Beginning on February 18, HHS will have the legal authority to enforce the breach notification laws set forth last year as part of section 13402 of the HITECH Act, within the American Recovery & Reinvestment Act (ARRA). The penalties can now be up to $1.5 million and require media notification in cases where 500 or more records are breached. Business associates, as well as covered entities, must now comply with the HITECH Act breach notification rule (which essentially makes modifications to the HIPAA Security Rule).
Perform an extensive security review and indentify where electronic protected health information (PHI or ePHI) resides on your IT systems.
Create a plan on protecting PHI.
Data encryption provides a safe harbor from breach notification. Determine where PHI can be encrypted.
Identify public facing extranet portals and web applications that can allow access to PHI.
Identify databases that hold PHI.
Execute the plan
Implement data encryption where practical.
For databases, implement a database security product to monitor database requests and protect from intrusion.
For web apps, implement a web application security product to protect from cross-site scripting and various attacks to access databases to PHI.
Protect endpoints such as laptops, tablets, etc with data at rest encryption by implementing whole disk encryption,
Experior Data helps customers plan and execute data security assessments and technology implementation for healthcare. Our proprietary Technical Security Audit includes a personalized review of your IT systems and well as a vulnerability scan of all your network components.
On Wednesday, December 30th, the U.S Department of Health and Human Services (HHS) released its Interim Final Rule on Meaningful use. This rule is applicable to covered entities who chose to participate in the Medicare and Medicaid EHR Incentive Programs. Essentially, healthcare providers must prove that they are using the EHRs and meet HHS’s standards of meaningful use in order to receive reimbursement for implementing the EHR system.
Stages
Stage 1 (starting in 2011): Focused on electronically capturing health information, implementing clinical decision support tools to facilitate disease and medication management, and reporting clinical quality measures and public health information. Note that in this stage electronic protected health information (PHI) is being captured and stored, and as a result, must be secured. It is this specific information that must be protected from security breaches.
Stage 2 (starting in 2013):Focused on using captured information to improve care, electronic transmission of diagnostic test results, and computerized provider order entry (CPOE).
Stage 3 (starting in 2015): Focused on decision support and improvements in quality and safety.
Role of Security & Privacy in Meaningful Use
In general, HHS has specifically included encryption as a requirement for a Certified EHR system (only Certified EHR systems are eligible for cost reimbursement). The inclusion of encryption in meaningful use is indicative of the Federal government’s recognition that encryption is a critical technology in securing protected health information (PHI).
Certified EHRs must be able to provide the patient an electronic copy of their health information upon their request. This information must be provided within 96 hours from the time the provider obtains the information, such as lab results, for example. This patient information must secured with at least a symmetric 128 bit fixed-block cipher algorithm capable of using 128, 192, or 256 bit encryption key.
Certified EHRs must protect electronic health information by implementing controls and encyption, such as:
- Assigning a unique user name for each user
- Encrypt and decrypt health information for backups, removable media, etc.
- Event recording such as deletion of records
- Audit review log
- Systems to ensure health information has not been altered using a hash algorithm
- Record disclosures made for treatment
- Ensure identity management is in place
Systems outside of Certified EHRs
As a matter of policy HHS has decided NOT to dictate standards on privacy and security in the context of meaninful use for systems other than Certified EHRs. In other words, they acknowledge that there are other systems that are part of the electronic health IT ecosystem, such as backup systems, hard drives, removable media, domain name systems (DNS), time servers (NNTP), etc. They acknowledge that these systems should be protected. However, for the purposes of the scope of the ruling they decided not to dictate standards or requirements beyond those for the actual EHR system.
HHS took the time to reiterate that using a Certified EHR “does not change existing HIPAA Privacy Rule or Security Rule requirements, guarantee compliance with those requirements, or absolve an eligible professional, eligible hospital, or other health care provider who adopts Certified EHR Technology from having to comply with any applicable provision of the HIPAA Privacy or Security Rules.
This essentially means that you must still consider the security of systems outside the Certified EHR system and, if necessary, secure these systems. Implementing a Certified EHR system does not absolve your organization from the HIPAA Privacy and Security Rules. They go on further to say:
“While the capabilities provided by Certified EHR Technology may assist an eligible professional or eligible hospital in improving their technical safeguards in order to meet some or all of the HIPAA Security Rule’s requirements or influence their risk analysis, the use of Certified EHR Technology alone does not equate to compliance with the HIPAA Privacy or Security Rules.
Make sure you look at out healthcare IT system holistically. Implementing a Certified EHR is only part of the overall security equation in your organization.
According to the Initial Set of Standards for Electronic Health Records patients must be provided with their health information (most certainly protected health information -PHI- under HIPAA) electronically and securely within 96 hours.
“Consistent with the HIT Policy Committee’s recommendations, we propose the following additional clarification of this objective. Electronic copies may be provided through a number of secure electronic methods (for example, personal health record (
Provide patients with timely electronic access to their health information (including lab results, problem list, medication lists, allergies) within 96 hours of the information being available to the EP. Also, consistent with the HIT Policy Committee recommendations, we propose the following additional clarification of this objective. Electronic access may be provided by a number of secure electronic methods (for example, PHR, patient portal, CD, USB drive). Timely is defined as within 96 hours of the information being available to the EP either through the receipt of final lab results or a patient interaction that updates the EP’s knowledge of the patient’s health. We judge 96 hours to be a reasonable amount of time to ensure that certified EHR technology is up to date. We welcome comment on if a shorter or longer time is advantageous.”
You may be wondering how can patient information be secured. The best way to secure information is by encrypting the media. However, note that patients must be able to decrypt the information on their own computer equipment. One of the product Experior Data implements is called PGP Portable. For example, the patient provides a USB drive for you to copy the PHI onto it. PGP Portable encrypts the entire USB device after the information is copied to it. The patient must provide a passphrase during the encryption process. When the patient goes home he/she inserts the USB drive into their home computer and is prompted for the passphrase. After the passphrase is entered access to the patient information is provided.
If you intend on implementing electronic records and apply for the Electronic Health Record Incentive Program (EHRIP) you must demonstrate “meaningful use” of the electronic health record system. One of the provisions in EHRIP is information sharing. The authors of the EHRIP specifically set out to standardize on two protocols for information sharing:
Both of these technologies are know as web services. Essentially, web services provide information sharing capabilities using structured data files called XML. The purpose is to use these open standards so that applications developed by different vendors could communicate and share information.
Securing Web Services
In terms of security it is important to ensure that the transmission between applications using these web services is properly encrypted using SSL technology. In addition, considerations should be made to implement network and host intrusion prevention systems to ensure the security and integrity of the systems transmitting the shared information. For example, accepting SOAP requests will require you to set up a DMZ infrastructure. Servers sitting in the DMZ will need to accept SOAP requests and send them. It is the traffic to and from these servers, and the servers themselves, that need to be protected.
The Electronic Health Record Incentive Program spells out the proposed terms of the the reimbursements healthcare professionals and certain entities can receive by implementing electronic health records.
The Initial Set of Standards rule discusses the concept of “meaningful use”, which is a major component of the incentive program. Healthcare entities must meet certain requirements, like sharing of information and being able to capture specific information from patients.
“On October 30, 2009, the Department of Health and Human Services (HHS) issued an interim final rule pertaining to the enforcement provisions of the HI-TECH Act. The final rule serves to conform HIPAA’s enforcement regulations to the revisions to the HIPAA statutes made by the HI-TECH Act.”
…
This is the government’s way of saying “we’re made a rule, and we are now going to enforce it”. The enforcement ruling is an indicative of the federal government’s interest in protecting the privacy and identity of patients. As patient records get converted from paper to electronic security has become a very important part of the healthcare IT ecosystem.
..
Bricker and Echler, LLC go on further to say “The HI-TECH Act significantly increased the penalty amounts for HIPAA violations, as reflected in the final rule. Covered entities should understand the financial risks associated with HIPAA non-compliance and the changes to the available affirmative defenses. It is critical to have an effective HIPAA compliance program to avoid HIPAA violations and to identify and correct HIPAA violations in a timely manner, which can shield the organization from substantial financial penalties”
In a strongly-worded letter sent and signed by six congressmen to HHS SecretaryKathleen Sebelius the message was clear: remove the harm assessment that lawmakers rejected when writing the privacy regulations into ARRA. The harm standard essentially says that in case of a breach the covered entity must make an assessment of whether or not the breach can cause reputational, financial, and other types of harm. This leaves open the possibility that a covered entity could decide to act in its own interest and make the decision not to follow the directives written into the breach notification ruling.
..
There are, of course, two sides of the sword. On one hand it’s difficult to enforce a policy with subjective elements present, such as the harm assessment. It is unlikely that a covered entity would risk the substantial fines, now as high as $1.5 million, and the possibility of criminal prosecution to avoid notification in case a serious breach occurs. However, the harm assessment leaves that possibility open.
..
A drawback to removing the harm assessment is that it is possible that, ironically, that too many breach notifications are sent to people, thereby creating a “boy that cries wolf” effect. In a perfect world breaches would never happen, so there would not need to be a reason to notify people. However, we all know that not to be the reality. Breaches do occur, intentional or not. And people need to be notified as soon as possible. Should covered entities be given the privilege of deciding the severity of the harm and potentially choosing not to notify people? We shall see the next steps Congress and HHS will take.
The new breach notification guidelines go into effect on September 23rd, 2009. Even though breach notification goes into effect on 9/23/09, the Interim Rule states that civil penalties will not be imposed until February 18th, 2010. The government is aware of the ambiguity and clearly states that it has discretion on imposing sanctions for failure to provide notification in case of a breach notification for breaches occurring before 2/18/10.
..
During the 180 period between 8/2009 and 2/2010 covered entities have the perfect opportunity to review the data stored on their IT systems. The Interim Rule is concerned specifically with Data in Motion, Data in Use, Data at Rest, and Data Disposed. Experior can help determine the best plan of action to implement encryption in your IT systems to protect your organization from breach notification requirements.
The term Protected Health Information (PHI) has its roots in the term “Individually Identifiable Information” that was first used in the context of privacy regulation in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
..
HIPAA explicitly defines this Information as “…any information, including demographic information collected from an individual, that–”(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and ”(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and–”(i) identifies the individual; or ”(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”
..
Protected Health Information takes that definition and applies and electronic twist to it. The Interim Final Rule on Breach Notification for Unsecured Protected Health Information on page 4 of the preamble defines protected health information as: “individually identifiable health information held or transmitted in any form or medium by HIPAA covered entities and business associates, subject to certain limited exceptions”.
An important part the interim final rule is the decision that encryption is the only acceptable technology to make protected health information (essentially, patient records) “unusable, unreadable, or indecipherable to unauthorized individuals”. The preamble to the rule explains that even though other methods (such as access control) can continue to be used, if a breach occurs and the protected health information is disclosed to unauthorized individuals a breach notification is required.
Breach notifications are essentially categorized as “under 500″ and “over 500″ records. If a breach occurred to under 500 records then covered entities must maintain a log of the breach and notify the patients. If a breach over 500 records has occurred then not only patients need to be notified but also major media outlet and HHS. In addition, a hotline must be established so that people can call and obtain more information about the breach (notification procedures are specified in the HITECH Act, Section 13402). HHS can issue fines and attorneys general of each state are empowered to pursue these types of breaches on a criminal level.
The government is clearly serious about patient record privacy to encourage covered entities to move paper records to electronic records as part of its overall healthcare reform efforts.
Copyright 2009 - Experior Data Security and Encryption - No parts of the content herein may be copied or reproduced without permission www.experiordata.comwww.arra13402.com
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=3a0266f6-3270-43a7-9d5d-72d3000b6dd6)
- Encrypt and decrypt health information for backups, removable media, etc.
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=6e87899c-e6e7-4f3a-9683-3d2ac9ec511b)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=76960f38-a396-49b1-bf12-c9961f5125fc)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=7993140a-f705-4f45-909d-e89dd1de5bd5)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=caa87e61-a76d-48bd-b1f5-285d46a2e078)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=0f8109dd-4181-4d3b-a3fb-759163ab8308)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=f109c045-b7ee-4c5f-b033-6660b8cf7572)
