Protected Health Information (PHI) is a term used widely in HIPAA. PHI is information that can identify and individual, such as name, address, social security number, and clinical information about the individual. Part of the American Recovery and Reinvestment Act (ARRA) called the HITECH Act, section 13402, specifically requires a covered entity or business associate to notify HHS and the mass media of breaches of uprotected PHI involving more than 500 records. PHI that is encrypted is considered protected and, therefore, provides a safe harbor against breach notification.

Among those involved in the data breaches are hospitals, clinics, dentists, insurance companies, private medical practices (though it’s unclear as to why their names are being withheld), universities, state governments, and several Blue Cross Blue shield organizations.

More importantly, business associates – which are essentially service providers to covered entities – are not only listed but are named. Most of them are IT services providers to covered entities.

Data at rest appears to be the most common form of breach, most likely a result of lost laptops, backup tapes, and a seemingly missing server.

Data encryption provides a safe harbor against breach notification and should be implemented in places where PHI is stored.

1. Perform an extensive security review and indentify where electronic protected health information (PHI or ePHI) resides on your IT systems.
2. Create a plan on protecting PHI.
   • Data encryption provides a safe harbor from breach notification. Determine where PHI can be encrypted.
   • Identify public facing extranet portals and web applications that can allow access to PHI.
   • Identify databases that hold PHI.
   • Execute the plan
3. Implement data encryption where practical.
   • For databases, implement a database security product to monitor database requests and protect from intrusion.
   • For web apps, implement a web application security product to protect from cross-site scripting and various attacks to access databases to PHI.
   • Protect endpoints such as laptops, tablets, etc with data at rest encryption by implementing whole disk encryption,

Experior Data helps customers plan and execute data security assessments and technology implementation for healthcare. Our proprietary Technical Security Audit includes a personalized review of your IT systems and well as a vulnerability scan of all your network components.

Related articles by Zemanta

• HITECH Act security breach rules now effective; federales give a six-month pass. Now’s the time to kick compliance efforts into high gear (healthblawg.typepad.com)
• HITECH and State Breach Notification (slideshare.net)
• Using Encryption Garners Exemption For Data Breach Notification (yro.slashdot.org)
• Son of HIPAA Breach Notification Rules and Business Associate Requirements: Who’s Ready? (healthblawg.typepad.com)
• The Cost of Fear | Why Docs Don’t Embrace Technology (Dr. Rob) (hunscher.typepad.com)
• PGP Corporation to Announce Acquisition (newswire.ca)

BCBS goes on further to say that the data on the hard drives was “scrambled” in way that would make it difficult for others to access it. It remains to be see what “scrambled” really means.

A call is scheduled for 5:15pm on 12/30 to discuss the IFR.

WHEN: 
Today, Wednesday, Dec. 30, 2009, 5:15 p.m. – 6:00 p.m. Eastern Time

WHERE: 
Toll-Free Dial: (800) 837-1935
Conference ID: 49047605
Pass Code: HITECH

Filed under “you just can’t make this stuff up” from our friends in Lake Geneva, Wisconsin:

‘ ‘There were two nurses that independently took a picture each of an X-ray of a patient,’ Walworth County Undersheriff Kurt Picknell said.
The patient was admitted to the emergency room with an object lodged in his rectum. Police said the nurse explained she and a co-worker snapped photos when they learned it was a sex device. Police said discussion about the incident was posted on her Facebook page, but they haven’t found anyone who actually saw the pictures.”

Well, contrary to common sense one has to wonder at what point do you say to yourself, “hey, I probably shouldn’t take a picture of an X-Ray belonging to a patient and post it on Facebook”. Although its not known if the X-Ray contained protected health information (PHI), we would venture to say that posting the X-Ray is probably not a good idea. I mean they could have encrypted it!

Related articles by Zemanta

• Medics suspended over Facebook antics (guardian.co.uk)
• NHS staff suspended for playing The Lying Down Game’ (telegraph.co.uk)

As Alanis Morrissette would say “And isn’t it ironic … don’t you think”. A relative just received a breach notification letter from from Health Net.

Some wording we find interesting:

“The purpose of this letter is to inform you of a matter involving an unencrypted portable computer disk drive was discovered missing from a Health Net office”.

What’s interesting about this sentence is that they use the term “unencrypted”. So the majority of the general public does not know what this term means. However, Health Net indirectly acknowledges that the drive should have been encrypted, and perhaps they will implement encryption in their company.

Related articles by Zemanta

• Kindle users bypass copy protection and regional restrictions (geeksaresexy.net)

The House of Representatives passed the Data Accountability and Trust Act  (HR 2221) today:

“A bill to protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach”

This bill essentially creates a nationwide breach notification law that requires companies who hold personal information notify people about the breach. In addition to breach notification, the bill also requires companies who store electronic personal information to establish proper security policies and establish a security policy coordinator. Personal information is defined as:

“an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:

(i) Social Security number.

(ii) Driver’s license number or other State identification number.

(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.”

The fines are steep and could be as high as $11,000 per violation up to $5,000,000.

Notification may happen via postal mail or e-mail (if e-mail is the primary communication method and if consent to communicate via e-mail was previously given).

The Bill provides an exemption from breach notification if encryption is used. However, it also mandates that the Federal Trade Commission explore other technologies and report back to Congress 270 days after enactment. With terminology like “renders data in electronic form unreadable or indecipherable” it’s unlikely that anything other than encryption would qualify :

“(A) ENCRYPTION- The encryption of data in electronic form shall establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption has been or is reasonably likely to be compromised.

(B) ADDITIONAL METHODOLOGIES OR TECHNOLOGIES- Not later than 270 days after the date of the enactment of this Act, the Commission shall, by rule pursuant to section 553 of title 5, United States Code, identify any additional security methodology or technology, other than encryption, which renders data in electronic form unreadable or indecipherable, that shall, if applied to such data, establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that any such methodology or technology has been or is reasonably likely to be compromised. In promulgating such a rule, the Commission shall consult with relevant industries, consumer organizations, and data security and identity theft prevention experts and established standards setting bodies.”

Related articles by Zemanta

• Learn These Helpful Ways to Reduce Your Risk of Identity Theft (lanechase.net)
• Health Net healthcare data breach affects1.5 million (deurainfosec.com)
• Identity Theft – Do You Know What it Means to Your Financial Security? (lanechase.net)

Yes, we have found the one web site we hope you never have to visit – even the name is enough to give us the chills: Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information. Even the URL is eerily blunt: http://transparency.cit.nih.gov.

Yes, folks. If you suffer a breach you will need to report it to HHS. Interestingly, the web site is hosted by the Center for Information Technology of the National Institute of Health.

Law Blog 2.0 – Summary of 50 State Security Breach Notification Laws (scroll down to see the map)

Code: H3MQYQC7J26W