Protecting Health Information: Are You in Federal Compliance?

By Richard Dwyer

Most Member Groups of New Hampshire Local Government Center (LGC) HealthTrust are familiar with federal legislation known as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). While this law is best known for its privacy provisions regarding Protected Health Information (PHI), subsequent regulation enhancements by the Centers for Medicare and Medicaid Services (CMS) have addressed electronic storage of PHI.

At LGC, we realize that most of our Member Groups do not collect or maintain PHI at their offices. However, many schools and some municipalities do provide nursing services or assist people in paying medical expenses. The security and privacy provisions of HIPAA regulate such activities. So, a review of how to apply such provisions to related circumstances and confidential material is warranted.

Below is a list of security matters that LGC HealthTrust Member Groups should address in storing and maintaining protected information.

HIPAA-Related Security Concerns

Establishing and terminating user access to systems housing electronic patient health information (ePHI)
How and when do you train new employees about PHI, and how promptly do you shut off their PHI access when their employment ends? How often do you require employees to change their computer passwords (for example, on a recurring schedule)?

Inactive computer sessions (periods of inactivity)
Do your computer screens go blank when they are not used for a while so employee information is never displayed at an unattended computer? How long before the blank screen comes on? (Note: CMS does not specify how to comply with its ePHI requirements but does state that employer groups must have related policies actively in place.)

Recording and examining activity in information systems that contain or use ePHI
Many hospitals have tracking systems that identify each person who examines a patient’s record. Such oversight may not be appropriate for schools or municipalities. However, you may want to monitor who is accessing your financial data or other areas you wish to protect.

Employee violations (sanctions)
You should have a policy in place before your first infraction. Examples of sanctions can be verbal/written reprimands, letters in personnel files or dismissal. Consider organizing a standing committee to investigate violations and make recommendations for sanctions.

Electronically transmitting ePHI
At LGC, PHI policy forbids any mention of a medical diagnosis, medical procedure or Social Security Number in the body of an e-mail. Such PHI may appear only in a Microsoft Word or Excel file attached to the e-mail. Fax machines can also be used to transmit PHI as long as the receiving fax machine is not in a public area.

Preventing, detecting, containing and correcting security violations (incident reports)
Take active measures to stop infractions from happening and to correct problems. Remember: you get what you inspect, not what you expect.

Physical access to electronic information systems and the facility that houses them
Make sure that there are physical barriers (doors, locks, shielded windows) to prevent easy access to where you house your servers and storage devices. Also, ensure that computer monitors displaying sensitive information are not easily seen by a casual observer.

Establishing security access controls
Establish a hierarchy of access so that only a few people can see all of your data and others see the minimum necessary to do their own job.

Remote access activity, for example, network infrastructure, platform, access servers, and authentication and encryption software
If you allow remote computer access to work-related files (especially on Internet-based applications), make sure you can block computer hackers and intruders.

Wireless security (transmission and usage)
If employees have a Personal Digital Assistant (such as a BlackBerry® enabled device) with files or e-mail containing PHI, should you require password protection for each use in case the device is lost or stolen?

Documenting what you have and making everyone aware
Publish your information security guidelines and train personnel to comply with them.

A final reminder for Member Groups that have LGC HealthTrust’s Self-Funded Plus program or self-insure a high-deductible portion of their health coverage and have their employees submit receipts for reimbursement: your group is considered a covered entity; therefore, you must adhere to all HIPAA requirements related to privacy and security.

Richard Dwyer is Operations Manager at the New Hampshire Local Government Center.