The government is naming names! Today the Office for Civil Rights, part of the Department of Health and Human Services, did what it said all along it would do: post the names of covered entities AND business associates involved in data breaches. The somewhat lengthy list provides an insight into the organizations involved in breaches of unsecured protected health information (PHI).
Protected Health Information (PHI) is a term used widely in HIPAA. PHI is information that can identify an individual, such as name, address, and Social Security number, together with clinical information about the individual. Section 13402 of the HITECH Act, part of the American Recovery and Reinvestment Act (ARRA), specifically requires a covered entity or business associate to notify HHS and the mass media of breaches of unprotected PHI involving more than 500 records. PHI that is encrypted is considered protected and, therefore, provides a safe harbor against breach notification.
Among those involved in the data breaches are hospitals, clinics, dentists, insurance companies, private medical practices (though it’s unclear why their names are being withheld), universities, state governments, and several Blue Cross Blue Shield organizations.
More importantly, business associates – which are essentially service providers to covered entities – are not only listed but are named. Most of them are IT services providers to covered entities.
Data at rest appears to be the most common form of breach, most likely a result of lost laptops, backup tapes, and a seemingly missing server.
Data encryption provides a safe harbor against breach notification and should be implemented in places where PHI is stored.
Beginning on February 18, HHS will have the legal authority to enforce the breach notification laws set forth last year as part of section 13402 of the HITECH Act, within the American Recovery & Reinvestment Act (ARRA). The penalties can now be up to $1.5 million and require media notification in cases where 500 or more records are breached. Business associates, as well as covered entities, must now comply with the HITECH Act breach notification rule (which essentially makes modifications to the HIPAA Security Rule).
1. Perform an extensive security review and identify where electronic protected health information (PHI or ePHI) resides on your IT systems.
2. Create a plan for protecting PHI:
   - Data encryption provides a safe harbor from breach notification. Determine where PHI can be encrypted.
   - Identify public-facing extranet portals and web applications that can allow access to PHI.
   - Identify databases that hold PHI.
3. Execute the plan:
   - Implement data encryption where practical.
   - For databases, implement a database security product to monitor database requests and protect against intrusion.
   - For web apps, implement a web application security product to protect against cross-site scripting and other attacks that use the application to reach the databases holding PHI.
   - Protect endpoints such as laptops and tablets with data-at-rest encryption by implementing whole disk encryption.
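One way to start the review step, as an added example that is not Experior Data’s code: a small Python scanner that reads a hypothetical patient export (the column names and sample rows are constructed here, not taken from the page), flags rows that meet the definition of personal information quoted later on this page (a name, address or phone number paired with an SSN, driver’s license or financial account number), catches SSN-shaped values typed into free-text columns, and compares the count against the 500-record media-notice threshold.

```python
import csv
import io
import re

# HITECH section 13402, as quoted on this page: breaches of unsecured PHI
# involving more than 500 records must also be reported to the media.
MEDIA_NOTICE_THRESHOLD = 500

# Hypothetical export schema (assumed here, not from the page).
NAME_FIELDS = ("first_name", "last_name")
OTHER_IDENTIFIERS = ("address", "phone")
# Data elements (i)-(iii) of the bill's "personal information" definition.
DATA_ELEMENTS = ("ssn", "drivers_license", "account_number")
# SSN shape, used to catch SSNs typed into columns that should not hold them.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def has_identifier(row):
    """Name (first name or initial plus last name), address or phone number."""
    name = all(row.get(f, "").strip() for f in NAME_FIELDS)
    return name or any(row.get(f, "").strip() for f in OTHER_IDENTIFIERS)

def has_data_element(row):
    """SSN, driver's license number or financial account number present."""
    return any(row.get(f, "").strip() for f in DATA_ELEMENTS)

def stray_ssns(row):
    """Columns other than 'ssn' whose value contains an SSN-shaped number."""
    return [col for col, val in row.items()
            if col != "ssn" and val and SSN_RE.search(val)]

def scan_export(csv_text):
    """Classify each row and summarise what a breach of this file would trigger."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    flagged = [r for r in rows if has_identifier(r) and has_data_element(r)]
    stray = {r["record_id"]: stray_ssns(r) for r in rows if stray_ssns(r)}
    return {
        "records": len(rows),
        "personal_information": len(flagged),
        "stray_ssn_columns": stray,
        "media_notice_if_breached": len(flagged) > MEDIA_NOTICE_THRESHOLD,
    }

# Constructed sample export: fictitious people and numbers.
SAMPLE_EXPORT = """record_id,first_name,last_name,address,phone,ssn,drivers_license,account_number,notes
1,Jane,Sample,1 Main St,555-0100,123-45-6789,,,routine visit
2,J.,Sample,,,,S123-4567-8901-23,,follow-up
3,,,,,,,,hemoglobin 13.2 g/dL
4,,,,555-0101,,,,caller gave SSN 987-65-4321 by phone
5,Pat,Example,2 Oak Ave,,,,,no identifiers beyond name and address
"""
```

Calling scan_export(SAMPLE_EXPORT) flags rows 1 and 2 as personal information and reports row 4’s notes column as holding a stray SSN, which is exactly the kind of location an encryption plan would otherwise miss.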
Experior Data helps customers plan and execute data security assessments and technology implementation for healthcare. Our proprietary Technical Security Audit includes a personalized review of your IT systems as well as a vulnerability scan of all your network components.
Blue Cross Blue Shield of Tennessee customers will be receiving an explanation of the data breach incident, according to the Chattanooga Times Free Press.
“This week, BCBS will provide updated data to the public on exactly how many customers were exposed when 57 hard drives were pilfered in October from a storage closet at the insurer’s Eastgate Town Center branch, said company spokeswoman Mary Thompson. ‘We’ve reached a critical mass with our analysis of the information, and this week we think we can update the public,’ Ms. Thompson said. ‘We’re going to be doing a really full breakdown of how many were potentially exposed.’”
BCBS goes on to say that the data on the hard drives was “scrambled” in a way that would make it difficult for others to access it. It remains to be seen what “scrambled” really means.
Today HHS came through with its promise to issue the interim final rule to define “meaningful use”. This is an important rule and will essentially spell out the terms and conditions of the forthcoming reimbursements for implementation of electronic health records.
A call is scheduled for 5:15pm on 12/30 to discuss the IFR.
“‘There were two nurses that independently took a picture each of an X-ray of a patient,’ Walworth County Undersheriff Kurt Picknell said.
The patient was admitted to the emergency room with an object lodged in his rectum. Police said the nurse explained she and a co-worker snapped photos when they learned it was a sex device. Police said discussion about the incident was posted on her Facebook page, but they haven’t found anyone who actually saw the pictures.”
Well, contrary to common sense, one has to wonder at what point you say to yourself, “hey, I probably shouldn’t take a picture of a patient’s X-ray and post it on Facebook”. Although it’s not known whether the X-ray contained protected health information (PHI), we would venture to say that posting it is probably not a good idea. I mean, they could have encrypted it!
“The purpose of this letter is to inform you of a matter involving an unencrypted portable computer disk drive that was discovered missing from a Health Net office”.
What’s interesting about this sentence is that they use the term “unencrypted”. Most of the general public does not know what this term means. However, Health Net indirectly acknowledges that the drive should have been encrypted, and perhaps they will implement encryption in their company.
“A bill to protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach”
This bill essentially creates a nationwide breach notification law that requires companies who hold personal information notify people about the breach. In addition to breach notification, the bill also requires companies who store electronic personal information to establish proper security policies and establish a security policy coordinator. Personal information is defined as:
“an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:
(i) Social Security number.
(ii) Driver’s license number or other State identification number.
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.”
The fines are steep and could be as high as $11,000 per violation up to $5,000,000.
Notification may happen via postal mail or e-mail (if e-mail is the primary communication method and if consent to communicate via e-mail was previously given).
The bill provides an exemption from breach notification if encryption is used. However, it also mandates that the Federal Trade Commission explore other technologies and report back to Congress 270 days after enactment. With terminology like “renders data in electronic form unreadable or indecipherable”, it’s unlikely that anything other than encryption would qualify:
“(A) ENCRYPTION- The encryption of data in electronic form shall establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption has been or is reasonably likely to be compromised.
(B) ADDITIONAL METHODOLOGIES OR TECHNOLOGIES- Not later than 270 days after the date of the enactment of this Act, the Commission shall, by rule pursuant to section 553 of title 5, United States Code, identify any additional security methodology or technology, other than encryption, which renders data in electronic form unreadable or indecipherable, that shall, if applied to such data, establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that any such methodology or technology has been or is reasonably likely to be compromised. In promulgating such a rule, the Commission shall consult with relevant industries, consumer organizations, and data security and identity theft prevention experts and established standards setting bodies.”
Yes, folks. If you suffer a breach you will need to report it to HHS. Interestingly, the web site is hosted by the Center for Information Technology of the National Institutes of Health.
In addition to Federal breach notification laws each state has its own breach notification law. We found a great cross reference resource for you to use in case you're wondering about the breach notification laws in your state.
Copyright 2009 - Experior Data Security and Encryption - No parts of the content herein may be copied or reproduced without permission. www.experiordata.com www.arra13402.com