Archive for February, 2010

The Government is Serious: Breach Notifications WILL be posted

Tuesday, February 23rd, 2010

The government is naming names! Today the Office of Civil Rights, part of the Department of Health and Human Services, did what they said all along that they would do – post the names of covered entities AND business associates who are involved in data breaches. The somewhat lengthy list provides an insight into the organizations involved in breaches of unsecured protected health information (PHI).


Protected Health Information (PHI) is a term used widely in HIPAA. PHI is information that can identify an individual, such as name, address, social security number, and clinical information about the individual. Part of the American Recovery and Reinvestment Act (ARRA) called the HITECH Act, section 13402, specifically requires a covered entity or business associate to notify HHS and the mass media of breaches of unprotected PHI involving more than 500 records. PHI that is encrypted is considered protected and, therefore, provides a safe harbor against breach notification.


Among those involved in the data breaches are hospitals, clinics, dentists, insurance companies, private medical practices (though it’s unclear as to why their names are being withheld), universities, state governments, and several Blue Cross Blue Shield organizations.


More importantly, business associates – which are essentially service providers to covered entities – are not only listed but are named. Most of them are IT services providers to covered entities.


Data at rest appears to be the most common form of breach, most likely a result of lost laptops, backup tapes, and a seemingly missing server.


Data encryption provides a safe harbor against breach notification and should be implemented in places where PHI is stored.

3 steps for breach notification protection

Tuesday, February 16th, 2010

Beginning on February 18, HHS will have the legal authority to enforce the breach notification laws set forth last year as part of section 13402 of the HITECH Act, within the American Recovery & Reinvestment Act (ARRA). The penalties can now be up to $1.5 million and require media notification in cases where 500 or more records are breached. Business associates, as well as covered entities, must now comply with the HITECH Act breach notification rule (which essentially makes modifications to the HIPAA Security Rule).



  1. Perform an extensive security review and identify where electronic protected health information (PHI or ePHI) resides on your IT systems.
  2. Create a plan on protecting PHI.
    • Data encryption provides a safe harbor from breach notification. Determine where PHI can be encrypted.
    • Identify public facing extranet portals and web applications that can allow access to PHI.
    • Identify databases that hold PHI.
    • Execute the plan.
  3. Implement data encryption where practical.
    • For databases, implement a database security product to monitor database requests and protect from intrusion.
    • For web apps, implement a web application security product to protect from cross-site scripting and various attacks to access databases to PHI.
    • Protect endpoints such as laptops, tablets, etc. with data at rest encryption by implementing whole disk encryption.


Experior Data helps customers plan and execute data security assessments and technology implementation for healthcare. Our proprietary Technical Security Audit includes a personalized review of your IT systems as well as a vulnerability scan of all your network components.
