[Editor’s note: This column addresses specific questions related to Health Insurance Portability and Accountability Act (HIPAA) implementation. If you have questions, please send them to Sheryl Jackson, Same-Day Surgery, Thomson American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: email@example.com.]
Question: Does the security rule specify how a risk analysis must be conducted?
Answer: The security rule requires all covered entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information in their possession, says Robert W. Markette Jr., an Indianapolis attorney. "The rule does not specify how a covered entity should perform this assessment," he says. "Frankly, even computer security experts don’t all use the same methods."
The goal of a risk analysis is to identify potential risks and their likelihood of occurring, he explains. A risk assessment can be performed by hiring outside consultants or can be performed by the same-day surgery staff, Markette says. "Same-day surgery programs will need to use their own judgment when deciding whether to handle the risk assessment on their own or to hire outside consultants," he says. The decision may depend on the program’s individual staff resources and expertise, he adds.
Question: How should passwords be chosen to ensure security?
Answer: There are rules of thumb for choosing passwords, Markette says.
"First, do not use words from the dictionary or obvious words such as relatives’ names or pets’ names," he emphasizes. "Do not use your birth date or a relative’s birth date," he says.
Birth dates and names are learned easily and often are the first things a hacker will choose when guessing a password, he explains.
"Generally, a password should be a combination of letters, numbers, and, perhaps, even other ASCII characters," Markette suggests. "Of course, this is a two-edged sword." The more complicated the password, the more difficult it is for a hacker to guess, but it also is more difficult for an employee to remember, he adds. Complicated passwords are of absolutely no value for security purposes if the employee writes them on a note that is stuck to the computer screen, he says.
There are a couple of ways you can come up with difficult-to-guess but easy-to-remember passwords, Markette adds. "You can combine somebody’s initials with the last four digits of another person’s phone number, or take the first letter from each word in an easily remembered phrase and combine it in some way with a birth date or phone number," he suggests. For example: The phrase "Asta la vista baby" combined with the last four digits of a phone number could become any of the following: alvb5543, a5l5v4b3, 5543alvb, 5a5l4v3b.
"None of these passwords are easily guessed, but for the employee, they should be simpler to remember than trgh678# or some other randomly generated password," he explains.
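As an added example (not from the column or from Markette), here is a small Python checker that applies the rules of thumb above and reproduces the phrase-initials derivation he illustrates; the word list, the personal names and the date patterns are constructed stand-ins for a real dictionary and a program's own staff data.

```python
import re

# Constructed mini "dictionary" standing in for a real wordlist (assumption:
# a production checker would load a full dictionary plus staff/pet names).
DICTIONARY = {"password", "welcome", "surgery", "summer", "fluffy", "jennifer"}


def looks_like_date(pw: str) -> bool:
    """Digit-only strings shaped like MMDDYY or MMDDYYYY / YYYYMMDD birth dates."""
    return bool(re.fullmatch(r"\d{6}|\d{8}", pw))


def check_password(pw: str, personal=()) -> list:
    """Return the rules the password violates; an empty list means it passes.

    `personal` is an optional collection of obvious words for this user
    (relatives' names, pets' names) that the column says must not be used.
    """
    problems = []
    low = pw.lower()
    # Strip trailing digits so "fluffy1" is still caught as a dictionary word.
    core = re.sub(r"\d+$", "", low)
    obvious = DICTIONARY | {p.lower() for p in personal}
    if low in obvious or core in obvious:
        problems.append("dictionary or obvious word")
    if looks_like_date(pw):
        problems.append("looks like a birth date")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("should combine letters and numbers")
    return problems


def phrase_initials(phrase: str) -> str:
    """First letter of each word in an easily remembered phrase, lower-cased."""
    return "".join(w[0].lower() for w in phrase.split())


def interleave(a: str, b: str) -> str:
    """Alternate characters of two strings, e.g. 'alvb' + '5543' -> 'a5l5v4b3'.

    Any leftover tail of the longer string is appended unchanged.
    """
    paired = "".join(x + y for x, y in zip(a, b))
    return paired + a[len(b):] + b[len(a):]


if __name__ == "__main__":
    initials = phrase_initials("Asta la vista baby")           # "alvb"
    for candidate in (initials + "5543", interleave(initials, "5543"),
                      "5543" + initials, interleave("5543", initials)):
        print(candidate, check_password(candidate) or "ok")
    print("Fluffy1", check_password("Fluffy1", personal={"Fluffy"}))
```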
For more information on HIPAA, contact:
• Robert W. Markette Jr., Attorney at Law, Gilliland & Caudill, LLP, 6650 Telecom Drive, Suite 100, Indianapolis, IN 46278. Phone: (317) 616-3652. Fax: (317) 275-9246. E-mail: firstname.lastname@example.org.