HIPAA Q&A

[Editor’s note: This column addresses specific questions related to Health Insurance Portability and Accountability Act (HIPAA) implementation. If you have questions, please send them to Sheryl Jackson, Hospital Home Health, Thomson American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: sherylsmjackson@cs.com.]

Question: Does the HIPAA security rule specify how a risk analysis must be conducted?

Answer: "The security rule requires all covered entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI in its possession," says Robert W. Markette Jr., an Indianapolis attorney. "The rule does not specify how a covered entity should perform this assessment," he adds. "Frankly, even computer security experts don’t all use the same methods," Markette admits.

The goal of a risk analysis is to identify potential risks and their likelihood of occurring, he explains. "A risk assessment can be performed by hiring outside consultants or can be performed by the home health staff," Markette says. "Home health agencies will need to use their own judgment when deciding whether to handle the risk assessment on their own or to hire outside consultants," he says. The decision may depend on the agency’s individual staff resources and expertise, Markette adds.

Question: How should passwords be chosen to ensure security?

Answer: "There are a few rules of thumb for choosing passwords," says Markette. "First, do not use words from the dictionary or obvious words such as relatives’ names or pets’ names," he emphasizes. "Do not use your birth date or a relative’s birth date," he says. Birth dates and names are easily learned and are often the first things a hacker will choose when guessing a password, he explains. "Generally, a password should be a combination of letters, numbers, and perhaps even other ASCII characters," Markette suggests. "Of course, this is a two-edged sword," he points out. The more complicated the password, the more difficult it is for a hacker to guess; but it also is more difficult for an employee to remember, Markette explains.

Complicated passwords are of absolutely no value for security purposes if the employee writes them on a Post-it note that is stuck to the computer screen, he says. There are a couple of ways you can come up with difficult-to-guess but easy-to-remember passwords, Markette continues. "You can combine somebody’s initials with the last four digits of another person’s phone number, or take the first letter from each word in an easily remembered phrase and combine it in some way with a birth date or phone number," he suggests.

For example: The phrase "hasta la vista baby" combined with the last four digits of a phone number could become any of the following:

  • alvb5543;
  • a5l5v4b3;
  • 5543alvb;
  • 5a5l4v3b.

"None of these passwords are easily guessed, but for the employee they should be simpler to remember than trgh678# or some other randomly generated password," he explains.
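As an added illustration (not part of the column, and not Markette's own tool), the rules of thumb above can be turned into a simple policy check an agency could run on a proposed password before accepting it. The word list, names and birth date below are constructed placeholders; a real check would load a full dictionary and the agency's own staff data.

```python
import re
from datetime import date

# Constructed placeholders (assumption): a real deployment would load a full
# dictionary word list and the agency's own staff/relative names and birth dates.
COMMON_WORDS = {"password", "welcome", "hospital", "health", "vista", "baby"}
KNOWN_NAMES = {"robert", "sheryl", "fido", "fluffy"}
KNOWN_BIRTHDATES = {date(1965, 3, 14)}


def date_forms(d):
    """Digit strings an employee might type for a birth date (MMDDYYYY, YYYYMMDD, MMDDYY, ...)."""
    return [d.strftime(f) for f in ("%m%d%Y", "%Y%m%d", "%d%m%Y", "%m%d%y", "%d%m%y", "%m%d", "%Y")]


def check_password(pw, words=COMMON_WORDS, names=KNOWN_NAMES, birthdates=KNOWN_BIRTHDATES):
    """Return the list of rule-of-thumb violations; an empty list means the password passes."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    # Rule 1: no dictionary words, relatives' or pets' names (checked as substrings, too).
    hit = next((w for w in sorted(words | names) if len(w) >= 4 and w in low), None)
    if hit:
        problems.append(f"contains the dictionary word or name '{hit}'")
    # Rule 2: no birth dates in any of the common digit layouts.
    for d in sorted(birthdates):
        if any(form in pw for form in date_forms(d)):
            problems.append(f"contains birth date {d.isoformat()}")
    # Rule 3: mix letters with digits (other ASCII characters are allowed but not required).
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("must mix letters and digits")
    return problems


if __name__ == "__main__":
    # The column's four phrase-plus-digits candidates, and two weak ones for contrast.
    for candidate in ("alvb5543", "a5l5v4b3", "5543alvb", "5a5l4v3b", "Fido031465", "hospital"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The four candidates from the column pass every rule, while a pet's name followed by a birth date is flagged twice, which is exactly the kind of guessable choice the column warns against.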

[For more information, contact:

Robert W. Markette Jr., Attorney-At-Law, Gilliland & Caudill, LLP, 6650 Telecom Drive, Suite 100, Indianapolis, IN 46278. Phone: (317) 616-3652. Fax: (317) 275-9246. E-mail: rwm@gilliland.com.]