HIPAA

O365 Security

  • 1.  O365 Security

    Posted 06-19-2020 05:32 AM
    Hello, my health system uses Office 365 and the intranet product called SharePoint that comes along with it.  I'm looking for reassurance regarding the use of PHI on the SharePoint platform.  We do have an appropriate BAA in place, so I know we're good there.  But my main concern is the use of PHI on SharePoint pages that do not have access controls applied to them.  In other words, if a workforce member publishes a report containing PHI on a SharePoint page that the entire workforce has access to and can view, would it technically be considered a HIPAA violation?  I'm pretty sure this breaks the Security Rule, and it would be lower risk because it would only be accessible to the internal workforce, but without access controls, monitoring, etc. applied, this would essentially be a HIPAA violation that we would not want to happen.

    Please weigh in, I need some feedback about this.

    Thanks!

    ------------------------------
    Benjamin Hutchins
    Business Intelligence Analyst
    Spectrum Health System
    Grand Rapids, MI
    ------------------------------
    19th Annual CEI Virtual Conference


  • 2.  RE: O365 Security

    Posted 06-19-2020 08:01 AM
    Benjamin,
    I am not a SharePoint expert but I have some experience using early versions.

    Microsoft does have a Business Associate Agreement they have published publicly for Office 365 products. If you maintain your O365 access licensing through a third-party vendor, it may be the third party you have the BAA with. It is very important that you read and understand in fine detail what that agreement covers and what it does not. Your organization needs to have that understanding from both a legal and a technical perspective. That's step 1, but it is insufficient to ensure proper protection of your patients' PHI.

    Step 2 is to understand where and how all of your data is created, received, maintained, accessed, or transmitted (many of us use the acronym CRMAT, pronounced "cremate") and all the internal and external risks associated with those activities. That would be the security risk analysis as far as your use of O365 and SharePoint are concerned.

    Then you need to determine and document how those risks will be mitigated, abated, monitored, and controlled. That is your risk management plan.

    Finally, you need to monitor the system and the controls implemented in a way that any breaches of security are likely to be detected.

    If you are using a third-party vendor or an I.T. provider, they may have all that in place. What they are not likely to have is documentation for those activities. You need to insist that the documentation is created and available to you. In the event of a security incident or breach, OCR is not going to accept "Our vendor takes care of that"; they are going to want you to produce your copies of the documentation showing that the vendor not only agreed to take those actions but that the actions have actually been taken.

    Over the years I have worked with clients who have followed that advice and some that didn't. I have historically been gentle in my recommendations about dealing with vendors who were reluctant to provide the detailed documentation needed to ensure compliance. These days my perspective has changed. My personal stance is that if you have a vendor who does not understand the importance of implementing and documenting the compliance activities, that vendor does not understand the requirements of HIPAA and you need a new one.

    I hope this is useful. Keep asking questions. The great thing about this group is you will get opinions when you ask for them.

    Happy Friday
    -Alex-
    Alexander I Slosman, MHA, CHC, CHPC


  • 3.  RE: O365 Security

    Posted 06-20-2020 07:01 AM
    This is great feedback.  Thank you, Alexander.  We've done our due diligence on the legal and technical aspects of the contractual relationship with Microsoft and their Office 365 product.  So we are good there.  My main point of emphasis that I'm looking for reassurance on is posting documents onto the O365 SharePoint product (which serves as an internal workforce intranet).  This SharePoint product allows the ability to create private team pages, where access controls can be put in place.  When a workforce member places a document containing PHI on a public workforce page on the workforce intranet, at what point does it become a HIPAA Security violation?  The moment it's posted, or the moment the wrong individual accesses it?

    Thanks for your help with this.

    ------------------------------
    Benjamin Hutchins
    Business Intelligence Analyst
    Spectrum Health System
    Grand Rapids, MI
    ------------------------------


  • 4.  RE: O365 Security

    Posted 06-19-2020 08:25 AM

    I agree with Alexander's excellent reply and would like to add: educate your workforce that if they post something to SharePoint that contains PHI that other members do not need to see/know to do their jobs, it could possibly be a HIPAA violation (impermissible use, or maybe even a breach, depending on the risk assessment).  It is the same as if it were an actual piece of paper with PHI on it and they physically shared it with someone who had no need to know.  Educate them to de-identify reports first!  For example, we see a quarterly Risk Management report, but the report has been de-identified so there are no patient names, medical record numbers, etc. contained in it.

    Cinda



  • 5.  RE: O365 Security

    Posted 06-20-2020 07:09 AM
    I am in total agreement with this, Cinda.  Thank you.  This is excellent feedback.  The SharePoint product gives the ability to create private pages if needed.  I'm pretty sure that if the access controls and the content used are appropriate for the duties of whoever is accessing the PHI on a private SharePoint page, that qualifies as being in alignment with HIPAA and appropriate use.  What I'm really trying to reassure myself on is that when a private page is not used, and workforce members post PHI for the entire workforce to access and see, this type of activity and situation is not in alignment with HIPAA and the appropriate security measures needed in order to comply with the law.  For the scenario where a non-private page is used, exactly at what point is it considered a HIPAA violation?  The moment it's posted, or the moment the wrong individual accesses it?

    Thanks for your help with this.

    ------------------------------
    Benjamin Hutchins
    Business Intelligence Analyst
    Spectrum Health System
    Grand Rapids, MI
    ------------------------------


  • 6.  RE: O365 Security

    Posted 06-22-2020 08:58 AM

    If it is accessible to those who would not need to see it to do their jobs, I would say the moment it's posted, the poster has committed a HIPAA violation (impermissible use). That's not exactly safeguarding/protecting the PHI, is it?

    Cinda