sets represented (pick two of upper/lower/number/symbol)
6 character password with three character sets represented (pick three of upper/lower/number/symbol)

The question arises: how equivalent (or not) are they? Well, it’s time to do some math.

Total Possible Passwords

One way to measure password strength is in the total number of passwords that one might be able to generate that meet those criteria. More would be better. There are 26 uppercase, 26 lowercase, 10 digit, and 33 ASCII-printable symbols available on the average keyboard (totaling 95 options). If we simply asked how many possible 6 character passwords there are, you can multiply 95 for[…]

I recently had the pleasure of performing one of the best security assessments I’ve ever done. It was great: I didn’t find any gaps. Not a one. To some people, it might come as a surprise that I’d consider that a good assessment. And I’ll admit, it made me a bit suspicious. Nothing? Seriously? Well, I had to look into why, and I’ll get to that in a moment. But let’s cover something else first. I’ve been on both sides of the table for security audits. Being audited is Not Fun. You have someone coming in, looking over all your processes, and it’s up to you to prove that you’re doing what you’re actually doing, often for reasons that seem[…]