This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
• President – Clearwater Compliance LLC• 30+ years in Business, Operations and Technology• 20+ years in Healthcare• Executive | Educator |Entrepreneur• Global Executive: GE, JNJ, HWAY• Responsible for largest healthcare datasets in world• Numerous Technical Certifications (MCSE, MCSA, etc)• Expertise and Focus: Healthcare, Financial Services, Retail, Legal
AvMed, Inc. FL 1,220,000 12/10/2009 Theft LaptopCincinnati Children's Hospital Medical Center OH 60,998 3/27/2010 Theft LaptopPraxair Healthcare Services, Inc. CT 54,165 2/18/2010 Theft LaptopThomas Jefferson University Hospitals, Inc. PA 21,000 6/14/2010 Theft LaptopAultman Hospital OH 13,867 6/7/2010 Theft LaptopDepartment of Health Care Policy & Financing CO 105,470 5/17/2010 Theft Desktop ComputerMontefiore Medical Center NY 23,753 6/9/2010 Theft Desktop ComputerSt. Joseph Heritage Healthcare CA 22,012 3/6/2010 Theft Desktop ComputerUniversity of Oklahoma-Tulsa, Neurology ClinicOK 19,264 7/25/2010 Hacking/IT Incident Desktop ComputerMontefiore Medical Center NY 16,820 5/22/2010 Theft Desktop ComputerGeisinger Wyoming Valley Medical Center PA 2,928 11/6/2010 Unauthorized Access/DisclosureE-mailThe Children's Medical Center of Dayton OH 1,001 4/22/2010 Unauthorized Access/DisclosureE-mailSinai Hospital of Baltimore, Inc. MD 937 5/3/2010 Unauthorized Access/DisclosureE-mailReliant Rehabilitation Hospital North Houston TX 763 2/9/2010 Unauthorized Access/DisclosureE-mailBlue Cross Blue Shield of Tennessee TN 1,023,209 10/2/2009 Theft Hard DrivesProvidence Hospital MI 83,945 2/4/2010 Loss Hard DrivesPuerto Rico Department of Health PR 400,000 9/21/2010 Unauthorized Access/Disclosure, Hacking/IT IncidentNetwork ServerTriple-S Salud, Inc. PR 398,000 9/9/2010 Theft Network ServerSeacoast Radiology, PA NH 231,400 11/12/2010 Hacking/IT Incident Network ServerAnkle & foot Center of Tampa Bay, Inc. FL 156,000 11/10/2010 Hacking/IT Incident Network ServerSilicon Valley Eyecare Optometry and Contact LensesCA 40,000 4/2/2010 Theft Network Server
Information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.
14
• PHI is interpreted rather broadly and includes any part of a patient’s medical record or payment history
• …and, that is linked to personal (18) identifiers
impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
Safe Harbor“This guidance is intended to describe the technologies and methodologies that can be used to render PHI unusable, unreadable, or indecipherable to unauthorized individuals.
While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required by section 13402 in the event of a breach.”1
19
1 DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR Parts 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information
(i) Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec.164.308(a)(4).
…
(2) Implementation specifications: (iv) Encryption and Decryption. (Addressable). Implement a
mechanism to encrypt and decrypt electronic protected health information.
(i) Transmission Security -Section 164.312(e)(1) - Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
(2) Implementation specifications: (ii) Encryption (Addressable). Implement a mechanism to
encrypt electronic protected health information whenever deemed appropriate.
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity’s electronic protected health information; and
(ii) As applicable to the entity—(A) Implement the implementation specification if reasonable and appropriate; or(B) If implementing the implementation specification is not reasonable and appropriate—
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
MU Stage 2 Requirements Objective: Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process.
• No definition of Secured or Unsecured PHI in HIPAA!
• The HITECH Act Secretary of Health and Human Services must issue guidance
27
• Securing PHI as defined in the new guidance is important because secured PHI is not subject to the breach notification requirements of the HITECH Act.
• Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
• Two methodologies to secure PHI by making it unusable, unreadable or indecipherable to unauthorized persons: • Encryption• Destruction
• May be used to secure data in four commonly
recognized data states: 1. data in motion2. data at rest3. data in use4. data disposed
29
1 DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR Parts 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information
• Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
30
• Valid encryption processes for data in motion are those which comply, as appropriate, with:• NIST SP800-52
, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations;
• NIST SP800-77, Guide to IPsec VPNs; • NIST SP800-113, Guide to SSL VPNs, • or others Federal Information Processing Standards (FIPS) 140-2 validated.1http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html
Audit Procedures1. Inquire of management as to whether an encryption mechanism
is in place to protect ePHI. 2. Obtain and review formal or informal policies and procedures
and evaluate the content relative to the specified criteria to determine that encryption standards exist to protect ePHI. Based on the complexity of the entity, elements to consider include but are not limited to:
a. Type(s) of encryption used.b. How encryption keys are protected.c. Access to modify or create keys is restricted to appropriate
personnel.d. How keys are managed.
3. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so. Evaluate this documentation if applicable.
But does encryption always = “Safe Harbor”?• Those who claim encryption is a safe harbor to
HIPAA regulation should read 74 Federal Register 79 – issued 4/27/09
• Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals
• At page 19009 – “(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ and such confidential process or key that might enable decryption has not been breached.”
New York General Business Law § 899-aaPrior statute:• "Personal identifying information"
means personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that is included in the same record as the encrypted personal information or data element:
Current statute:• "Private information" shall
mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:
Several States do allow encryption to be a safe harbor
Arizona 44-7501A• 44-7501. Notification of breach of security system;
enforcement; civil penalty; preemption; exceptions; definitionsA. When a person that conducts business in this state and that owns or licenses unencrypted computerized data that includes personal information becomes aware of an incident of unauthorized acquisition and access to unencrypted or unredacted computerized data that includes an individual's personal information, the person shall conduct a reasonable investigation to promptly determine if there has been a breach of the security system. If the investigation results in a determination that there has been a breach in the security system, the person shall notify the individuals affected.
HIPAA Compliance BootCamp™Welcome, Introductions and Overview1. How to Set Up Your Privacy and Security Risk Management & Governance Program 2. How to Assess Your Increased Liability Risk Under the Omnibus Final Rule3. How to Develop & Implement Comprehensive HIPAA Privacy and Security and
Breach Notification Policies & Procedures (PnPs)Networking Break4. How to Prepare for and Manage an OCR Investigation5. How to Train all Members of Your WorkforceNetworking Luncheon & Refresh6. Panel Discussion – How to Implement a Strong, Proactive Business Associate
Management Program7. How to Complete All HIPAA Security Rule Assessment RequirementsNetworking Break8. Presentation and Panel Discussion: How to Create a “Culture of Compliance”9. How to Assess and Monitor Your Compliance with the HIPAA Privacy Rule and
HITECH Breach Notification RuleBuffer Time, Q&A, Final RemarksAttendee Reception (optional)