New HIPAA rules shine light on remote access controls

March 1, 2010 — 7:44am ET | By Neil Versel

Tools

Tags
data security
Health Insurance Portability and Accountability Act (HIPAA)
privacy
encryption
Breach Notification
Remote Access
Covenant Health
Apgar and Associates

The new rules on HIPAA breach notification, which became enforceable Feb. 17, and the related, tougher penalties for privacy and security violations, mean healthcare organizations and business associates alike need to be more vigilant about data security. A common source of data breaches, and an area where hospitals need to tighten up security, some experts say, is remote access to networks.

"There is spotty, inconsistent application [of remote-access controls], especially when using personally owned computers," John Parmigiani, a security consultant who wrote the proposed HIPAA security rule, tells AIS Health's Report on Patient Privacy.

"I have had clients compliant with regards to remote access, but they are in a minority," adds Sean Lee, a senior auditor for HIPAA consulting firm Apgar and Associates. "The biggest mistake I see people making is transmitting PHI unencrypted over an open network," such as the Internet.

Covenant Health, Knoxville, Tenn., is addressing security by being selective about who is granted remote access. Those who are approved are limited in the type of data they can view remotely and receive a fob that generates a one-time password each time they log on to the network. Remote users are prohibited from downloading or printing data sent over the network, except in limited circumstances.

For more strategies to safeguard data for remote access:
- read this Report on Patient Privacy story

Post a comment

SHARE WITH: