HIPAA (1996) and HITECH/ARRA (2009) were further refined by the release of the HIPAA Omnibus Rule (1/25/2013). These regulations, coupled with increased regulatory scrutiny, can make compliance difficult and expensive. HHS estimated it will cost companies up to $255.4 million to comply with the Omnibus Rule (Rule)! What will a quarter of a billion dollars buy? Let’s invest a few minutes to analyze the impact on covered entities (e.g., hospitals, doctors, insurance), their service providers (i.e., business associates or BAs), and consumers of healthcare services (i.e., you and me).
As directed by the February Executive Order from President Obama, the Federal Government issued a Request for Information (RFI) to receive feedback regarding the National Institute of Standards and Technology’s (NIST) plans to develop a Cybersecurity Framework for Critical Infrastructure. The purpose of the RFI was to gather information from owners and operators of critical infrastructure on which best practices and standards should be included in the future framework. But it’s about time that the security industry stops looking to new standards to solve the problem and learns how to adopt and implement what it already has! The problem does not lie in the standards themselves, but in the marketing and execution behind the standards needed to get business executives involved.
Imagine this: you go to your mailbox and pull out the assorted letters and circulars. One of the letters is from your doctor’s office, informing you that the office was broken into and an unsecured laptop was stolen; it contained data on some of the patients and your data may have been on the laptop.
The reality is that those letters are appearing in mailboxes nationwide.
The Los Angeles Daily News, on July 7, 2011, posted an Associated Press article outlining another HIPAA breach. Specifically, UCLA Health Services (UCLA-HS) entered into an agreement with the Office of Civil Rights (OCR), the division of the US Department of Health and Human Services empowered to enforce HIPAA violations. The UCLA-HS settlement with the OCR was $865,500. This is material because the maximum fine for HIPAA had been $250,000. However, the recently enacted Health Information Technology for Economic and Clinical Health (HITECH) Act increased that maximum penalty to $2.25 million, as illustrated by some recent notable cases:
- $1 million against Rite Aid and its affiliates
- $1 million against Massachusetts General Hospital
- $2.25 million against CVS
Beyond the financial penalties, there can also be the following negative ramifications: civil action, brand equity erosion, customer attrition, and even imprisonment. HITECH also expanded who must comply with HIPAA. Originally, only covered entities (e.g., hospitals, doctors, insurance providers) had to comply with HIPAA, but post-HITECH, most recipients of PHI from covered entities are also covered. So downstream service providers (i.e., business associates) must also comply.
Interestingly, many of these breaches result from good employees doing bad things. For example, a health care professional, with legitimate access to their patients’ records, decides it might be interesting also to review personal health information for patients not under their care – such as celebrities. Covered entities are responsible for protecting PHI, including the actions of their employees. Thus, it would be prudent for entities who receive PHI to revisit their HIPAA programs, including policies, procedures, and audit logs; and because the weakest link in a HIPAA program often is the human element, revisit training and awareness. Look for increased enforcements as regulators aggressively levy fines.
SecureState recommends that organizations receiving PHI become intimately familiar with all of the security and privacy requirements they are subject to in order to understand exactly what they must do to provide adequate protection for PHI, as well as the consequences of noncompliance.
HITECH breach notification requirements apply to breaches of “unsecured” Protected Health Information (PHI). Basically, if electronic PHI data is encrypted, purged, or physically destroyed before it is inadvertently disclosed, then it doesn’t count as a breach. If the information is protected in a way that it can’t be obtained by an unauthorized individual, then you’re safe. The Department of Health and Human Services (HHS) and the Office of Civil Rights (OCR) are currently working together to put some more teeth into the HIPAA Security and Privacy Requirements through the HITECH Act. They are also working on methodologies and strategies for performing HIPAA compliance audits. This means you can expect more fines to be handed out (Cignet Health was fined $4.3 million for privacy violations and Massachusetts General Hospital was fined $1 million for losing documents containing PHI!) and more pressure being placed on covered entities and business associates to comply with HIPAA and HITECH requirements. Beefed-up Security, Privacy, and Breach Notification Rules are expected to be rolled out at some point this year. It’s time to take HIPAA compliance off the back burner and get serious about addressing the requirements. So how can we start reducing risks related to the loss or unauthorized disclosure of protected health information? I would say get the required Risk Analysis done and figure out where you can get the most bang for your buck. For the sake of brevity, let’s focus on portable systems.
Risk Assessments are crucial in identifying the biggest threats and vulnerabilities to critical and sensitive data, in order to identify appropriate controls to reduce risk to acceptable levels. Don’t forget that a Risk Assessment is also required per the HIPAA Security Rule. The first two administrative safeguard requirements of the Security Rule mandate Risk Analysis and Risk Management. These controls require covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of EPHI,” and to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” Now, let’s look at some risky practices and identify the security measures that can be used to reduce them.
The use of end-user systems to manage and store sensitive data ranks pretty high on the risk meter. As part of the HITECH Act, HHS began capturing and publicizing breaches that affected over 500 individuals (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html). Keep in mind that this database doesn’t list breaches that affect fewer than 500 people; there have been over 14,000 of those smaller breaches reported to OCR! Now everyone can go out and see what’s been happening in the healthcare community. It’s a great source of information for an organization to use during its Risk Assessment process in order to identify where and how these breaches occurred. By looking at the data, you can get an idea of what your organization needs to do to reduce its risk in the same scenarios. At the time of this writing, the breach database contained 241 reported incidents spanning the timeframe from September 2009 to December 2010; 75% of the breaches were due to physical theft or loss of paper records, hard drives, computers, etc., and over 60% of the breaches involved the theft or loss of portable devices, such as laptops.
Interesting figures, right? Laptop theft/loss is pretty easy to understand. Most of the time people leave them in their car or unattended at Starbucks, or they have the misfortune of someone breaking into their home or office. Desktops, on the other hand, require some courage to steal. Of course, manufacturers are making desktop computers smaller and smaller, so it’s not that uncommon either.
If you’re on this breach list for these reasons, there are a lot of issues you need to address. First of all, a policy against storing patient information on end-user systems would help. Of course, there may be legitimate reasons why this must be allowed, so policy alone won’t fix much. Instead, conduct the required Risk Assessment and put the security controls in place to reduce the risk and keep your name off the breach list. If over 60% of reported breaches are due to the theft or loss of portable systems, what is an effective method for reducing the risk to PHI? You basically have three options: don’t store it, encrypt it, or destroy it.
HHS has provided “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html). This information can be used to identify an appropriate method to protect your PHI on portable systems (laptops, USB drives, etc.). The following methods are provided in the HHS guidance to reduce risk and avoid breach notification requirements if end-user media or devices are lost or stolen:
- Valid encryption per NIST SP 800-111 (http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf)
  - Full disk encryption (desktops/laptops)
  - Virtual disk and volume encryption (desktops/laptops/removable media)
  - File/folder encryption (all types of end-user devices)
- Media destruction
  - Shredding of hard-copy media
  - Media sanitization per NIST SP 800-88
While not storing PHI on mobile systems would be your best bet, encryption is an alternative when you absolutely and positively need to keep that data on those systems to conduct business. If you have old media or documents that are no longer in use, ensure they are appropriately shredded or sanitized. Ensure that removable media and documents containing PHI are securely stored and controlled at all times. These methods will greatly reduce the risk of unauthorized disclosure due to loss or theft of portable devices and media. By following the HHS guidance, you can not only provide better protection for the PHI entrusted to your organization, but also help keep your reputation intact by not ending up on the public breach list.
To start off, I just wanted to say ‘Happy Data Privacy Day!’ Since it is Data Privacy Day, we here at SecureState thought it would be appropriate to talk about some privacy-related topics. If you are unfamiliar with the holiday, Data Privacy Day is an international holiday that is celebrated in the United States, Canada, and several European countries to help promote data privacy awareness. It is meant to bring together the public, industry, and privacy professionals on topics such as social media; privacy concerns; and local, state, and international privacy laws and regulations. Today I thought it would be interesting to perform a comparison of FERPA and HIPAA.
Aside from the Payment Card Industry Data Security Standard (PCI DSS), another big regulatory requirement that is on many security, compliance, and privacy professionals’ minds is the Health Insurance Portability and Accountability Act (HIPAA). Even though HIPAA has been around since 1995, it really had not gained momentum in the community until the past few years, when fines started being issued; better guidance started being distributed from HHS, CMS, OCR, and NIST; and the OCR started performing more audits. However, there is a privacy law that has been on the books for much longer than HIPAA: the Family Educational Rights and Privacy Act (FERPA).
What Is FERPA?
FERPA is a privacy law meant to protect student records from being disclosed to individuals or organizations without the proper consent of the eligible student or parent, and it provides the eligible student or parent the right to review records and formally amend any errors. Eligible students are students who are at least 18 years of age or who are attending postsecondary education. This law has been in existence since 1974 and governs elementary, secondary, and postsecondary schools (i.e., colleges and universities) that receive federal funding. If a school has been found to have had student records breached or shared with individuals or organizations without proper consent, then the Department of Education could potentially cut all federal funding, such as federally funded education programs, grants, and the ability to accept student loans.
Who Is In Charge of FERPA?
Currently, under the Department of Education, the Family Policy Compliance Office (FPCO) is responsible for investigating complaints and providing technical guidance. It is then the responsibility of the State Education Agencies and Local Education Agencies to enforce state and local laws for elementary, secondary, and postsecondary schools.
How Were HIPAA and FERPA Similar, And How Are They Now Different?
HIPAA and FERPA were very similar at one time because both regulations were enforced only when a formal complaint was sent to their respective offices. After a formal complaint was made, an investigation was performed; however, in almost all cases it resulted only in a nasty-gram from the OCR or the FPCO and a slap on the wrist. It was not until recent years that HIPAA started requiring organizations to report known or suspected breaches of electronic protected health information (ePHI), and fines have been issued against organizations that handle ePHI. As HIPAA matured over time, FERPA remained the same, requiring only the investigation of formal complaints. FERPA currently does not require a school to have a security or risk management program to protect student records, or to report any breaches of student records. The Family Educational Rights and Privacy Act Final Rule from 2008 only “suggests” that schools implement these protections; it does not require them.
How Can We Make FERPA Better?
I think there are a couple of different paths that FERPA could take. The most obvious would be to revise the current regulations to require schools to have an information security and risk management program in place, and to require schools to report any suspected or known breaches. Another way is to control it at the state level. A good example of this is the Massachusetts Breach Notification Law, which not only requires proper breach notification but also ensures that the organization has a proper security program in place. Such state laws could give schools a bit of a push to better protect student records and report suspected or known breaches. Currently, many states have in place only a breach notification law that requires organizations such as schools to report the loss of PII to the people affected. Even this, however, is more than what FERPA requires.
What Will The Future Bring?
I believe that one way or another, schools will need to have a functional, formal, and documented security program to protect student records. The program will be required to have a proper risk management program, operating and effective security controls, and security policies and procedures. Whether it comes from the Federal Department of Education and the FPCO, or is required through state laws, it is coming. Is your school ready?