HIPAA Regulatory Alert

HIPAA Q&A

Question: Does the security rule specify how a risk analysis must be conducted?

Answer: The security rule requires all covered entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information in its possession, says Robert W. Markette Jr., an Indianapolis attorney. "The rule does not specify how a covered entity should perform this assessment," he says. "Frankly, even computer security experts don’t all use the same methods."

The goal of a risk analysis is to identify potential risks and their likelihood of occurring, he explains. A risk assessment can be performed by hiring outside consultants or can be performed by the surgery staff, Markette says. "Programs will need to use their own judgment when deciding whether to handle the risk assessment on their own or to hire outside consultants." The decision may depend on the program’s individual staff resources and expertise, he adds.

Question: How should passwords be chosen to ensure security?

Answer: There are rules of thumb for choosing passwords, Markette says.

"First, do not use words from the dictionary or obvious words such as relatives’ names or pets’ names," he emphasizes. "Do not use your birth date or a relative’s birth date," he says.

Birth dates and names are learned easily and often are the first things a hacker will choose when guessing a password, he explains. "Generally, a password should be a combination of letters, numbers, and, perhaps, even other ASCII characters," Markette suggests. "Of course, this is a two-edged sword." The more complicated the password, the more difficult it is for a hacker to guess, but it also is more difficult for an employee to remember, he adds. Complicated passwords are of absolutely no value for security purposes if the employee writes them on a note that is stuck to the computer screen, he says.

There are a couple of ways you can come up with difficult-to-guess but easy-to-remember passwords, Markette adds. "You can combine somebody’s initials with the last four digits of another person’s phone number, or take the first letter from each word in an easily remembered phrase and combine it in some way with a birth date or phone number," he suggests. For example: The phrase "Asta la vista baby" combined with the last four digits of a phone number could become any of the following: alvb5543, a5l5v4b3, 5543alvb, 5a5l4v3b. "None of these passwords are easily guessed, but for the employee, they should be simpler to remember than trgh678# or some other randomly generated password," he explains.
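The rules of thumb above can be turned into a simple password-policy check that a program could run when staff pick a new password. The following is an added example, not code from the newsletter or from Markette; the word and name lists are constructed stand-ins for the dictionary, staff and relative names a real deployment would load, and the phrase-to-password helpers reproduce the mnemonic scheme described above.

```python
import re
from datetime import date

# Constructed word lists; a real check would load a full dictionary plus staff/relative/pet names.
DICTIONARY = {"password", "welcome", "summer", "hospital", "baby", "vista"}
NAMES = {"robert", "markette", "fluffy", "rex"}

def acronym(phrase):
    """First letter of each word, lower-cased: 'Asta la vista baby' -> 'alvb'."""
    return "".join(w[0] for w in phrase.split()).lower()

def interleave(letters, digits):
    """Alternate letters and digits: ('alvb', '5543') -> 'a5l5v4b3'."""
    return "".join(a + b for a, b in zip(letters, digits))

def contains_date(pw):
    """True if any 6- or 8-digit run in pw parses as a calendar date (MMDDYYYY, YYYYMMDD, MMDDYY)."""
    for run in re.findall(r"\d{8}|\d{6}", pw):
        if len(run) == 8:
            splits = [(run[4:], run[:2], run[2:4]), (run[:4], run[4:6], run[6:])]
        else:
            splits = [(century + run[4:], run[:2], run[2:4]) for century in ("19", "20")]
        for y, m, d in splits:
            try:
                date(int(y), int(m), int(d))
                return True
            except ValueError:
                pass
    return False

def check_password(pw):
    """Return the list of rules of thumb that pw violates; an empty list means it passes."""
    problems = []
    letters = "".join(ch for ch in pw if ch.isalpha()).lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if letters in DICTIONARY:
        problems.append("alphabetic part is a dictionary word")
    if letters in NAMES:
        problems.append("alphabetic part is a known name")
    if contains_date(pw):
        problems.append("contains a date")
    # Count character classes present: lower, upper, digit, other (punctuation / symbols).
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit) if any(test(ch) for ch in pw))
    if any(not ch.isalnum() for ch in pw):
        classes += 1
    if classes < 2:
        problems.append("only one character class")
    return problems
```

Running `check_password` over the four phrase-based passwords from the text returns no violations, while a pet's name alone or a name plus a birth date is flagged.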

Question: Can a home health agency post thank-you letters from patients on a bulletin board that can be seen by staff and other patients?

Answer: "In my opinion, they cannot post the letters unless the letters are de-identified so they no longer constitute protected health information," Gilliland says. "De-identification" is a process under the privacy rule by which health information is rendered no longer individually identifiable. "Typically, it requires removing all 18 identifiers stated in the privacy rule, including names, geographic subdivisions smaller than a state, most zip codes, telephone numbers, and medical record numbers," he says.