Thanks to HHS, we now know what "unsecured protected health information" means. So where do we go from here?
If you're leading an organization that handles protected health information (PHI), you may be asking that question today.
As HealthLeaders Media reported Tuesday, HHS issued a proposal for security breach notification in a 20-page report that defines acceptable conditions for covered entities and business associates to encrypt or destroy their private patient data to secure PHI and prevent a breach.
The guidance includes the technologies and methods specified by the secretary of HHS that render PHI "unusable, unreadable, or indecipherable to unauthorized individuals."
In other words, if PHI is not protected by one of these methods or technologies, it could be considered "unsecured PHI."
Time to go out and buy the latest encryption software, right? Not quite.
With its draft guidance, HHS really did no more than point to the NIST encryption standards, which government regulators had endorsed long before the draft guidance was released last week, says Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR.
To that end, check whether your organization is already in compliance and already using those government-approved encryption methods for information flowing out of your network.
Further, covered entities and business associates are not required to follow the guidance. HHS says the guidance merely creates a "safe harbor" that protects covered entities and business associates from the notification requirements when a security breach occurs.
After a public comment period, which ends May 21, the final guidance will be released by August 17, according to the ARRA.
And there will be comments, says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA.
"I think there are going to be changes as far as the way to secure PHI," Herold says. "They provided basically two methods (encryption and destruction), which are both important and good. But I think there may need to be additional methods that go beyond those two."
Here's what else you can take away from the HHS draft guidance:
Consider destruction as well as encryption. "It is important to render disposed PHI, in all forms, irreversibly destroyed as well," Herold says. "The statement, 'Note that the technologies and methodologies referenced … are intended to be exhaustive and not merely illustrative' is interesting; this makes it important for all information security and privacy folks who see gaps with these methods to submit feedback and comments during this review period."
Covered entities and their business associates must understand that these requirements apply not only to electronic PHI, but also to PHI in other forms, such as paper.
Look for further specifications of encryption. As Apgar points out, HHS did not specify the level of encryption needed to make data secure. "As an example, if data is encrypted using 128 bit encryption, it is not necessarily 'unsecured' given 128 bit encryption has been broken."
Consult with your IT specialists. Several of the documents recommended by HHS are "very technical in their contents describing various aspects of information systems to include their architecture and on how data are stored, organized, and transferred within an information system," says Frank Ruelas, MBA, the creator of www.hipaabootcamp.com, who is based in Scottsdale, AZ.
What are the legal implications of the guidance? If the guidance were final today, how would covered entities and business associates be legally bound? After all, no one is forced to follow it; HHS merely calls it the "functional equivalent of a safe harbor," which reminds John R. Christiansen, of Seattle's Christiansen IT Law, of the European Union data protection or anti-kickback safe harbors. "The most important implication of this is that following the guidance should protect against civil penalty actions by HHS, which published the guidance and therefore is bound by it," he says. "The fact that it is not 100% binding on the courts probably shouldn't matter."
So where do you go from here? Backward, to review your encryption methods. And forward, to consider commenting on the HHS draft guidance.
Michael Steele, Republican National Committee chairman, asked President Barack Obama to withdraw Kathleen Sebelius' nomination as health secretary unless she answers more questions on abortion. Steele said Sebelius has not been forthcoming about her ties to a Kansas abortion doctor, George Tiller. The White House declined to comment and a spokesman for the Senate majority leader, Harry Reid, dismissed Steele's complaints.
Only 2% of the nation's Medicare beneficiaries live in South Florida, but that region accounts for 17% of Medicare's total spending on inhalation drugs because of potential fraud, according to a Department of Health and Human Services report. Medicare spent $143 million on claims for drugs to treat respiratory ailments in Miami-Dade County in 2007, which is 20 times more than the amount Medicare spent in the Chicago area, which has twice as many beneficiaries.
Health insurers would be required to cover the cost of hearing aids and cochlear implants for hearing-impaired children under a bill that passed both houses of the Wisconsin Legislature. The measure cleared the Assembly 80-16, while the Senate approved it on a voice vote; both houses have Democratic majorities. It now heads to Democratic Gov. Jim Doyle, who is expected to sign it. About 200 children are born with permanent hearing loss in Wisconsin each year, according to backers of the bill.
Citing new statistics that show a 41% decline in medical malpractice lawsuits statewide since early in the decade, Pennsylvania Gov. Ed Rendell said that efforts to address Pennsylvania's malpractice insurance crisis had curbed the rise in premiums for doctors and given patients better access to care. He said a report released by the Administrative Office of Pennsylvania Courts demonstrated that new laws and judicial rule changes since 2002 had also improved the healthcare climate in the state.
Kaiser Permanente has come up with a system that allows its members to store health information on a USB flash drive that can be carried with them on business trips and vacations. For $5, Kaiser members can get a thumb-sized digital memory device that contains an accurate, up-to-date summary of their health information in a format that virtually any doctor with a computer can read. To safeguard patient privacy, the drive is encrypted and password protected. The information cannot be changed by either the member or the doctor, but patients can get their devices updated for free.