HIPAA security guidance for off-site use of electronic protected health information (EPHI)

CMS recently issued a HIPAA Security Guidance document on off-site use and remote access of EPHI, to assist covered entities in their compliance efforts.  As is often the case, the federales are working on closing the barn door long after the horse is out of the barn.  And what good is a policy if it’s not adhered to?  Remember last year’s VA laptop debacle?  The VA had  a policy that should have kept its employee from taking that laptop with unencrypted EPHI on over 26 million folks in the VA system off-site but apparently it was not enforced.

The guidance includes some relatively bold statements regarding the limited range of circumstances under which off-site use or access of EPHI might be appropriate, given the current prevalence of using data off-site (using PDA’s, laptops, smart phones, accessing on-site data via the internet, etc.):

• A home health nurse collecting and accessing patient data using a PDA or laptop during a home health visit;
• A physician accessing an e-prescribing application on a PDA, while out of the office, to respond to patient requests for refills;
• A health plan employee transporting backup enrollee data on a media storage device, to an offsite facility.

However, the guidance immediately follows with a framework for covered entities to use in determining where they will each draw the line:

We recognize that there may be additional business cases that will require the offsite use of, or access to, EPHI. This guidance is not intended to provide a comprehensive list of applicable business cases nor does it attempt to identify all covered entity compliance scenarios. A covered entity must evaluate its own need for offsite use of, or access to, EPHI, and when deciding which security strategies to use, must consider those factors identified in § 164.306(b)(2):

“(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity’s technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to [EPHI].”

Specifically, with respect to remote access to or use of EPHI, covered entities should place significant emphasis and attention on their:

• Risk analysis and risk management strategies;
• Policies and procedures for safeguarding EPHI;
• Security awareness and training on the policies & procedures for safeguarding EPHI.

Working on the assumption that developing and implementing ever-more-specific compliance plans, based on ever-more-specific government guidance, will result in improved compliance and thus improved protection for EPHI, the guidance concludes with some useful checklists for covered entities’ policies and procedures, as well as cross-references to additional HIPAA resources back on the CMS website. 

CMS also admonishes:  Affected covered entities "capable of implementing all of the [recommended] strategies . . . are strongly encouraged to do so."

— David Harlow