HHS SPI (SECURITY AND PRIVACY INITIAL INQUIRY)
Section C of the Security and Privacy Initial Inquiry (SPI) deals with your electronic systems. If your business DOES NOT store, access, or transmit Texas HHS Confidential Information in electronic systems (e.g., laptop, personal use computer, mobile device, database, server, etc.) you simply check off the box labeled “No Electronic Systems”, and “YES” will be entered for all questions in this section. HOWEVER, we believe this is a huge red flag for any auditing agency or other regulatory body. Almost no one operates without an electronic device, so think long and hard before you check this box off. Section C also has a whole new question 19 that we’ll address in this blog.
Section D is simply the signature portion, which can be digitally signed. It also contains instructions for emailing the completed SPI to the provider’s Texas HHS Contact Manager(s). However, most providers do not know, or do not have, the email address (or other contact information) for their Contact Manager. Also, since the SPI is now considered Attachment 2 of the DUA, and the DUA has to be mailed in as a hard copy, it seems sensible to print the SPI off, attach it to the DUA and post the whole package together. It might also be a good idea to have the package tracked, if you can, so you have evidence of delivery. We will not address Section D again.
We must point out that anyone reading any of our blogs/articles (including those relating to the SPI and DUA series) is strongly advised to read the root documents for themselves. As a separate service Focused Software also offers help with answering your regulatory questions – just give us a call!
For any questions answered “No,” an Action Plan for Compliance with a Timeline must be documented in the designated area below the question. The timeline for compliance with HIPAA-related requirements for safeguarding Protected Health Information is 30 calendar days from the date the SPI form is signed. Compliance with requirements related to other types of Confidential Information must be confirmed within 90 calendar days from the date the SPI is signed.
Please print off a copy of the SPI so you can refer to the questions as we go along.
Question C19 is a whole new question that deals with the new Texas Cybersecurity Act, data vulnerability and penetration testing.
C1.
Discussion: If a provider wishes to access, create, disclose, receive, transmit, maintain, or store Texas HHS CI outside of the USA, then they should first ascertain that all technical requirements given in C1 are met (and you should be able to provide corroborating written evidence thereof) at the time express written permission is sought from HHS. Both SPI B1k and C1 requirements must be met BEFORE the offshore handling of Texas HHS CI starts. As we discussed in our previous blog (SPI Section A, question B1k), getting express written permission from Texas HHS for this offshore handling of CI is likely to be difficult if the IDD service provider/corporation is based in the US (please see the discussion of B1k for more details). If you trust Focused Software with your electronic documentation needs, you can answer ‘Yes’ with confidence! Focused Software servers are maintained in the US and in complete compliance.
C2.
Discussion: Yes – the state realizes that you signed up to provide care for your clients, not to be IT consultants. However, it still expects you to have an IT security-knowledgeable person or company to maintain or oversee the configurations of your computer systems and devices. This person will usually have a background and experience in IT. If you use Focused Software then we keep up to date with software configurations for your EHR. Regarding hardware, upon request, we can have our vetted partners reach out and help you get your PCs, laptops, tablets and even phones up to code. Focused also offers Privacy Officer consulting services that come with free in-service training and assessments. Our partners offer contracted Information Technology Security Official consulting services. Just ask!
C3.
Discussion: Each EHR should have a process that guides administrators through registering employees who will have access to confidential information (CI). Providers should carefully consider the duties each employee performs (i.e., their ‘Authorized Purpose’) and have a formal process that only grants employees access to the CI needed to perform those duties. Employees with access to CI must also be registered Authorized Users.
C4.
Discussion: Strong passwords (requiring a minimum of 8 characters with a combination of uppercase, lowercase, special characters, and numerals) are an essential part of data protection. For Focused Software clients, the issuance of unique usernames, passwords, credential access and branch/contract restriction is part and parcel of the formal employee registration process. It is mandatory that, upon request, each company must be able to provide evidence such as a screenshot or a system report. This is easily done with Focused! If you get a request from HHS for evidence, just ask – we’re here for you!
C5.
Discussion: All staff who access CI (including direct support staff, occasional sub-contractors, volunteers, host home carers and students) must have unique user names and passwords. Again, this is super easy with Focused, as all of your employees can be registered (inactive) in the system at no extra cost, so it doesn’t matter whether they access the system a lot or a little. Because they are already registered, whenever they need access to the system you simply activate their profile and they’re ready to go!
C6.
Discussion: Again Focused has you covered. Our EHR automatically locks users out after 5 failed attempts and forces a fresh login after 15 minutes of inactivity.
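As an added illustration of the account rules in C4, C5 and C6 (our own example, not code from Focused Software’s EHR or from the SPI), the following Python model enforces exactly the parameters named above: unique usernames, passwords of at least 8 characters drawn from all four character classes, lockout after 5 failed logins, and a forced fresh login after 15 minutes of inactivity. The `AccessControl` and `Account` names and the use of salted PBKDF2 for credential storage are our assumptions, and timestamps are plain seconds so it runs offline.

```python
import hashlib, hmac, os, string
from dataclasses import dataclass

MIN_PASSWORD_LEN = 8          # C4: minimum password length
MAX_FAILED_ATTEMPTS = 5       # C6: lock the account after 5 failed logins
IDLE_TIMEOUT = 15 * 60        # C6: seconds of inactivity before a fresh login

def password_meets_policy(pw):
    """C4: at least 8 characters with upper, lower, digit and special character."""
    kinds = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    return len(pw) >= MIN_PASSWORD_LEN and all(any(k(c) for c in pw) for k in kinds)

def _hash(pw, salt):  # salted PBKDF2 (assumed here): never store the plaintext password
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    last_activity: "float | None" = None   # None = no live session

class AccessControl:
    def __init__(self):
        self.accounts = {}

    def register(self, username, pw):
        """C5: one unique username per person; no shared or duplicate logins."""
        if username in self.accounts or not password_meets_policy(pw):
            raise ValueError("duplicate username or password fails the C4 policy")
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, _hash(pw, salt))

    def login(self, username, pw, now):
        acct = self.accounts.get(username)
        if acct is None or acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return False   # unknown or locked account; stays locked until an admin resets it
        if not hmac.compare_digest(_hash(pw, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            return False
        acct.failed_attempts, acct.last_activity = 0, now
        return True

    def session_active(self, username, now):
        """C6: call on every request; more than 15 idle minutes ends the session."""
        acct = self.accounts[username]
        if acct.last_activity is None or now - acct.last_activity > IDLE_TIMEOUT:
            acct.last_activity = None   # forces a fresh login
            return False
        acct.last_activity = now        # activity refreshes the idle timer
        return True
```

Each request a user makes should go through `session_active` first, so that a device left unattended drops back to the login screen on its own.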
C7.
Discussion: It’s a no-brainer that remote access to your EHR should be restricted, but is the data also sufficiently encrypted while being transmitted as well as stored? This includes the FIPS 140-2 validated encryption that is required for Health Insurance Portability and Accountability Act (HIPAA) data, Criminal Justice Information Services (CJIS) data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare & Medicaid Services (CMS) data.
Focused EHR not only encrypts your data but you can restrict certain staff to only accessing client data on-site. Once they leave the company premises all access is denied! How awesome is that?!
C8.
Discussion: It is mandatory that you set the security configurations for all computers and systems that access or store Texas HHS Confidential Information such that non-essential features/services (for example games, social media sites) are removed or disabled to reduce the threat of breach and to limit exploitation opportunities for hackers or intruders. Don’t forget to secure your printers and third-party software so that recently created files are not easily retrievable. If you don’t know how to do this, or just don’t have the time, our vetted managed network partners will work with you to recommend computer security configurations and systems that are up to code.
C9.
Discussion: This is mostly about common-sense, practical efforts to protect CI/PHI, such as limiting access by non-Authorized personnel to your sensitive work areas, and locking office cabinets and doors that contain laptops, tablets and paperwork. A frequently forgotten precaution: always lock your laptops and handbags/briefcases in the trunk of the car when you leave. Most cases of theft are simply spur-of-the-moment decisions made by the thief – they won’t steal what they can’t see!
C10 and C11.
Discussion: Almost all providers transmit data via the internet and store CI on electronic devices; therefore, encryption is required for their clients’ CI. Focused Software clients’ CI is securely encrypted while in transit, and our vetted partners will assist you and your team in ensuring that all of your hardware is up to code. Remember that the use of usernames, passwords and biometric technology (such as fingerprint authentication) to access hardware, email and other services is also essential. You may be asked by HHS to provide evidence of such encryption and, you guessed it again, Focused is happy to help if this occurs! Remember, FIPS 140-2 validated encryption is required for different types of HHS CI.
C12.
Discussion: This question concerns the practical application of the ‘Authorized Users’ policies and procedures addressed in our previous SPI Section A blog. Your answers across these 4 questions (A1a, A1g, A1h and C12) should be consistent. Use Focused Software’s online, completely paperless in-service features to have your staff formally acknowledge having received the rules and reviewed the systems outlining their responsibilities for protecting Texas HHS Confidential Information before their access is provided.
C13.
Discussion: Performing criminal background checks on your staff protects both you and your clients. Keep track of background checks, personnel requirements, copies of credentials/documents as well as set expiration reminders for things like OIG checks and much more with Focused Software’s personnel checklist feature.
C14.
Discussion: Providers are expected to make sure that all subcontractors handle client information as carefully as they would. As evidence of this, you must get all subcontractors to sign a legal document attesting to the fact that they understand their responsibilities regarding CI/PHI and agree to be bound by the relevant regulations. Attachment 1 of the Data Use Agreement (DUA) is a subcontractor agreement created by Texas HHS that contains all of the clauses listed in question C14. So, if you are a provider based in Texas, whenever possible have your subcontractor(s) sign the Texas HHS Subcontractor Agreement. Some companies refuse to sign any data use agreements other than their own. However, Focused Software is happy to sign the state DUA Attachment 1 for its clients.
C15, C16 and C17.
Discussion: Providers are expected to keep security updates/patches (including firmware, software and applications) current, keep anti-malware and antivirus protection up to date, and review the security logs of the computing systems that are used for CI. Focused Software does a lot of this for you automatically via our software, and our vetted partners will keep your hardware up to code upon request.
C18.
Discussion: The correct disposal of CI/PHI is as important as its storage and transmission. Believe it or not, there is a correct way to irretrievably dispose of electronic CI/PHI. Make sure that you know what this is and how to do it. Or just ask us! When necessary, Focused Software disposes of and destroys CI in accordance with HIPAA requirements.
C19.
Discussion: Texas providers must ensure that all public facing websites and mobile applications containing Texas HHS Confidential Information meet security testing standards set forth within the Texas Government Code (TGC), Section 2054.516. It stems from the Texas Cybersecurity Act passed in 2017. Contractors are being held accountable for compliance with this requirement as a part of their contract deliverables.
This simply means that providers must ensure that the subcontractors that supply them with public facing websites or mobile applications also maintain these standards. This new requirement is extremely involved and cannot be adequately addressed in four blog posts let alone a small section of one blog! You’ll probably need an IT background to fully understand the requirements; this is even before attempting to implement them! Your appropriate subcontractor should be able to help you answer any questions you may have. As always Focused Software is here to help you say – yes!
Some of the items covered in the Cybersecurity Act include code creation and review, server and website security, password strength and policy, as well as data access right restrictions, amongst other requirements. Focused clients can call for additional details. For more information regarding TGC, Section 2054.516, DATA SECURITY PLAN FOR ONLINE AND MOBILE APPLICATIONS, please refer to: https://legiscan.com/TX/text/HB8/2017
Stay tuned – remember Focused Software is here for you! Next week’s blog will cover OIG employee checks. Contact us today – we’ll be happy to provide a free, no-obligation demonstration of the Focused Software Electronic Health Record, discuss provider operations and brainstorm with you so you can discover how FS can help you easily comply with federal and state requirements.
Photographs: NASA (Gulf of Mexico From Space); Mohamed Hassan (Man with tablet)