Member Forum

1.  HIPAA Security Rules

Posted 07-14-2017 12:29


I am switching from a server-based EMR to a cloud-based EMR. Do those on the cloud have any special in-house security measures, etc.? An IT person is suggesting that a "Windows domain" or "Windows workgroup" is not HIPAA compliant. Do practices have a HIPAA security rules document in place? Does anyone know of a template? There is an article in the FPM Journal recently... looks fairly onerous....



Jim Bloomer, Exeter, NH.

2.  RE: HIPAA Security Rules

Posted 07-15-2017 17:19
Hi Jim,

Suggest you do a search on these fora on "HIPAA". HIPAA compliance means the practice followed a process to assess risk, not that they're using, or not using, a particular product or method. The CMS website is helpful, especially the FAQ for professionals.

The FPM article was fairly reasonable.
If you look at it, the most common problem was that the practices hadn't done a risk assessment. That's a violation. But not using encryption (e.g.) is not a violation, if you've done an assessment and concluded it's more onerous than it's worth.

"Common problem areas with respect to Security Rule compliance:

  • Nonexistent or incomplete SRAs,
  • Lost or stolen media storage devices containing unencrypted ePHI – including laptops and thumb drives,
  • Improperly configured appointment calendars, which are publicly searchable online.

In many cases, the covered entities that have made these errors also fail to implement effective policies and procedures to detect, prevent, contain, and correct security violations."

The only weird thing with the cloud is you need a specific BAA, not just the cloud's usual security measures, which are usually far in excess of what you need. ONC has gotten weird on this, and insists on a document labelled "BAA".

Peter Liepmann MD FAAFP MBA
My mission is to fix US health care
Bakersfield CA

3.  RE: HIPAA Security Rules

Posted 07-17-2017 13:20

Should have posted this rather than reply on it as is. Thanks, Peter.

Hi Jim, if it's OK with you, we should put this on the public discussion board so others can benefit. Your connection with your cloud server will be "HTTPS", not "HTTP". HTTPS alone gives you credit-card-level security in your connection. The folks that issue a security certificate confirm the identity of the site to a more than reasonable degree, and the "handshaking" uses public key encryption to secure your connection. (Google "public key encryption".) Ask your IT guy about how much security you get with HTTPS. It's a reasonable way of gauging how expert he is. If he doesn't understand that HTTPS gives you

  • secure encryption and
  • confirmation of the site's identity

then you absolutely need another IT person. Seriously. What would you think about a doctor who told you to get your appendix taken out, "just in case"? The risk in an HTTPS connection is orders of magnitude less. How much security do you need? (Click the link.)

"There are various reasons for wanting to use free VPN (virtual private network) software, but the two main ones are to hide who you are, or to hide where you are. Why might you want to do either of these things? "

The important thing about the security rule is you need to do an assessment, and have it in writing. The HITECH site has a free security risk assessment (SRA) tool that's boring but complete. Don't overthink the process when you do it; good enough is... good enough! The CMS site has info about email and texting, neither of which is very secure, but may be adequate. The Signal app gives you encrypted texting. PGP can give you encrypted email, but IMO, it's not worth the bother. Most "secure email" portal applications are just plain cumbersome. You should definitely use a password manager like KeePass, and a passphrase generator like Readable Passphrase Generator, though you can shorten the passwords for most applications. 50 bits is enough for all except banking. Read about password reuse and password crackers.

Peter
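As an added illustration of the two assurances Peter describes in his reply above (an encrypted channel, plus confirmation of the site's identity by a certificate the client checks against its trust store), here is a short Python script. It is not from the thread, the FPM article, or any product mentioned here. It opens a TLS connection with verification on, the way a browser does, reports the negotiated protocol and cipher, and summarises what the server's certificate actually names and when it expires. The `summarize_cert` helper is exercised against a constructed certificate dict (the hostname `emr.example-practice.test` and the issuer name are made up); the live `fetch_cert` call needs network access and a hostname on the command line.

```python
"""What an HTTPS connection proves: an encrypted channel plus a verified identity.

Added example; not code from the forum thread. The sample certificate
below is constructed for the demo.
"""
import socket
import ssl
import sys
import time

# Constructed stand-in for what ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "emr.example-practice.test"),),),
    "issuer": ((("organizationName", "Constructed Demo CA"),),),
    "subjectAltName": (
        ("DNS", "emr.example-practice.test"),
        ("DNS", "www.emr.example-practice.test"),
    ),
    "notAfter": "Jan 10 00:00:00 2031 GMT",
}
# Fixed "today" for the demo so its output is reproducible.
DEMO_NOW = ssl.cert_time_to_seconds("Jan 10 00:00:00 2030 GMT")


def verifying_context():
    """A client context that behaves like a browser: certificate required,
    checked against the OS trust store, and the name on it must match."""
    ctx = ssl.create_default_context()
    # These are the defaults; the check documents that nobody turned them off,
    # which is the usual "fix" that silently removes the identity guarantee.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context does not verify the server")
    return ctx


def summarize_cert(cert, now=None):
    """Reduce a getpeercert()-style dict to the facts a practice cares about."""
    now = time.time() if now is None else now
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "common_name": subject.get("commonName"),
        "dns_names": dns_names,
        "issuer": issuer.get("organizationName"),
        "days_left": int((expires - now) // 86400),
    }


def fetch_cert(host, port=443, timeout=5):
    """Connect with verification on and return (TLS version, cipher, cert dict).
    Raises ssl.SSLCertVerificationError if the certificate is untrusted or
    names a different host, which is exactly the failure you want surfaced."""
    ctx = verifying_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], tls.getpeercert()


def demo_summary():
    """Summary of the constructed certificate as seen on the fixed demo date."""
    return summarize_cert(SAMPLE_CERT, now=DEMO_NOW)


if __name__ == "__main__":
    print("constructed sample:", demo_summary())
    if len(sys.argv) > 1:  # e.g. python https_check.py your-emr-host
        version, cipher, cert = fetch_cert(sys.argv[1])
        print(version, cipher)
        print(summarize_cert(cert))
```

The point of `verifying_context` is the caveat behind Peter's "ask your IT guy" test: HTTPS only confirms the site's identity while certificate verification and hostname checking stay switched on, and disabling them to make a connection "work" keeps the encryption but throws the identity guarantee away.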
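Peter also mentions a passphrase generator and a 50-bit budget. As a second added example (not the thread's own content, and not the Readable Passphrase Generator's code), here is how that bit figure is computed and how many words it takes from a list of a given size. The 16-word list is constructed for the demo, and 7776 is the size of the EFF long word list, used here only as a realistic reference size.

```python
"""Passphrase strength in bits, and how many words a target like 50 bits needs.

Added example; not from the forum thread or the Readable Passphrase Generator.
The word list below is a constructed 16-word stand-in; a real list such as
the EFF long list has 7776 words.
"""
import math
import secrets

DEMO_WORDS = [
    "amber", "basil", "cedar", "delta", "ember", "fable", "gable", "harbor",
    "ivory", "jasper", "kelp", "lumen", "maple", "nectar", "olive", "pepper",
]
EFF_LONG_LIST_SIZE = 7776  # 6**5, one five-dice roll per word


def entropy_bits(list_size, n_words):
    """Bits of entropy of n_words chosen uniformly and independently."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count that reaches target_bits from a list of list_size."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, target_bits):
    """Pick words with the CSPRNG (secrets, not random) until target_bits is met.
    Returns (passphrase, bits actually achieved)."""
    n = words_needed(len(words), target_bits)
    chosen = [secrets.choice(words) for _ in range(n)]
    return " ".join(chosen), entropy_bits(len(words), n)


if __name__ == "__main__":
    for size in (len(DEMO_WORDS), EFF_LONG_LIST_SIZE):
        n = words_needed(size, 50)
        print(f"{size}-word list: {n} words give {entropy_bits(size, n):.1f} bits")
    print(generate_passphrase(DEMO_WORDS, 50))
```

The entropy comes only from the list size and the word count, not from how memorable the words are; a 7776-word list reaches 50 bits at four words, while the tiny demo list needs thirteen. Using `secrets.choice` rather than `random.choice` matters because the latter is predictable and not meant for secrets.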

Jim Bloomer