In order to help the government and private industry standardize on a risk management process NIST created the RMF - Risk Management Framework. The framework into 6 steps:

• Categorize the information systems
• Select security controls
• Implement security controls
• Access security controls
• Authorize information systems
• Monitor security controls

At the 2010 NIST HIPAA Security Conference presentation, Pat Toth, a computer scientist working for NIST , discussed the importance of the integrating risk management and security into your enterprise computing environment.  Security is often thought of as an after-the-fact process that becomes important after IT systems and applications are deployed. Toth pointed out that our perception of security’s role needs to change in order to protect the our healthcare information systems.

We will be tweeting live from the NIST HIPAA security conference on 5/11 and 5/12. If you use twitter we will be using the #NISTHIPAA hashtag. To see our tweets you  can go to search.twitter.com and search for #NISTHIPAA after 9:30 am. You can also follow @experiordata

Protected Health Information (PHI) is a term used widely in HIPAA. PHI is information that can identify and individual, such as name, address, social security number, and clinical information about the individual. Part of the American Recovery and Reinvestment Act (ARRA) called the HITECH Act, section 13402, specifically requires a covered entity or business associate to notify HHS and the mass media of breaches of uprotected PHI involving more than 500 records. PHI that is encrypted is considered protected and, therefore, provides a safe harbor against breach notification.

Among those involved in the data breaches are hospitals, clinics, dentists, insurance companies, private medical practices (though it’s unclear as to why their names are being withheld), universities, state governments, and several Blue Cross Blue shield organizations.

More importantly, business associates – which are essentially service providers to covered entities – are not only listed but are named. Most of them are IT services providers to covered entities.

Data at rest appears to be the most common form of breach, most likely a result of lost laptops, backup tapes, and a seemingly missing server.

Data encryption provides a safe harbor against breach notification and should be implemented in places where PHI is stored.

- Whole disk encryption is clearly needed for mobile devices

- Whole disk encryption protects data when computers are TURNED OFF. This means that while you’re using the laptop the data is in use, and is not encrypted.

- Additional levels of data protection is needed to protected the data while computers are in use. For example, critical data files should be encrypted automatically regardless of whether the computer is turned on or off. Whole disk encryption does not do this.

- Files containing PHI that are transferred on a network need to be encrypted. Whole disk encryption does not do this.

- What about e-mails containing PHI? More importantly, what about those that use Microsoft Outlook and store data in archive (.pst) files?

So why is whole disk encryption not enough? What happens if a worm invades your computer and transfers documents of a certain file type to a remote location. Whole disk encryption will not help you in this situation.

It’s important for any encryption solution to not only encrypt the hard drive but also to encrypted files on the hard drive so that they remain encrypted while the computer is on.

"As for enforcement, Congress promised in ARRA "periodic audits" to ensure HIPAA compliance. Government officials told HealthLeaders Media in September they weren't sure what that meant, and Apgar says OCR still does not have a definitive plan. Likely, they will not publish a plan until second quarter 2010."

Sounds like 2009 was the year of the healthcare law revisions. 2010 looks like it may be the year of enforcement.

Yes, we have found the one web site we hope you never have to visit – even the name is enough to give us the chills: Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information. Even the URL is eerily blunt: http://transparency.cit.nih.gov.

Yes, folks. If you suffer a breach you will need to report it to HHS. Interestingly, the web site is hosted by the Center for Information Technology of the National Institute of Health.

…

“On October 30, 2009, the Department of Health and Human Services (HHS) issued an interim final rule pertaining to the enforcement provisions of the HI-TECH Act. The final rule serves to conform HIPAA’s enforcement regulations to the revisions to the HIPAA statutes made by the HI-TECH Act.”

…

This is the government’s way of saying “we’re made a rule, and we are now going to enforce it”. The enforcement ruling is an indicative of the federal government’s interest in protecting the privacy and identity of patients. As patient records get converted from paper to electronic security has become a very important part of the healthcare IT ecosystem.

..

Bricker and Echler, LLC go on further to say “The HI-TECH Act significantly increased the penalty amounts for HIPAA violations, as reflected in the final rule. Covered entities should understand the financial risks associated with HIPAA non-compliance and the changes to the available affirmative defenses. It is critical to have an effective HIPAA compliance program to avoid HIPAA violations and to identify and correct HIPAA violations in a timely manner, which can shield the organization from substantial financial penalties”

..

Related articles by Zemanta

• Son of HIPAA Breach Notification Rules (healthblawg.typepad.com)
• Encrypt EHR – Else HIPAA Violations Need Be Reported To Government & Media (docinthemachine.com)
• HHS Releases 2008 Health Care Fraud and Abuse Control Program Report (medicareupdate.typepad.com)
• Stimulus Fuels Gold Rush For Electronic Health Systems (huffingtonpost.com)
• HIPAA Enforcement Meets HITECH: HIPAA Administrative Simplification: Enforcement Rule (healthcarebloglaw.blogspot.com)
• ARRA – HITECH: Health Care Information Breach Notification Regulations Now In Effect (healthcarebloglaw.blogspot.com)

In a strongly-worded letter sent and signed by six congressmen to HHS Secretary Kathleen Sebelius the message was clear: remove the harm assessment that lawmakers rejected when writing the privacy regulations into ARRA. The harm standard essentially says that in case of a breach the covered entity must make an assessment of whether or not the breach can cause reputational, financial, and other types of harm.  This leaves open the possibility that a covered entity could decide to act in its own interest and make the decision not to follow the directives written into the breach notification ruling.

..

There are, of course, two sides of the sword. On one hand it’s difficult to enforce a policy with subjective elements present, such as the harm assessment. It is unlikely that a covered entity would risk the substantial fines, now as high as $1.5 million, and the possibility of criminal prosecution to avoid notification in case a serious breach occurs. However, the harm assessment leaves that possibility open.

..

A drawback to removing the harm assessment is that it is possible that, ironically, that too many breach notifications are sent to people, thereby creating a “boy that cries wolf” effect. In a perfect world breaches would never happen, so there would not need to be a reason to notify people. However, we all know that not to be the reality. Breaches do occur, intentional or not. And people need to be notified as soon as possible. Should covered entities be given the privilege of deciding the severity of the harm and potentially choosing not to notify people? We shall see the next steps Congress and HHS will take.

..
HIPAA explicitly defines this Information as “…any information, including demographic information collected from an individual, that–”(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and ”(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and–”(i) identifies the individual; or ”(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”

..

Protected  Health Information takes that definition and applies and electronic twist to it. The Interim Final Rule on Breach Notification for Unsecured Protected Health Information on page 4 of the preamble defines protected health information as:  “individually identifiable health information held or transmitted in any form or medium by HIPAA covered entities and business associates, subject to certain limited exceptions”.

..

“Subject to certain limited exceptions” can be interpreted to mean additional exclusions listed in Standards for Privacy of Individually Identifiable Health Information; Final Rule, 45 CFR Parts 160 and 164, ss 164.501. Exclusions as written are an employer in its role as a covered entity (covered entities are employers as well) and education records specified in the Family Education Rights and Privacy Act, 20 U.S.C. 1232g.