Your Checklist for Getting Ready for HIPAA
17 Oct
Meet requirements without constraining workflows and impacting productivity
The HITECH Act has effected wide-ranging changes to HIPAA regulations, and the new regulations became effective September 23, 2013. These regulations force law firms that come into contact with protected health information (PHI) to enforce information security controls, protect confidential information, monitor information access, and track compliance.
Until now, the U.S. Department of Health and Human Services has been reluctant to audit or penalize law firms for lack of compliance with HIPAA data privacy and security rules, focusing instead on healthcare providers and related healthcare organizations. That has changed. For the first time, business associates, such as law firms, are directly liable for multiple provisions of HIPAA rules. If your firm does any kind of work for healthcare companies—doctors, hospitals, or pharmaceuticals—you are subject to the enhanced HIPAA regulations—and the penalties associated with them.
The requirements are basic—the impact problematic
The requirements are basic and what you would expect from any data privacy regulation: limit access to those who need access and encrypt PHI data. The question is, how do you meet these requirements without constraining workflows and impacting productivity?
For WorkSite firms, WorkSite 9 serves as a partial solution. However, it is lacking the functionality you need in two critical areas: limiting access and encrypting data when it is sent across the Internet. This best practice guide demonstrates how you can marry the strengths of WorkSite 9 with two Prosperoware products to make you HIPAA ready.
Your checklist: how to meet HIPAA security requirements
- Limit access to those who need access; Milan Confidentiality Management from Prosperoware
- Encrypt data “at rest” (stored in a variety of systems); Upgrade to WorkSite 9
- Encrypt data “in motion” as it’s sent across the Internet; Zone Secure Send from Prosperoware
- Encrypt data “in motion” as it’s sent across the network; Implement encrypted transfer in WorkSite 9
Moving to a “need to know” model
Under increased pressure from both clients and regulators to change their approach to information security, firms are now moving away from the “access for all” model to a “need to know” model. In law firms this means specifically limiting access to the team working the matter and not extending it to team members who have done other work for the client.
As firms move to the “need to know” model, they will need to limit access without creating information bottlenecks or driving frustrated users to work outside the document management system and its security controls.
Limit access with Milan Confidentiality Management
Milan Confidentiality Management from Prosperoware helps firms move to a “need to know” model without constraining workflows or impacting productivity. Milan makes it easy for small Risk teams to establish confidentiality policies and for users and the service desk to work within those policies. In Milan:
- Risk teams establish confidentiality policies, including self-service policies
- Self-service options give other users and the service desk “need-to-know” access
- Matter teams manage who has access to workspaces, folders, and subfolders
With Milan, security becomes a natural part of the workflow. It requires no IT support and does not impact productivity. Mechanisms to provide access to single documents without granting access to the matter are built into the system.
Risk teams establish the policies
Today, even the largest firms have few exclusionary policies compared to their number of active matters. However, as firms evolve to the need-to-know model, they will require inclusionary/exclusionary mechanisms to securely limit access.
The Policy Center in Milan Confidentiality Management makes it fast and easy for the Risk team to apply information barriers and establish standards of confidentiality to secure PHI across a variety of applications and business scenarios. The Risk management team defines the set of policy types they want to apply in different scenarios. They define which systems are affected by these policies, whether the policy applies at the client and/or matter level, whether notification is required, which notification to use, and the availability and level of self-service.
Risk teams can assign one of four self-service options to the matter:
- Anyone – no approval required
- With approval of matter owner
- With approval of Risk team
- No self-service permitted
A variety of interfaces are available to grant/deny and ask for access to a matter, folder, or single document according to the designated self-service level.
- Users can request access through a command in WorkSite, which sends an email request
- Users can also click on an NRL shortcut to start the process
- The approver, matter owner, or Risk team can click a link in the email to approve or deny access
- Users or approvers can also call the service desk to verbally request or grant/deny access
- The service desk grants or denies access and approves self-service requests based on the verbal approval
Matter teams manage who has access
Once a policy has been established by the Risk team in the Milan Policy Center, matter owners manage access to their matters. Milan gives the matter owner responsibility for identifying team members, managing folder structures, and keeping sensitive information confidential. Owners have the option to secure the entire matter or the option to secure some folders and not others, such as health records and client correspondence. Built-in controls keep matter teams from violating ethical walls.
- Owners have full control over their folder structures under Risk team policies
- Owners can control the security of folders and sub-folders as well as workspaces
- Owners add new team members with ease
- New team members are granted immediate, automatic access to the content they need
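The two sections above describe a policy model: the Risk team assigns one of four self-service levels to a matter, the matter owner or Risk team approves pending requests, ethical walls can never be overridden, and owners can secure individual folders or share a single document without opening the whole matter. The following is an added illustration of that decision logic in Python; it is not Prosperoware's code, and all names (`Matter`, `request_access`, `approve`, `can_open`, the sample users) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class SelfService(Enum):
    ANYONE = "anyone"               # no approval required
    MATTER_OWNER = "matter_owner"   # with approval of matter owner
    RISK_TEAM = "risk_team"         # with approval of Risk team
    NONE = "none"                   # no self-service permitted

@dataclass
class Matter:
    name: str
    owner: str
    policy: SelfService                                  # assigned by the Risk team
    team: set = field(default_factory=set)               # users with matter-wide access
    walled: set = field(default_factory=set)             # ethical wall: never granted
    secured_folders: dict = field(default_factory=dict)  # folder -> explicitly granted users
    document_grants: dict = field(default_factory=dict)  # document -> users granted that file only

def request_access(m: Matter, user: str) -> str:
    """Outcome of a self-service request, decided by the matter's policy level."""
    if user in m.walled:
        return "denied: ethical wall"
    if m.policy is SelfService.ANYONE:
        m.team.add(user)
        return "granted"
    if m.policy is SelfService.MATTER_OWNER:
        return f"pending approval by matter owner {m.owner}"
    if m.policy is SelfService.RISK_TEAM:
        return "pending approval by Risk team"
    return "denied: no self-service permitted"

def approve(m: Matter, user: str, approver: str, risk_team: set) -> bool:
    """Grant a pending request only if the approver matches the policy; walls are never overridden."""
    if user in m.walled:
        return False
    allowed = (m.policy is SelfService.MATTER_OWNER and approver == m.owner) or (
        m.policy is SelfService.RISK_TEAM and approver in risk_team)
    if allowed:
        m.team.add(user)
    return allowed

def can_open(m: Matter, user: str, folder=None, document=None) -> bool:
    """Team membership opens unsecured folders; secured folders and single-document
    grants need an explicit entry, so a file can be shared without opening the matter."""
    if user in m.walled:
        return False
    if document is not None and user in m.document_grants.get(document, set()):
        return True
    return user in m.secured_folders.get(folder, m.team)
```

A matter secured with the "With approval of matter owner" level leaves a request pending until the owner approves it, while a walled user is refused at every step regardless of who approves.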
Encrypting data “in motion” with Zone Secure Send
To satisfy HIPAA requirements, all data must be encrypted whether it is “at rest,” meaning stored on a system, or “in motion,” meaning sent across a network or the Internet. Zone Secure Send, which is integrated with Outlook, is a remote-access web client that transparently converts email attachments into secure links for data sent across the Internet. When recipients click the link, Zone prompts them to log in. The data remains secure because it stays behind the firewall.
Information governance is the business we’re in
Prosperoware has deep roots in the legal industry and information governance is our passion. We offer an integrated platform for information governance that aligns all the foundational processes that affect security and makes security part of the natural workflow.