Hipaa Compliant Networking/File Sharing

gmc8757

Member
Feb 9, 2005
I have a question, not sure this is the right forum but correct me if I'm wrong. Does anyone have any good resources for being HIPAA compliant when it comes to file sharing? We have this one huge file share on one of our servers, and the VP would like to meet about this share's HIPAA compliance.

Not everyone has permission to this share. We grant certain groups permissions, but a lot of people do have permission to the share, which scares me a little. Any input on this would be great. Thanks a lot.
 

netsysadmin

Senior member
Feb 17, 2002
Have you ever dealt with anything HIPAA related? If you have, you will find that most of the guidelines are not solidly defined. Most of the regulations are left up to you to determine what fits your organization. Here are some basic ideas of what you need to do. You want to limit access to the least amount of permissions needed for each user to do his/her job. You also want to have auditing enabled on those folders so you can determine if someone is accessing something they shouldn't be going into, such as a medical record that they may not need. Like if they looked up a friend's info just to see what illness a person has...etc. Aside from that you need to make sure EVERYTHING is documented. Disaster recovery plan. Access to the server room logs, changes to servers, surplusing of equipment.....etc. There is a ton of stuff that needs to be covered!!!

What kind of business are you? Are you a healthcare facility that may be able to tap resources from above as to what you need to do to meet the regs?

Here is some HIPAA info and regulations:
HIPAA regulations and info

John
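A concrete way to act on the two technical points in the post above (least privilege on the share, and auditing on the folders) is shown below. This is an added example, not code from the thread or any poster; it assumes a Windows file server, an elevated session, the ActiveDirectory RSAT module, and a hypothetical share path `D:\Shares\ClinicRecords`.

```powershell
# Added example, not from the thread. Assumes a Windows file server,
# the ActiveDirectory module, an elevated session and a hypothetical path.
$SharePath = 'D:\Shares\ClinicRecords'   # hypothetical share path
$BroadPrincipals = 'Everyone', 'Authenticated Users', 'Domain Users', 'BUILTIN\Users'

# 1. Least-privilege review: list every ACE on the share, expand domain
#    groups to their members, and flag principals that are company-wide.
function Get-ShareAccessReport {
    param([string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $id = $ace.IdentityReference.Value
        $members = @($id)
        if ($id -match '^(?!BUILTIN|NT AUTHORITY)[^\\]+\\(.+)$') {
            try { $members = @(Get-ADGroupMember -Identity $Matches[1] -Recursive -ErrorAction Stop |
                              Select-Object -ExpandProperty SamAccountName) }
            catch { }   # not a group (a single user) or AD not reachable: keep the name
        }
        [pscustomobject]@{
            Principal   = $id
            Rights      = $ace.FileSystemRights
            Type        = $ace.AccessControlType
            MemberCount = $members.Count
            TooBroad    = [bool]($BroadPrincipals | Where-Object { $id -like "*$_" })
        }
    }
}
Get-ShareAccessReport -Path $SharePath | Sort-Object MemberCount -Descending | Format-Table -AutoSize

# 2. Auditing: enable the File System subcategory once, then add a SACL to
#    the folder. Reads make the log chatty, so scope this to the records
#    subtree rather than the whole share.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, ChangePermissions'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone', $rights, $inherit, [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $SharePath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Reviewing the trail: each audited access is Security event 4663.
#    Grouping by account and object answers "who looked at what".
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1) } |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{ User   = ($d | Where-Object Name -eq 'SubjectUserName').'#text'
                           Object = ($d | Where-Object Name -eq 'ObjectName').'#text' }
    } | Where-Object Object -like "$SharePath*" |
    Group-Object User, Object | Sort-Object Count -Descending | Select-Object -First 20
```

Step 3 is what makes the "chatty" audit log usable: rather than reading raw events, you review a daily summary of which accounts touched which records and look for accounts that have no business reason to appear there.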
 

gmc8757

Member
Feb 9, 2005
I really appreciate your post John. We're a very unique not-for-profit agency where we care for challenged people of all ages. We have a school, a clinic (just like a hospital), cafes, farms, just about everything. So we do deal with healthcare and education. I've been here for 6 months and I'm very new to HIPAA regulations. Don't know much about it at all.

Documenting everything is something we need to start with. We do very little of this so far.

Anything I can tell the VP about this one share that they'll ask about? Besides that people who need access have access, those that don't need access, don't have it.

File auditing is another thing we'll have to look into. It's a very chatty thing isn't it? What's the best way to deal with this?
 

yuppiejr

Golden Member
Jul 31, 2002
Depending on how big your organization is you may want to hire an independent consultant & audit firm to work with you on getting the appropriate business practices in place. As John said, HIPAA "rules" are tailored to fit your individual organization and its tolerance for risk, so it's always nice to have an expert advise you through the process. Sometimes a thorough "self-audit" is adequate and sometimes a full independent assessment and certification of the results will be required.

One practice I've found seems to cross all of the various regulatory compliance initiatives we've been through lately (HIPAA, PCI, SOX, etc.) is the segregation of duties for data/system access approval. For example, a client requests access to your network share - this request should go to a business/compliance team for review and approval, then be forwarded to a technical team to execute the security change. This procedurally (though not always technically) prevents a single individual from granting access to anyone, including themselves, in the organization without appropriate oversight from a third party.

The documentation items John covered above are also common across these efforts and are important for a well run IT group to have in place. The "wait until a problem happens and deal with it" approach will not cut it in a business that deals with healthcare, credit card or other sensitive personal data that could compromise a person's privacy or lead to identity theft, fraud, etc.
 

gmc8757

Member
Feb 9, 2005
I would like to do everything we can to be HIPAA compliant, then hire a firm to help us with the rest. We're not a huge place, but not a small one either.

I like your example of the client's request to access a network share first going to someone else, then coming to us. This is how we do it now, so the VP should like that.

Anything else I can say specific to network shares that you guys know of?
 

netsysadmin

Senior member
Feb 17, 2002
gmc...I wrote our whole security design plan for our HIPAA compliance, so I have had quite a bit of exposure to the HIPAA regs. I would really suggest hiring an agency from the beginning. The hardest part of HIPAA is identifying where you fit in within the whole mess. An outside company will come in and audit everything to help you get on track. I don't think we would have ever been able to get our HIPAA plan in check without help. Fortunately I was working at a large university that helped determine what we needed to do. Even though they were basic guidelines, it did help us get a place to start!

John
 

gmc8757

Member
Feb 9, 2005
Thanks John. I think we may have to go that route. I just want to be prepared for this meeting early next week so I need to tell them where we stand now. But not really knowing or understanding the regs, it's difficult to say where we stand. There's no simple checklist of IT security for you to work from. That would be too easy!
 

netsysadmin

Senior member
Feb 17, 2002
Yeah, the feds basically said...this is kind of what we want you to do, but we won't give you any solid info on how to achieve it. I honestly believe nobody completely knows how to be HIPAA compliant!!:shocked:

John
 

cmetz

Platinum Member
Nov 13, 2001
gmc8757, HIPAA is a typical government regulation. There are a bunch of requirements, not too well defined in the law, with tons of bureaucratic "clarifications" and rulings, and a constantly moving target.

If you have money, the best approach is probably to hire a HIPAA consultant, do what they tell you to do, and document, document, document. That way you can at least show a good faith effort to comply with the rules. HIPAA consultants vary wildly in competence level. After all, this is more or less computer security, and the snake oil salesmen outnumber clueful folks by a wide margin.

If you don't have money, do some reading on the web, and really look for commercial best practices with computer security. Other folks have mentioned good general rules - least privilege, make sure there's a good documented definition of how you assign privileges to people, and log as much as you can. Also be very very careful about how anything might connect to any offsite network, either the public Internet or any vendors/contractors etc.
 

Oakenfold

Diamond Member
Feb 8, 2001
This may help you out; it's on the link that John provided you, on the CMS page under security standard: HIPAA Security Guidance for Remote Access to Electronic Protected Health Information
As others have stated, there doesn't really seem to be a guide that states do x, y, z to be in compliance.

Do you have a compliance officer at work? If so, you should seek guidance from them. Also, if you have an audit department it may pay to have management express your concerns; there may be an even larger problem than with E-PHI. Does your company have a HIPAA policy? A HIPAA procedure? A HIPAA compliance program? Do employees receive HIPAA training?

I know these questions are not relevant to your area (assuming you work in IT) but these may indicate a larger problem that goes beyond file sharing.
 

gmc8757

Member
Feb 9, 2005
Oakenfold, you're absolutely right. We do have a bigger issue here because I answered "no" to just about every question you asked. We don't have an officer, we don't have a policy or procedure, and employees don't get trained. We'll see what the VP has to say today. Hopefully they understand it's difficult for us to know what we have to do to be compliant.
 

netsysadmin

Senior member
Feb 17, 2002
Just inform the higher-ups that the fines for a HIPAA violation are pretty substantial. Also, most times the place that had some form of HIPAA violation will end up in the media spotlight, which most times will cause a severe loss of revenue and/or closing of the business. So if you weigh the fees of a HIPAA consulting group against the fines for a violation, you will find that it is more economical to get your stuff straight now and not later!!

John
 

Oakenfold

Diamond Member
Feb 8, 2001
Originally posted by: netsysadmin
Just inform the higher-ups that the fines for a HIPAA violation are pretty substantial. Also, most times the place that had some form of HIPAA violation will end up in the media spotlight, which most times will cause a severe loss of revenue and/or closing of the business. So if you weigh the fees of a HIPAA consulting group against the fines for a violation, you will find that it is more economical to get your stuff straight now and not later!!

John

John, you made an excellent point here, and this argument alone should sell management on the buy-in to get this in the budget NOW. The cost of being proactive is far less than the cost of attempting to be in compliance after the fact.

A quick Google reveals this info; be advised this is from a website that is not official, so take it with a grain of salt. Keyword FINE

Fines for Non-Compliance

Under "General Penalty for Failure to Comply with Requirements and Standards" of Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996, Section 1176 says that the Secretary can impose fines for noncompliance as high as $100 per offense, with a maximum of $25,000 per year on any person who violates a provision of this part.

Under "Wrongful Disclosure of Individually Identifiable Health Information," Section 1177 states that a person who knowingly:

o uses or causes to be used a unique health identifier;
o obtains individually identifiable health information relating to an individual; or
o discloses individually identifiable health information to another person,

* shall be fined not more than $50,000, imprisoned not more than 1 year, or both:

* if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and

* if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
As John pointed out, the above only references penalties for non-compliance, wherein the bigger risk may lie in reputation risk to the company, which can be tremendous.
Also, here's a direct link to a PDF on the Department of Health and Human Services website that goes into great length explaining PHI and HIPAA compliance assistance: Privacy Summary Rule

Let us know how the meeting with the higher-ups goes.

 