HIPAA Q&A

[Editor’s note: This column addresses specific questions related to Health Insurance Portability and Accountability Act (HIPAA) implementation. If you have questions, please send them to Sheryl Jackson, Hospital Home Health, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: sherylsmjackson@cs.com]

Question: Do the security regulations address wireless security? How does an organization make sure any of its wireless devices are in compliance with HIPAA regulations?

Answer: "The security rule does not distinguish between wireless and wired electronic transmissions," points out Robert Markette Jr., an Indianapolis-based attorney.

"You need to assess the risks associated with your wireless network in the same manner that you would assess the risks to your wired network. Obviously, the mode of attack on a wireless network can be different than an attack on a wired network," he says.

"With a wireless network, a hacker can usually sit outside of your office, such as in a parking lot, and intercept transmissions. Because the wireless transmissions are encrypted between the computer and the wireless router, a hacker needs to intercept packets of information to attempt to decrypt the transmissions," Markette explains.

"This means that the first thing you should evaluate is whether you can access your wireless network from outside of your office," he says.

"This can be done quite easily, Markette notes. "Simply take a laptop that is equipped for wireless networking and walk the exterior perimeter of your office," he says.

"Start in a place where people can be outside for a period of time without be detected such as a parking lot," Markette suggests.

Another wireless security issue to consider is employees who travel with laptops accessing electronic personal health information (EPHI) using public wireless hot spots, he points out. This is a situation in which EPHI may be transmitted in fashion with which the home health agency may not be comfortable, due to the potential for eavesdropping, Markette says.

For this reason, a home health agency may not want employees using their wireless-enabled laptops from public places or, in some cases, their homes unless the agency has tested the security of those locations.

[For more information, contact:

Robert W. Markette Jr., Attorney-At-Law, Gilliland & Caudill, LLP, 3905 Vincennes Road, Suite 204, Indianapolis, IN 46268. Phone: (317) 704-2400 or (800) 894-1243. Fax: (317) 704-2410. E-mail: rwm@gilliland.com]