This page contains a Flash digital edition of a book.
COVER STORY


“Policies and education are probably the best preventative measures,” Scara- no says. “ASCs need to have up-to-date policies in place and need to educate their people.”


These policies, he adds, should ad- dress a number of areas. “Facilities need to have a good, strong breach notification policy that, when trig- gered by a report or a suspicion of a breach, results in an investigative pro- cess. That process should be effective in determining whether, in fact, there was a breach and in taking the facil- ity through the mitigation steps that it should engage in, including the re- quired notification,” Scarano says. Habte adds, “In terms of breach no- tification policies, it’s important for pro- viders to be aware of all their reporting responsibilities under HIPAA, as well as state law reporting responsibilities


and notifications of patients if required. State law and federal law have different timelines and different definitions, so they apply differently.” HIPAA requires providers to have a


policy concerning and governing por- table media, Jenkins says. “It doesn’t say you can’t use laptops or USB drives, but if you do use a portable device, you must have a policy that explains how it should be checked in and out and the need to destroy the data when it’s no longer used.” “Many USB sticks come with en-


cryption built into them,” Clark adds. “You just have to enable it. They need to be encrypted in case they are set in the wrong spot. That should also apply to laptops and even voicemails. Most of us have our voicemails protected by a pin so a random user can’t retrieve


them. That same logic needs to apply to portable devices.” ASCs should have a security policy that addresses the specific risks that they face in their particular environ- ment, Habte says. “That extends to mobile devices, data stored in copiers, etc. It’s also important not just to have a policy but to have a policy that is ac- companied by procedures that really identify who is responsible for doing what and making sure that security is in fact adequately protected.” ASCs also need to consider and ad- dress the potential risks for breaches when working with vendors, she says. “Business associate agreements have been required for a long time, but until the breach notification rules came out, there wasn’t much liability associated with these contracts. If a business associ- ate breaches the PHI, the business asso-


14 ASC FOCUS MAY 2013


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38