Protected Health Information (PHI) is a term used widely in HIPAA. PHI is information that can identify and individual, such as name, address, social security number, and clinical information about the individual. Part of the American Recovery and Reinvestment Act (ARRA) called the HITECH Act, section 13402, specifically requires a covered entity or business associate to notify HHS and the mass media of breaches of uprotected PHI involving more than 500 records. PHI that is encrypted is considered protected and, therefore, provides a safe harbor against breach notification.

Among those involved in the data breaches are hospitals, clinics, dentists, insurance companies, private medical practices (though it’s unclear as to why their names are being withheld), universities, state governments, and several Blue Cross Blue shield organizations.

More importantly, business associates – which are essentially service providers to covered entities – are not only listed but are named. Most of them are IT services providers to covered entities.

Data at rest appears to be the most common form of breach, most likely a result of lost laptops, backup tapes, and a seemingly missing server.

Data encryption provides a safe harbor against breach notification and should be implemented in places where PHI is stored.

1. Perform an extensive security review and indentify where electronic protected health information (PHI or ePHI) resides on your IT systems.
2. Create a plan on protecting PHI.
   • Data encryption provides a safe harbor from breach notification. Determine where PHI can be encrypted.
   • Identify public facing extranet portals and web applications that can allow access to PHI.
   • Identify databases that hold PHI.
   • Execute the plan
3. Implement data encryption where practical.
   • For databases, implement a database security product to monitor database requests and protect from intrusion.
   • For web apps, implement a web application security product to protect from cross-site scripting and various attacks to access databases to PHI.
   • Protect endpoints such as laptops, tablets, etc with data at rest encryption by implementing whole disk encryption,

Experior Data helps customers plan and execute data security assessments and technology implementation for healthcare. Our proprietary Technical Security Audit includes a personalized review of your IT systems and well as a vulnerability scan of all your network components.

Related articles by Zemanta

• HITECH Act security breach rules now effective; federales give a six-month pass. Now’s the time to kick compliance efforts into high gear (healthblawg.typepad.com)
• HITECH and State Breach Notification (slideshare.net)
• Using Encryption Garners Exemption For Data Breach Notification (yro.slashdot.org)
• Son of HIPAA Breach Notification Rules and Business Associate Requirements: Who’s Ready? (healthblawg.typepad.com)
• The Cost of Fear | Why Docs Don’t Embrace Technology (Dr. Rob) (hunscher.typepad.com)
• PGP Corporation to Announce Acquisition (newswire.ca)

Customers can now use PGP Universal Server to centrally manage encryption for their multi-platform environment. A single web-based user interface can be used to manage encryption end points using Microsoft Windows, Apple Mac, Red Hat Linux, and Ubuntu Linux. PGP is the only encryption vendor that delivers encryption solutions across multiple platforms. Multi-platform support is especially important with the popularity of netbooks, and the forthcoming Apple tablet device, which is reported to be using the Mac OSX operating system.

PGP also added functionality for e-mail encryption in Microsoft Outlook. Using Microsoft Outlook users can now click “sign and encrypt” buttons to automatically encrypt emails.

Experior Data is a PGP SILVER Partner and helps organizations implement data encryption solutions.

More information about these new releases is available on the PGP web site.

- Whole disk encryption is clearly needed for mobile devices

- Whole disk encryption protects data when computers are TURNED OFF. This means that while you’re using the laptop the data is in use, and is not encrypted.

- Additional levels of data protection is needed to protected the data while computers are in use. For example, critical data files should be encrypted automatically regardless of whether the computer is turned on or off. Whole disk encryption does not do this.

- Files containing PHI that are transferred on a network need to be encrypted. Whole disk encryption does not do this.

- What about e-mails containing PHI? More importantly, what about those that use Microsoft Outlook and store data in archive (.pst) files?

So why is whole disk encryption not enough? What happens if a worm invades your computer and transfers documents of a certain file type to a remote location. Whole disk encryption will not help you in this situation.

It’s important for any encryption solution to not only encrypt the hard drive but also to encrypted files on the hard drive so that they remain encrypted while the computer is on.

BCBS goes on further to say that the data on the hard drives was “scrambled” in way that would make it difficult for others to access it. It remains to be see what “scrambled” really means.

On Wednesday, December 30th, the U.S Department of Health and Human Services (HHS) released its Interim Final Rule on Meaningful use. This rule is applicable to covered entities who chose to participate in the Medicare and Medicaid EHR Incentive Programs. Essentially, healthcare providers must prove that they are using the EHRs and meet HHS’s standards of meaningful use in order to receive reimbursement for implementing the EHR system.

Stages

Stage 1 (starting in 2011):  Focused on electronically capturing health information, implementing clinical decision support tools to facilitate disease and medication management, and reporting clinical quality measures and public health information. Note that in this stage electronic protected health information (PHI) is being captured and stored, and as a result, must be secured. It is this specific information that must be protected from security breaches.

Stage 2 (starting in 2013): Focused on using captured information to improve care, electronic transmission of diagnostic test results, and computerized provider order entry (CPOE).

Stage 3 (starting in 2015): Focused on decision support and improvements in quality and safety.

Role of Security & Privacy in Meaningful Use

In general, HHS has specifically included encryption as a requirement for a Certified EHR system (only Certified EHR systems are eligible for cost reimbursement). The inclusion of encryption in meaningful use is indicative of the Federal government’s recognition that encryption is a critical technology in securing protected health information (PHI).

Certified EHRs must be able to provide the patient an electronic copy of their health information upon their request. This information must be provided within 96 hours from the time the provider obtains the information, such as lab results, for example. This patient information must secured with at least a symmetric 128 bit fixed-block cipher algorithm capable of using 128, 192, or 256 bit encryption key.

Certified EHRs must protect electronic health information by implementing controls and encyption, such as:

- Assigning a unique user name for each user

- Encrypt and decrypt health information for backups, removable media, etc.

- Event recording such as deletion of records

- Audit review log

- Systems to ensure health information has not been altered using a hash algorithm

- Record disclosures made for treatment

- Ensure identity management is in place

Systems outside of Certified EHRs

As a matter of policy HHS has decided NOT to dictate standards on privacy and security in the context of meaninful use for systems other than Certified EHRs. In other words, they acknowledge that there are other systems that are part of the electronic health IT ecosystem, such as backup systems, hard drives, removable media,  domain name systems (DNS), time servers (NNTP), etc. They acknowledge that these systems should be protected. However, for the purposes of the scope of the ruling they decided not to dictate standards or requirements beyond those for the actual EHR system.

Application of HIPAA Privacy and Security Rule

HHS took the time to reiterate that using a Certified EHR “does not change existing HIPAA Privacy Rule or Security Rule requirements, guarantee compliance with those requirements, or absolve an eligible professional, eligible hospital, or other health care provider who adopts Certified EHR Technology from having to comply with any applicable provision of the HIPAA Privacy or Security Rules.

This essentially means that you must still consider the security of systems outside the Certified EHR system and, if necessary, secure these systems. Implementing a Certified EHR system does not absolve your organization from the HIPAA Privacy and Security Rules. They go on further to say:

“While the capabilities provided by Certified EHR Technology may assist an eligible professional or eligible hospital in improving their technical safeguards in order to meet some or all of the HIPAA Security Rule’s requirements or influence their risk analysis, the use of Certified EHR Technology alone does not equate to compliance with the HIPAA Privacy or Security Rules.

Make sure you look at out healthcare IT system holistically. Implementing a Certified EHR is only part of the overall security equation in your organization.

Related articles by Zemanta

• CMS and ONC Issue Rules on Proposing a Definition of Meaningful Use and Setting Standards for EHR Incentive Program (healthcarebloglaw.blogspot.com)
• Son of HIPAA Breach Notification Rules (healthblawg.typepad.com)
• Medicare officials plan for health stimulus funds (seattletimes.nwsource.com)
• Switch To Electronic Health Records Could Miss Federal Targets (huffingtonpost.com)
• Cms Proposes Definition of Meaningful Use of Certified Electronic Health Records (ehr) Technology (healthmgmtrx.blogspot.com)
• Meaningful Use 556 Page Proposed Rule is Out – Thanks WSJ for the Shortcut to the Meat and Potatoes (ducknetweb.blogspot.com)
• HIPAA and business associate (deurainfosec.com)
• Here’s the rule for meaningful use (clinicalit.blogspot.com)
• Meaningful Use Rules Hit the Streets (chilmarkresearch.com)
• ONCHIT Releases Preliminary Definition of Meaningful Use (histalk2.com)
• Further Clarifications of “Meaningful Use” Are Needed (projecthealthdesign.typepad.com)

According to the Initial Set of Standards for Electronic Health Records patients must be provided with their health information (most certainly protected health information -PHI- under HIPAA) electronically and securely within 96 hours.

How to Secure Health Records

You may be wondering how can patient information be secured. The best way to secure information is by encrypting the media. However, note that patients must be able to decrypt the information on their own computer equipment. One of the product Experior Data implements is called PGP Portable. For example, the patient provides a USB drive for you to copy the PHI onto it. PGP Portable encrypts the entire USB device after the information is copied to it. The patient must provide a passphrase during the encryption process. When the patient goes home he/she inserts the USB drive into their home computer and is prompted for the passphrase. After the passphrase is entered access to the patient information is provided.

Related articles by Zemanta

• HIEs are Beginning to Link Patients Directly to their Own Health Data (projecthealthdesign.typepad.com)
• Pushing ONC to Act on Consumer’s Behalf (chilmarkresearch.com)
• Medfusion Maintains Leadership in Patient Portal Performance (medicineandtechnology.com)
• How to Get $20 Billion for Using Electronic Medical Records (blogs.wsj.com)

Web Services At Forefront

If you intend on implementing electronic records and apply for the Electronic Health Record Incentive Program (EHRIP) you must demonstrate “meaningful use” of the electronic health record system. One of the provisions in EHRIP is information sharing. The authors of the EHRIP specifically set out to standardize on two protocols for information sharing:

• SOAP
• REST

Both of these technologies are know as web services. Essentially, web services provide information sharing capabilities using structured data files called XML. The purpose is to use these open standards so that applications developed by different vendors could communicate and share information.

Securing Web Services

In terms of security it is important to ensure that the transmission between applications using these web services is properly encrypted using SSL technology. In addition, considerations should be made to implement network and host intrusion prevention systems to ensure the security and integrity of the systems transmitting the shared information. For example, accepting SOAP requests will require you to set  up a DMZ infrastructure. Servers sitting in the DMZ will need to accept SOAP requests and send them. It is the traffic to and from these servers, and the servers themselves, that need to be protected.

Related articles by Zemanta

• Web Services Hacking And Hardening (slideshare.net)
• The XML Security Relay Race (devcentral.f5.com)
• Health IT Buzz – HHS Launches Healthcare Blog to Communicate with Dr. Blumenthal (ducknetweb.blogspot.com)
• Here’s the rule for meaningful use (clinicalit.blogspot.com)

With $20 billion at stake the Federal government released two interim rules:

• Medicare and Medicaid Programs; Electronic Health Record Incentive Program
• Standards & Certification Interim Final Rule: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology

The Electronic Health Record Incentive Program spells out the proposed terms of the the reimbursements healthcare professionals and certain entities can receive by implementing electronic health records.

The Initial Set of Standards rule discusses the concept of “meaningful use”, which is a major component of the incentive program. Healthcare entities must meet certain requirements, like sharing of information and being able to capture specific information from patients.

Related articles by Zemanta

• Medicare officials plan for health stimulus funds (seattletimes.nwsource.com)
• Switch To Electronic Health Records Could Miss Federal Targets (huffingtonpost.com)
• Meaningful Use 556 Page Proposed Rule is Out – Thanks WSJ for the Shortcut to the Meat and Potatoes (ducknetweb.blogspot.com)
• Here’s the rule for meaningful use (clinicalit.blogspot.com)
• How to Get $20 Billion for Using Electronic Medical Records (blogs.wsj.com)
• Health IT Buzz – HHS Launches Healthcare Blog to Communicate with Dr. Blumenthal (ducknetweb.blogspot.com)

A call is scheduled for 5:15pm on 12/30 to discuss the IFR.

WHEN: 
Today, Wednesday, Dec. 30, 2009, 5:15 p.m. – 6:00 p.m. Eastern Time

WHERE: 
Toll-Free Dial: (800) 837-1935
Conference ID: 49047605
Pass Code: HITECH