HIPAA Security Emphasis

Prior to the end of support of Windows 7 in January 2020, many covered entities are still working to upgrade their operating system to Windows 10. We have published an article in the October issue of the Advisor® that warns of some documented security vulnerabilities within Windows 10 that must be considered in properly configuring the newer operating system. Following is a link to a whitepaper for proper configuration of Windows 10 (that was issued jointly by Microsoft and HIPAAOne) that you may share with your IT vendor or personnel: https://www.hipaaone.com/wp-content/uploads/2019/06/HIPAA-Compliance-Microsoft-Windows-10.pdf

In addition, the article describes two aspects of a Security Risk Analysis that HHS has recently emphasized. The first is in regard to an asset listing, which is generally addressed in contingency planning. While this list may be helpful in rebuilding the network/information system following a disaster, HHS emphasizes that the listing should first serve as a thorough inventory of all devices that receive, store or transmit EPHI so that appropriate security measures can be considered for each. And lastly, an asset listing will help practices with multiple locations track the location of devices.

The second item of emphasis is a recommendation from HHS that covered entities establish a business associate listing. It is recommended that any time the services of a new vendor are engaged, the practice determine whether the vendor will qualify as a business associate. If so, the business associate should be recorded in a listing, along with contact information and a description of the services the BA provides. A Business Associate Agreement must be established with such entities prior to providing access to or sending the BA any protected health information. When a covered entity is audited by the Office for Civil Rights, a business associate listing will be requested. Establishing the list prior to an audit will ensure that your practice is able to respond quickly and confidently to the request.

Please see the article in the October 2019 Advisor® for more details.