HIPAA Mobile and Remote Computing Security Guidance from CMS

Today I received notice that the Centers for Medicare & Medicaid Services (CMS) just issued a new publication, “Security Guidance for Remote Use,” which is actually dated 12/28/2006.

“This document is intended to provide HIPAA covered entities with general information on the risks and possible mitigation strategies for remote use of Electronic Protected Health Information (EPHI).”


It provides basic, common-sense recommendations for securing mobile computing devices and remote work locations.
Covered entities (CEs) should review it closely, though, since it is issued by the regulatory oversight agency for the HIPAA Security Rule. Yes, it is true that there have not been any HIPAA penalties applied…yet. However, keep in mind we have a new Congress, and new pressures to safeguard all types of personally identifiable information (PII), along with getting more aggressive with regulatory enforcement. Plus, remember that the U.S. Department of Justice is also in the picture with regard to enforcement actions, which I blogged about a few weeks ago.
The paper emphasizes some of the important basics of information security that are HIPAA requirements that, unfortunately, far too many CEs still do not follow:

“Specifically, with respect to remote access to or use of EPHI, covered entities should place significant emphasis and attention on their:
• Risk analysis and risk management strategies;
• Policies and procedures for safeguarding EPHI;
• Security awareness and training on the policies & procedures for safeguarding EPHI.”

It is too bad the paper is not more directive about its recommendations. It often makes the statement that CEs “are strongly urged” to do what really MUST be done with regard to protecting PHI.
I am glad they discuss encryption as a risk management strategy for mobile computing devices containing PHI, but it still should have been required instead of offered as a “possible” strategy.

“Require that all portable or remote devices that store EPHI employ encryption technologies of the appropriate strength;”

Plus, they do not provide guidance on what they mean by “appropriate strength.” Many small to medium-sized CEs do not have dedicated information security personnel who can make the determination for what “appropriate strength” would be.
This paper certainly is a good start for a large majority of the CEs when addressing mobile and remote computing that involves PHI. However, it needs to go further to more clearly specify what actions CEs *MUST* take to adequately address the risks involved with storing PHI on mobile computing and storage devices, and accessing PHI from remote locations.
