Jul 05 2010

Risky business

Category: hipaaDISC @ 11:02 pm
Information Security Wordle: NIST HIPAA Securi...
Image by purpleslog via Flickr

By Mary Mosquera

Last year’s HITECH Act toughened the rules and enforcement penalties health information handlers must follow to protect patient privacy.

Under the new policy regime, providers will have to pay more attention to the confidentiality and safety of patient information as they move more of their operations toward electronic health record-keeping.

Without sound security policies and practices, privacy “will be just a principle,” said Sue McAndrew, deputy director for privacy in the Office of Civil Rights, the Health and Human Services Department office that was given responsibility for health privacy and security policy under the new law.

OCR-draft-guidelines-for-security-risk-analysis

“We want it to be a reality for consumers,” she said at a recent privacy and security conference sponsored by OCR and the National Institute for Standards and Technology.

One of the most basic requirements is that providers must now perform a security assessment, a first step in understanding systems and electronic data over which they are temporary stewards.

OCR recently drafted guidance to help providers and payers figure out what is expected of them in doing a risk assessment. While it might sound onerous, a risk assessment might not be as difficult or costly as some providers might believe, even for small practices, privacy.

“When you say, ‘do a security risk assessment’, people’s eyes glaze over,” said Lisa Gallagher, security director of privacy and security for the Healthcare Information and Management Systems Society. “But really, it’s asking, ‘what are the risk areas?’, ‘how could someone get to it?’ and ‘what controls can you put in place to protect it.’”

In its guidance, OCR said organizations should identify and categorize their data collections, document threats to information that might lead to a disclosure of protected data and check to see if their current security measures are adequate.

“For a small organization, it sounds overwhelming and time-consuming, but in a lot of ways, it’s things that they already do,” said Pat Toth, a computer scientist in NIST’s computer security division.

“What small providers need to do is get an understanding of the framework and break down each step,” she said. “It is something that’s going to be living in their organization, so if they do their categorization and get that right, it will set the correct tone for the rest of the process.”

NIST has developed a quick-start guide, a “Cliff’s Notes” of its security publications detailing its risk management framework and risk assessment, in addition to frequently asked questions, to help providers, especially small practices.

For large organizations, risk management starts in the planning and architecture of systems across the enterprise and system life cycle, Toth said.

Besides a risk assessment, OCR is planning stricter reporting of disclosures of health information when electronic health records are used, even when the disclosure is for treatment and billing purposes. Providers will also have to give the reason for the disclosure. In May, OCR published a request for comments on its rulemaking.

The most effective method of accounting for disclosures is by using automated logging features in electronic health records and other computer systems, according to Mac McMillan, chief executive officer of Cynergistek Inc., an IT security consulting firm.

System logs are used to document and maintain a permanent record of all authorized and unauthorized access to and disclosure of confidential information so providers can recover evidence of that access.

“A lot of the difficulty to get accounting of disclosures in place is because of a lack of industry auditing capabilities,” he said at the OCR and NIST conference. “Most systems don’t have the functionality.” Moreover, IT security folks he works with have logging activated, “but they are still manually digesting them,” McMillan said, adding that manual audits are a time-consuming and imprecise process.

Even so, such practices must now be the order of the day under the new privacy and security framework. “The security rule says wherever you have electronic health information, you need to protect it,” said HIMSS’s Gallagher. “You may not even apply for meaningful use incentives. But if you’re keeping data in electronic form, you have to comply with the security rule.”

Related articles

hitech-act-increases-hipaa-security-requirements

healthcare-organizations-may-not-be-prepared-for-hitech-and-other-security-challenges

Tags: arra and hitech, Civil and political rights, Computer security, Consultants, Electronic health record, General and Freelance, hipaa security, hitech, National Institute of Standards and Technology, Risk management, Security


Mar 02 2010

HITECH Act increases HIPAA security requirements

Category: hipaaDISC @ 3:03 pm

by Marcia Savage
The health care industry was buzzing with the news: For the first time ever, a hospital was being audited for compliance with HIPAA security requirements. The audit of Piedmont Hospital in Atlanta by the U.S. Department of Health and Human Services’ inspector general in 2007 was surprising for hospitals, health insurers and others in an industry accustomed to a lack of enforcement of federal privacy and security requirements.

A year later, HHS took another unusual step, meting out a $100,000 fine to Seattle-based Providence Health & Services for HIPAA security and privacy violations. The organization had lost backup tapes, optical disks and laptops containing unencrypted protected health information on more than 360,000 patients.

But those enforcement actions could be small potatoes compared to what’s ahead. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act signed into law last year, earmarks about $19 billion in incentives to encourage adoption of electronic health record technology but also expands on HIPAA’s security and privacy requirements. In addition to instituting new breach notification rules and extending the rules to health care business associates, HITECH implements a new tiered system that increases civil monetary penalties for noncompliance and also allows state attorney generals to file civil actions for HIPAA violations.

“HITECH is perceived as the enforcement arm of HIPAA,” says Barry Runyon, research vice president covering health care providers at Gartner. “The stakes are higher and more people can enforce it.

“What it’s done has kind of jump started HIPAA. Health care delivery organizations’ programs languished for a while,” he adds. “When there’s no enforcement, people tend to get complacent. HITECH is making them revisit their security plans and look at their controls — essentially what they should have been doing.”

Let’s take a look at the ramifications of the HITECH Act on security and privacy in the health care industry and its impact so far.

To read further on HITECH Act increases HIPAA security requirements

Tags: arra and hitech, arra hitech provisions, arra hitech security "business associate", HHS, hipaa, hipaa security, hitech act, status of arra and hitech


Jun 10 2009

How ARRA and HITECH provisions affect HIPAA compliance

Category: hipaaDISC @ 4:02 pm
HIPAA Compliant Seal

Image by Kestelnon via Flickr

HIPAA Plain and Simple

How ARRA and HITECH provisions will affect HIPAA compliance. We will highlight the changes to HIPAA due to these new provisions and discuss a possible solution, how to comply with these new HIPAA security and privacy requirements. American Recovery and Reinvestment Act of 2009 (ARRA) was signed into a law on February 17, 2009. The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of ARRA include important changes in Health Insurance Portability & Accountability Act (HIPAA).

• 2/17/210 applies to business associate – Covered Entity (CE) can apply the HIPAA provisions to Business Associates (BA) through business associate agreement. The HIPAA Administrative Simplification Security Rule “shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. With the change in the HITECH privacy provisions of ARRA, the business associate now has responsibility and liability directly for a breach. CE should revise their business associate contracts to reflect the changes before the deadline.

• Civil Action & Penalties – State Attorney General can prosecute neglect and individual can receive monetary compensation. HIPAA now have teeth with monetary, civil and criminal prosecution.

• Breach Notification – Notification to individual, HHS and media – Notification become more formal if the affected residents are more than 500. Use appropriate public media for cases involving more than 500 individuals. A breach requires notification, which is activated when there is an incident of “unsecured protected health information”.

• Accounting for disclosure – CE is accountable for its BA disclosure of Protected Health Information (PHI)

• Sale of Protected health Information – CE and BA cannot receive payment in exchange of PHI without an individual authorization. CE and BA are required to tell patients about disclosure of PHI for payment, treatment and administrative operation.

HIPAA compliance and how to manage your risks to healthcare assets:

HIPAA requires CE to have appropriate administrative, technical and physical safeguards to protect the privacy of health information. However HIPAA did not provide specific guidance as to what measure and controls will be appropriate.

ISO 27001 provides the basis to build an Information Security management System (ISMS), where organization can develop its own ISMS by applying controls from ISO 27002 code of practice. Only those controls apply which relate to its business objectives and the potential risks to the business. One document which is required to build ISMS is the Statement of Applicability (SoA) which explains why each of the 133 controls from ISO27002 is included in SoA and justification of the remaining controls which are not included. You can build ISMS suitable to your HIPAA needs, a healthcare organization could use its ISMS to ensure that HIPAA security standards required controls were selected from ISO 27002 and appropriately implemented. You need to certify ISMS (ISO 27001) to provide an ongoing assurance to HHS and healthcare business associates which can provide an edge in this downturn economy and more opportunities to enhance business worldwide.

5 HIPAA Rules Regarding Text Messaging

Resources:
CMS audit checklist
NIST guide for implementing HIPAA

Reblog this post [with Zemanta]

Tags: American Recovery and Reinvestment Act of 2009, arra, Health Insurance Portability and Accountability Act, hipaa, hipaa laws, hipaa privacy, hipaa security, hippa compliance, hitech, Protected Health Information