Avoid Breach Notification - Experior helps PHI Encryption » ARRA

Healthleaders Media Predicts Strict Enforcement of ARRA and HITECH Act

admin — Tue, 08 Dec 2009 05:16:34 +0000

"As for enforcement, Congress promised in ARRA "periodic audits" to ensure HIPAA compliance. Government officials told HealthLeaders Media in September they weren't sure what that meant, and Apgar says OCR still does not have a definitive plan. Likely, they will not publish a plan until second quarter 2010."

Sounds like 2009 was the year of the healthcare law revisions. 2010 looks like it may be the year of enforcement.

Breach notification goes into effect on September 23, 2009

admin — Thu, 03 Sep 2009 03:50:52 +0000

The new breach notification guidelines go into effect on September 23rd, 2009. Even though breach notification goes into effect on 9/23/09, the Interim Rule states that civil penalties will not be imposed until February 18th, 2010. The government is aware of the ambiguity and clearly states that it has discretion on imposing sanctions for failure to provide notification in case of a breach notification for breaches occurring before 2/18/10.

During the 180 period between 8/2009 and 2/2010 covered entities have the perfect opportunity to review the data stored on their IT systems. The Interim Rule is concerned specifically with Data in Motion, Data in Use, Data at Rest, and Data Disposed. Experior can help determine the best plan of action to implement encryption in your IT systems to protect your organization from breach notification requirements.

Protected Health Information – What is it?

admin — Tue, 25 Aug 2009 03:54:58 +0000

The term Protected Health Information (PHI) has its roots in the term “Individually Identifiable Information” that was first used in the context of privacy regulation in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

..
HIPAA explicitly defines this Information as “…any information, including demographic information collected from an individual, that–”(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and ”(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and–”(i) identifies the individual; or ”(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”

Protected Health Information takes that definition and applies and electronic twist to it. The Interim Final Rule on Breach Notification for Unsecured Protected Health Information on page 4 of the preamble defines protected health information as: “individually identifiable health information held or transmitted in any form or medium by HIPAA covered entities and business associates, subject to certain limited exceptions”.

“Subject to certain limited exceptions” can be interpreted to mean additional exclusions listed in Standards for Privacy of Individually Identifiable Health Information; Final Rule, 45 CFR Parts 160 and 164, ss 164.501. Exclusions as written are an employer in its role as a covered entity (covered entities are employers as well) and education records specified in the Family Education Rights and Privacy Act, 20 U.S.C. 1232g.

‘individually

identifiable health information’ means any information, including demographic

information collected from an individual, that–

“(A) is created or received by a health care provider, health plan, employer, or

health care clearinghouse; and

“(B) relates to the past, present, or future physical or mental health or condition of

an individual, the provision of health care to an individual, or the past, present, or

future payment for the provision of health care to an individual, and–

“(i) identifies the individual; or

“(ii) with respect to which there is a reasonable basis to believe that the information

can be used to identify the individual

HHS Ruling on Encryption – ARRA/HITECH ACT subsection 13402

admin — Mon, 24 Aug 2009 04:46:46 +0000

On Thursday, August 20th, 2009, the U.S. Department of Health and Human Services (HHS) issued the Interim Final Rule on Breach Notification.

An important part the interim final rule is the decision that encryption is the only acceptable technology to make protected health information (essentially, patient records) “unusable, unreadable, or indecipherable to unauthorized individuals”. The preamble to the rule explains that even though other methods (such as access control) can continue to be used, if a breach occurs and the protected health information is disclosed to unauthorized individuals a breach notification is required.

Breach notifications are essentially categorized as “under 500″ and “over 500″ records. If a breach occurred to under 500 records then covered entities must maintain a log of the breach and notify the patients. If a breach over 500 records has occurred then not only patients need to be notified but also major media outlet and HHS. In addition, a hotline must be established so that people can call and obtain more information about the breach (notification procedures are specified in the HITECH Act, Section 13402). HHS can issue fines and attorneys general of each state are empowered to pursue these types of breaches on a criminal level.

The government is clearly serious about patient record privacy to encourage covered entities to move paper records to electronic records as part of its overall healthcare reform efforts.