Posts Tagged ‘HITECH Act’

Risk Management Framework recommended by NIST for HITECH Act and HIPAA Compliance

Friday, May 14th, 2010

 

 

In order to help the government and private industry standardize on a risk management process NIST created the RMF - Risk Management Framework. The framework into 6 steps:

 

  • Categorize the information systems
  • Select security controls
  • Implement security controls
  • Access security controls
  • Authorize information systems
  • Monitor security controls

At the 2010 NIST HIPAA Security Conference presentation, Pat Toth, a computer scientist working for NIST , discussed the importance of the integrating risk management and security into your enterprise computing environment.  Security is often thought of as an after-the-fact process that becomes important after IT systems and applications are deployed. Toth pointed out that our perception of security’s role needs to change in order to protect the our healthcare information systems.

 

The HIPAA security rule specifically requires that a risk assessment be performed on IT systems that contain PHI (protected health information). Rather than creating the assessment from scratch the RMF is a great place to start your research and perhaps implement the steps recommended by NIST to secure your HIT systems.
.
 
The RMF is of particular importance for helping to obtain a safe harbor from penalties in the HIPAA security rule, particularly when deciding to implement (or not implement) technologies like data encryption. For example: if you decide that encryption is not needed in your environment and an incident happens where PHI is breached you will need to show the reason behind your decisions to HHS OCR (U.S Department of Health and Human Services, Office of Civil Rights).

Tags: , , , , ,
Posted in Regulation | No Comments »

Safeguarding Health Information: Building Assurance through HIPAA Security NIST Conference

Tuesday, May 11th, 2010

 

We will be tweeting live from the NIST HIPAA security conference on 5/11 and 5/12. If you use twitter we will be using the #NISTHIPAA hashtag. To see our tweets you  can go to search.twitter.com and search for #NISTHIPAA after 9:30 am. You can also follow @experiordata

Tags: , , , ,
Posted in ARRA, Encyption | No Comments »

The Government is Serious: Breach Notifications WILL be posted

Tuesday, February 23rd, 2010

The government is naming names! Today the Office of Civil Rights, part of the Department of Health and Human Services, did what they they said all along that they will do – post the names of covered entities AND business associates who are involved in data breaches. The somewhat lengthly list provides an insight into the organizations involved in breaches of unsecured protected health information (PHI).


Protected Health Information (PHI) is a term used widely in HIPAA. PHI is information that can identify and individual, such as name, address, social security number, and clinical information about the individual. Part of the American Recovery and Reinvestment Act (ARRA) called the HITECH Act, section 13402, specifically requires a covered entity or business associate to notify HHS and the mass media of breaches of uprotected PHI involving more than 500 records. PHI that is encrypted is considered protected and, therefore, provides a safe harbor against breach notification.


Among those involved in the data breaches are hospitals, clinics, dentists, insurance companies, private medical practices (though it’s unclear as to why their names are being withheld), universities, state governments, and several Blue Cross Blue shield organizations.


More importantly, business associates – which are essentially service providers to covered entities – are not only listed but are named. Most of them are IT services providers to covered entities.


Data at rest appears to be the most common form of breach, most likely a result of lost laptops, backup tapes, and a seemingly missing server.


Data encryption provides a safe harbor against breach notification and should be implemented in places where PHI is stored.

Tags: , , , ,
Posted in ARRA, Encyption, HIPAA, Section 13402, breach notification | No Comments »

Health Net Breach Notification Letter

Monday, December 14th, 2009
{{pt|A cantora canadense Alanis Morissette dur...
Image via Wikipedia
Health Net, Inc.
Image via Wikipedia

As Alanis Morrissette would say “And isn’t it ironic … don’t you think”. A relative just received a breach notification letter from from Health Net.

Some wording we find interesting:


“The purpose of this letter is to inform you of a matter involving an unencrypted portable computer disk drive was discovered missing from a Health Net office”.



What’s interesting about this sentence is that they use the term “unencrypted”. So the majority of the general public does not know what this term means. However, Health Net indirectly acknowledges that the drive should have been encrypted, and perhaps they will implement encryption in their company.


Related articles by Zemanta
Reblog this post [with Zemanta]


Tags: ,
Posted in Encyption, breach notification | No Comments »

PHI not encrypted? See the breach notification web site you never want to vist:

Tuesday, December 8th, 2009
Logo of the United States Department of Health...
Image via Wikipedia

Yes, we have found the one web site we hope you never have to visit – even the name is enough to give us the chills: Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information. Even the URL is eerily blunt: http://transparency.cit.nih.gov.


Yes, folks. If you suffer a breach you will need to report it to HHS. Interestingly, the web site is hosted by the Center for Information Technology of the National Institute of Health.

Reblog this post [with Zemanta]

Tags: , , ,
Posted in HIPAA, breach notification | No Comments »

Interim Final Rule on Enforcement Issued

Tuesday, November 17th, 2009

According to Bricker & Eckler, LLP

“On October 30, 2009, the Department of Health and Human Services (HHS) issued an interim final rule pertaining to the enforcement provisions of the HI-TECH Act. The final rule serves to conform HIPAA’s enforcement regulations to the revisions to the HIPAA statutes made by the HI-TECH Act.”

This is the government’s way of saying “we’re made a rule, and we are now going to enforce it”. The enforcement ruling is an indicative of the federal government’s interest in protecting the privacy and identity of patients. As patient records get converted from paper to electronic security has become a very important part of the healthcare IT ecosystem.

..

Bricker and Echler, LLC go on further to say “The HI-TECH Act significantly increased the penalty amounts for HIPAA violations, as reflected in the final rule. Covered entities should understand the financial risks associated with HIPAA non-compliance and the changes to the available affirmative defenses. It is critical to have an effective HIPAA compliance program to avoid HIPAA violations and to identify and correct HIPAA violations in a timely manner, which can shield the organization from substantial financial penalties”

..

Related articles by Zemanta

Reblog this post [with Zemanta]

Tags: , ,
Posted in HIPAA, Law firms, Regulation, Rulings, Uncategorized | No Comments »