HealthBlawg

David Harlow's Health Care Law Blog


HIPAA security guidance for off-site use of electronic protected health information (EPHI)

January 12, 2007

CMS recently issued a HIPAA Security Guidance document on off-site use and remote access of EPHI, to assist covered entities in their compliance efforts.  As is often the case, the federales are working on closing the barn door long after the horse is out of the barn.  And what good is a policy if it’s not adhered to?  Remember last year’s VA laptop debacle?  The VA had a policy that should have kept its employee from taking off-site a laptop holding unencrypted EPHI on over 26 million people in the VA system, but apparently that policy was not enforced.

The guidance includes some relatively bold statements regarding the limited range of circumstances under which off-site use or access of EPHI might be appropriate, given how widespread off-site use of data already is (on PDAs, laptops and smart phones, and by accessing on-site data via the internet, etc.). The examples it offers are:

  • A home health nurse collecting and accessing patient data using a PDA or laptop during a home health visit;
  • A physician accessing an e-prescribing application on a PDA, while out of the office, to respond to patient requests for refills;
  • A health plan employee transporting backup enrollee data on a media storage device, to an offsite facility.

However, the guidance immediately follows with a framework for covered entities to use in determining where they will each draw the line:

We recognize that there may be additional business cases that will require the offsite use of, or access to, EPHI. This guidance is not intended to provide a comprehensive list of applicable business cases nor does it attempt to identify all covered entity compliance scenarios. A covered entity must evaluate its own need for offsite use of, or access to, EPHI, and when deciding which security strategies to use, must consider those factors identified in § 164.306(b)(2):

“(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity’s technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to [EPHI].”

Specifically, with respect to remote access to or use of EPHI, covered entities should place significant emphasis and attention on their:

  • Risk analysis and risk management strategies;
  • Policies and procedures for safeguarding EPHI;
  • Security awareness and training on the policies & procedures for safeguarding EPHI.

Working on the assumption that developing and implementing ever-more-specific compliance plans, based on ever-more-specific government guidance, will result in improved compliance and thus improved protection for EPHI, the guidance concludes with some useful checklists for covered entities’ policies and procedures, as well as cross-references to additional HIPAA resources back on the CMS website.

CMS also admonishes: Affected covered entities "capable of implementing all of the [recommended] strategies . . . are strongly encouraged to do so."

— David Harlow   


Filed Under: E-Prescribing, EHR, Health Law, HIPAA, HIT, Hospitals, Physicians

Copyright © 2006–2025
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.