publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/503802
ILTA WHITE PAPER: APRIL 2015

ΦΔΙΓ: TIPS ON RUSHING THE HIPAAST LAW FIRM FRATERNITY

Conduct a Risk Analysis/Assessment on Systems Containing PHI: A key first step to complying with the HIPAA Security Rule is to conduct a thorough risk assessment of threats and vulnerabilities to the confidentiality, integrity and availability of electronic PHI within firm systems. There are multiple risk assessment methodologies available to help structure the assessment, including ISO 27005 and NIST Special Publication 800-30. Risk assessment results will help the firm prioritize remediation activities and guide compliance efforts.

Define and Implement an Access Control Approach: Most law firms struggle to satisfy the "minimum necessary" requirement of the HIPAA Privacy Rule because they have traditionally granted lawyers and staff open-by-default access to documents saved to the DMS and other information repositories. The "minimum necessary" standard, by contrast, requires that firms make reasonable efforts to restrict access to PHI to those who need it to perform a given function. But what is reasonable varies with firm size, budget and culture. Some firms require that all PHI be stored on the DMS, locking down information at the matter level and restricting access to matter teams. Others could discover that most PHI resides in one practice group; for them, it might be best to implement a role-based access control strategy where select practice group members have access to a secure file share housing PHI. Firms with strong knowledge management initiatives might prefer to secure PHI at the document level to leave work product available for reuse. What matters is that firms balance security with productivity, justifying and documenting their approach for possible audits.

Encrypt Email and Data at Rest: While encryption is only an addressable specification of the HIPAA Security Rule, firms should consider updating information security policies to require encryption on email transmissions containing confidential client information or PHI. Many firms are also updating their DMS to encrypt data at rest.

Backup Systems and Test Backups Regularly: Maintaining redundant backup systems that mirror production systems' information and security controls is a crucial component of the business continuity requirements of the HIPAA Security Rule. Backup information should be stored in a remote location, and the firm should ensure security controls are also redundant on critical systems containing PHI.

Hone Incident Response Plans: Given the 60-day reporting requirement for any breaches of PHI, firms should define roles and responsibilities for incident response, including:
• How firm employees report potential events
• Who analyzes reported events to deem them escalated incidents
• Who manages incidents
• Who reports incidents to external parties

What's the Difference Between Addressable and Required Specifications?

According to the hhs.gov website, if an implementation specification is described as "required," the specification must be implemented. "Addressable" implementation specifications provide covered entities additional flexibility. They can:
(a) Implement the specifications
(b) Implement one or more alternative security measures to accomplish the same purpose
(c) Neither
If choosing option "c," your firm must document the decision, noting whether the addressable specification is a reasonable security measure to apply within your security framework.
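The two access control approaches described above (matter-level lockdown for matter teams, and a role-based policy for a practice group that holds most of the PHI) both reduce to a deny-by-default decision per document. The following is an added illustration, not code from the white paper or from any DMS vendor; the document and user records are constructed, and the field names (`contains_phi`, `phi_handler`, `matters`) are assumptions standing in for whatever classification and staffing data a firm's DMS actually carries. Every decision is logged, since the incident response roles above depend on someone being able to find denied attempts against PHI after the fact.

```python
"""Deny-by-default "minimum necessary" access checks for PHI documents.

Added example with constructed data; not the white paper's own code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Document:
    doc_id: str
    matter_id: str
    practice_group: str
    contains_phi: bool  # assumed: set by a document-level classification step


@dataclass(frozen=True)
class User:
    user_id: str
    practice_group: str
    matters: FrozenSet[str]  # assumed: matters the user is staffed on
    phi_handler: bool = False  # assumed role: designated PHI handler in the group


@dataclass(frozen=True)
class AccessDecision:
    user_id: str
    doc_id: str
    policy: str
    allowed: bool


Policy = Callable[[User, Document], bool]


def matter_team_policy(user: User, doc: Document) -> bool:
    """Matter-level lockdown: PHI documents open only for the matter team."""
    if not doc.contains_phi:
        return True  # non-PHI work product stays open for reuse
    return doc.matter_id in user.matters


def practice_group_rbac_policy(user: User, doc: Document) -> bool:
    """Role-based: only PHI handlers inside the owning practice group."""
    if not doc.contains_phi:
        return True
    return user.practice_group == doc.practice_group and user.phi_handler


def authorize(user: User, doc: Document, policy: Policy,
              log: List[AccessDecision]) -> bool:
    """Evaluate a policy, fail closed on any error, and record the decision."""
    try:
        allowed = bool(policy(user, doc))
    except Exception:
        allowed = False  # a broken policy must never grant access
    log.append(AccessDecision(user.user_id, doc.doc_id, policy.__name__, allowed))
    return allowed


def denied_phi_attempts(log: List[AccessDecision],
                        docs: Dict[str, Document]) -> List[AccessDecision]:
    """Denied requests against PHI documents: the events an IR lead reviews."""
    return [d for d in log if not d.allowed and docs[d.doc_id].contains_phi]


# Constructed sample data (not real matters, users or documents).
DOCS: Dict[str, Document] = {
    "m1-phi": Document("m1-phi", "m1", "healthcare", contains_phi=True),
    "m1-memo": Document("m1-memo", "m1", "healthcare", contains_phi=False),
}
USERS: Dict[str, User] = {
    "alice": User("alice", "litigation", frozenset({"m1"})),
    "bob": User("bob", "litigation", frozenset({"m2"})),
    "carol": User("carol", "healthcare", frozenset({"m1"}), phi_handler=True),
    "dave": User("dave", "healthcare", frozenset({"m1"})),
}

if __name__ == "__main__":
    log: List[AccessDecision] = []
    for policy in (matter_team_policy, practice_group_rbac_policy):
        for user in USERS.values():
            for doc in DOCS.values():
                authorize(user, doc, policy, log)
    for d in denied_phi_attempts(log, DOCS):
        print(f"DENIED {d.user_id} -> {d.doc_id} under {d.policy}")
```

Note that the two policies disagree on the same request: alice is on matter m1, so the matter-team policy admits her to the PHI document, while the practice-group policy rejects her because she sits outside the healthcare group. That disagreement is exactly the trade-off the text describes, and the chosen policy (with the reasoning behind it) is what the firm documents for an audit.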