• 1.  Password Storage Software Solutions

    Posted 05-12-2014 08:56 AM
    We have been looking at Password Storage Software solutions and have found a few good prospects; but I am wondering if anyone else has found one where the company is willing to sign a BAA.

    My IT chief is of the opinion (and I'm honestly on the fence) that even though the data is encrypted, the company does not hold the key, and they do not meet the standard definition of a BA, they still need to sign a BAA because they are storing (in their cloud) our data that allows us access to PHI.

    Anyone have thoughts on this or found an entity that is willing to sign a BAA? Obviously we'd prefer to go with a free solution if we can. FWIW, the use of a password protected excel or access file is still in play; we're just looking at all options.

    Lee Ann Atkinson BSN, CHC, CHPC
    Compliance Manager
    Fountainhead Practice Management Solutions

  • 2.  RE:Password Storage Software Solutions

    Posted 05-12-2014 10:27 AM
    Hmmmm...I for one may be getting confused as I may be misreading your posting.

    Is this cloud provider storing data that is related to your password information, keys, etc...or is this cloud provider also storing PHI, encrypted or otherwise?

    Frank Ruelas
    Compliance Officer
    Gila River Health Care
    Casa Grande, AZ

  • 3.  RE:Password Storage Software Solutions

    Posted 05-12-2014 11:05 AM
    We use Last Pass in many different situations.  Small offices may use all free versions or have a couple of people with the premium version that then shares information with the rest of the office using free versions.  The paid versions are as little as $12 per year.

    Larger groups are usually better off with Enterprise versions due to the central controls it allows.  This version starts at $24 per user per year.

    Two factor authentication (2FA) is also available which adds a very important layer of security.  We recommend using it as well.

    It takes a bit to get used to, but once the users get the hang of it they really don't remember anything other than one or two passwords, and everything else is stored in Last Pass.

    As to the BAA requirement, I don't require one with Last Pass. If we were storing PHI I definitely would require it but we have no need to store PHI with them.

    When OCR guidance changed concerning private key encryption and BAAs in the Omnibus last year I was very frustrated by the change and considered it overkill.  However, one point was made that has made me acquiesce to the ruling.

    If a laptop is fully encrypted but is lost it is still considered a breach once it is out of control of a CE or BA.  The breach doesn't require notification but it is a breach nonetheless.

    Until that definition changes, any time encrypted data is stored outside the control of a CE, they need to have a BAA or they are in a constant breach status.

    That being said, I still don't think it should be required if there is a reasonable contract of protection between the two parties and the keys are managed privately.  But, I don't see the definition changing any time soon if ever.

    Last Pass with 2FA makes it a very hard nut to crack since the encryption key is based on those two factors and only decrypted locally, never in the cloud.  We just make sure we instruct the users how to create a very complicated password for Last Pass accounts that isn't used for anything else in their lives.

    Donna Grindle CHPC, CHPSE
    Kardon Technology
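    The design Donna describes, where the vault key is derived from the master password on the user's device and the cloud only ever sees ciphertext, is worth seeing end to end. The sketch below is an added example written for this thread; it is not LastPass's code and does not claim to match that product's internals. It uses only the Python standard library, so the cipher is a constructed HMAC-SHA256 counter-mode stand-in (a real product would use AES-GCM), the 100,000-iteration PBKDF2 work factor is an assumption, and the CloudStore class, the user name and the vault contents are all made up for the demonstration.

```python
"""Zero-knowledge vault sketch: the key that decrypts the vault is derived on the
client from the master password and is never sent to the server."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example only


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    # Client side. The result stays on the device; it is the only key that can decrypt the vault.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, ITERATIONS)


def derive_login_verifier(vault_key: bytes, salt: bytes) -> bytes:
    # Client side. One more one-way step over the vault key gives the value the server
    # may hold: it proves knowledge of the password but cannot be reversed into the key.
    return hashlib.pbkdf2_hmac("sha256", vault_key, salt, 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stand-in for a real cipher (use AES-GCM in practice): HMAC-SHA256 in counter mode.
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC with sub-keys separated from the vault key; output is nonce || ciphertext || tag.
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    # Verify the tag before touching the ciphertext; a wrong key or a modified blob fails here.
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class CloudStore:
    """Hypothetical server. It holds only salt, login verifier and ciphertext, never the key."""

    def __init__(self) -> None:
        self._accounts: dict[str, dict] = {}

    def register(self, user: str, salt: bytes, verifier: bytes, blob: bytes) -> None:
        # A production server would hash the verifier once more before storing it.
        self._accounts[user] = {"salt": salt, "verifier": verifier, "blob": blob}

    def salt_for(self, user: str) -> bytes:
        return self._accounts[user]["salt"]

    def fetch_vault(self, user: str, verifier: bytes) -> bytes:
        if not hmac.compare_digest(self._accounts[user]["verifier"], verifier):
            raise PermissionError("login failed")
        return self._accounts[user]["blob"]

    def stored_bytes(self, user: str) -> bytes:
        # Everything a compromise of the server would expose for this user.
        a = self._accounts[user]
        return a["salt"] + a["verifier"] + a["blob"]


def run_demo() -> dict:
    # Constructed sample data; nothing here comes from any real account.
    server = CloudStore()
    user, password = "clinic-user@example.com", "correct horse battery staple (constructed)"
    vault = b"ehr-portal: user=lab1 pass=Sample!Pass#1 (constructed sample entry)"
    salt = os.urandom(16)

    key = derive_vault_key(password, salt)
    server.register(user, salt, derive_login_verifier(key, salt), encrypt_vault(key, vault))

    # Later login from the client: re-derive the key, authenticate, decrypt locally.
    key_again = derive_vault_key(password, server.salt_for(user))
    blob = server.fetch_vault(user, derive_login_verifier(key_again, salt))
    recovered = decrypt_vault(key_again, blob)

    wrong_key = derive_vault_key("wrong password", salt)
    try:
        server.fetch_vault(user, derive_login_verifier(wrong_key, salt))
        wrong_rejected = False
    except PermissionError:
        wrong_rejected = True

    exposed = server.stored_bytes(user)
    return {
        "roundtrip_ok": recovered == vault,
        "wrong_password_rejected": wrong_rejected,
        "key_on_server": key in exposed,
        "plaintext_on_server": b"Sample!Pass#1" in exposed,
    }
```

    The point for the BAA discussion is the `stored_bytes` view: what the provider holds is a salt, a one-way verifier and ciphertext, and `run_demo()` confirms that neither the vault key nor any plaintext entry appears in it. Whether that is enough to avoid a BAA is the legal question the thread is about; the code only shows what "decrypted locally, never in the cloud" means mechanically.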