Encryption should be mandatory for one-on-one exchanges between providers regarding treatments, a privacy/security workgroup for the Office of the National Coordinator for Health Information Technology (ONC) reported last week.
During its May 19 meeting, a workgroup from the monthly HIT Policy Committee suggested that those exchanges include:
Encryption (no ability for facilitator to access content)
Encryption should ideally be required wherever transmitted data could be exposed (mandated through meaningful use/certification criteria or a modification of the HIPAA Security Rule)
Limits on identifiable (or potentially identifiable) information in the message
Identification and authentication
"When information is exposed in transmission, it ought to be encrypted," Deven McGraw of the Center for Democracy and Technology and a privacy/security workgroup member said in the meeting last week. "I think we need to be specific where we can."
The Department of Health and Human Services' (HHS) interim final rule on breach notification applies only to "unsecured" protected health information (PHI); PHI encrypted according to the standards in HHS guidance is treated as secured, which creates a "safe harbor." In other words, covered entities and business associates (BAs) do not need to notify individuals of breaches involving PHI encrypted to those standards, provided the decryption key was not compromised along with the data.
However, though HIPAA shows a "strong bias" toward encryption, it does not mandate it, McGraw said.
"HIPAA–love it or hate it, it still didn't envision the infrastructure we have created today, and we need to build on what we have," McGraw said.
The workgroup provides input to the HIT Policy Committee as it sets the ground rules for the "meaningful use" criteria for EHRs.
On December 30, CMS and the Office of the National Coordinator for Health Information Technology (ONC) released two anxiously awaited regulations providing both the definition of "meaningful use" for EHRs and the standards intended to improve the efficiency of health information technology used nationwide by hospitals and physicians.
Currently, the ONC interim final rule, "Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology," requires that certified EHR systems be capable of encrypting electronic health information.
However, it does not require that the capability actually be used.
Final rules on the ONC interim final rule and CMS proposed rules are expected this spring. However, the interim final rule is in effect today.
The privacy/security workgroup also recommended the establishment of ironclad policies.
"We need specific policies, as well as technology requirements, to govern all forms of electronic health information exchange," the group reported. It also says the industry should:
Implement the Nationwide Privacy and Security Framework principles
Ideally, make sure policy work takes place before, or at least in conjunction with, technology standards work
Use technology to implement policy, not to make it
Fill gaps in current law
Address "facilitator" access to identifiable information
Implement constraints on collection, access, and use of identifiable data
Implement constraints on data retention and re-use
HIPAA's privacy and security enforcer has hired an outside firm to help build its HITECH-required HIPAA auditing plan, the government agency tells HealthLeaders Media.
The Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules on behalf of the Department of Health & Human Services (HHS), says it does not have a timetable for when the audit plan begins.
However, in an e-mail to HealthLeaders Media Thursday, May 20, OCR says it is "presently engaged in a contract to survey and recommend strategies for implementing the HITECH audit requirement."
HITECH, passed by Congress and signed into law February 17, 2009, requires OCR to conduct "periodic audits" of covered entities regarding HIPAA privacy and security compliance.
The contractor will help OCR with the "how" and "when" of the audit program.
Sue McAndrew, the deputy director for Health Information Privacy for OCR, told HealthLeaders Media at the 18th Annual National HIPAA Summit in February that "there are 1,000 ways to do this."
Talk of enforcement heated up this month at a national security conference, according to Mac McMillan, CEO of CynergisTek™ and one of the speakers at the Washington, DC, conference–"Safeguarding Health Information: Building Assurance through HIPAA Security."
The conference was hosted by HHS, OCR and National Institute of Standards and Technology (NIST).
McMillan praised OCR for what he called a "proactive" approach to carrying out the provisions in HITECH and maintaining transparency in the process. He said the longtime privacy enforcer, which this year took over enforcement of the security rule from CMS, is "doing a much better job than its predecessor."
"OCR is much more organized and is quietly getting its stuff together," says McMillan, who has had conversations with top OCR officials. "With CMS, enforcement just didn't really fit. OCR on the other hand has been in the business of investigating privacy issues since Day 1."
When asked if it will audit entities who report breaches of unsecured protected health information (PHI) affecting 500 or more individuals, OCR tells HealthLeaders Media it has not "determined how the HITECH audit requirement will be implemented."
HITECH requires OCR to post on its website those entities who report the 500-or-more patient information breaches.
As for breaches below the 500 mark, OCR says it does not intend to publish breach information on those reports.
"However," OCR says, "summary data will be included in OCR's annual report to Congress about breaches."
Though no enforcement plans have been announced regarding HITECH provisions, OCR says it is serious about it. OCR gained 36 FTEs dedicated to HIPAA privacy and security rule compliance and enforcement this fiscal year and is now up to 132.
OCR has obtained corrective action—meaning entities taking significant and important actions to change practices to come into compliance with the privacy rule—in more than 14,900 cases since 2003.
"They're focused clearly on compliance," McMillan says.
The CEO praised OCR for reaching out to the industry–and general public–regarding its "Request for Information for Accounting of Disclosures Rulemaking."
In that May 3 Federal Register posting, OCR asks providers and the public several questions to help it produce a proposed rule on accounting of disclosures from EHRs. The proposed rule is due out in June; the underlying HITECH provision gives patients a broader right to an accounting of disclosures made from their EHRs.
"They're engaged," McMillan says. "They're not afraid to talk about this. I think they're doing a lot more that most folks aren't seeing yet."
Names of healthcare entities masked as "private practice" on the government website that lists organizations reporting large breaches of unsecured protected health information (PHI) will soon be revealed.
The Office for Civil Rights (OCR), the enforcer of the HIPAA privacy and security rules, tells HealthLeaders Media in an e-mail it will lift the "private practice" tag on its website once the 40-day comment period is up on its April 13 Federal Register notice that modifies its existing "System of Records" practices.
The comment period ends Sunday, May 23, and "so, OCR anticipates beginning to publish the names of covered entities currently listed as 'Private Practice' some time after that," the agency said in an e-mail to HealthLeaders Media. "OCR intends to apply the new routine use retroactively, so names of all covered entities currently listed as 'Private Practice' would be published."
Of the 87 entities reporting breaches affecting 500 or more individuals on the OCR website as of Tuesday, May 18, eight are listed as "private practice."
When questioned about the listing of "private practices" early last month, OCR originally told HealthLeaders Media that private practitioners who report these major breaches are considered "individuals" as defined by the Privacy Act of 1974.
Therefore, those "individuals" can stop OCR from posting its name on its breach notification website if the "individual" does not provide written consent. In those cases, OCR would list the entities as "private practice."
"It is the legal opinion of HHS that the names of private practitioners are identifiable as 'individuals,' as defined by the Privacy Act of 1974," OCR wrote to HealthLeaders Media April 7.
However, OCR, in its April 13 Federal Register notice, wants to expand the way OCR uses and stores information per HITECH requirements. One of the modifications is to make posting of entities who report breaches of 500 or more as a "routine use."
The language in the Privacy Act of 1974 says, "the term 'routine use' means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected."
Ultimately, a routine use allows a federal agency to disclose a record without obtaining consent from the individual it concerns. As long as a disclosure qualifies as a "routine use," the information can be made public without that consent.
Asked why OCR sought to change this consent authority for this particular website, OCR tells HealthLeaders Media, "The HITECH Act required it." OCR said it had to wait for the "Systems of Records" modification request to lift the "private practice" mask on its website.
HITECH's breach notification interim final rule requires OCR to list on its website entities that report breaches of unsecured PHI affecting 500 or more individuals. OCR went live with the website in mid-February, starting with 32 entities that had reported such breaches since September 2009.
Perhaps it's time to make laptops look unappealing to thieves to prevent them from being stolen.
"A tongue-in-cheek solution—ugly, cumbersome, low-appeal devices," says Nancy Davis, privacy and security officer for Ministry Health Care in Sturgeon Bay, WI. "We had a suggestion . . . to paint them all mustard yellow."
Naturally, Davis and fellow HIPAA privacy and security officers and consultants have more serious ideas about securing laptops. And most agree—encryption is the safest way to ensure your patients' protected health information (PHI) is secured before it flies out the door.
In its interim final rule on breach notification, the Office for Civil Rights (OCR), the enforcer of HIPAA's privacy and security rules, lists several methods of encryption that create a "safe harbor" in case of a breach of PHI.
But laptops remain a large source of patient information breaches.
Of the 79 entities that reported breaches of unsecured PHI affecting 500 or more individuals on the OCR website as of Friday, May 14, 20 involved a laptop (25%).
And a Republican congressman Wednesday, May 12 sent a letter to the secretary of the Department of Veterans Affairs (VA) with concerns over two stolen unencrypted laptops in Texas over a two-week span this spring. One of the laptops contained personal identifying information of 644 veterans, according to the letter's author, Congressman Steve Buyer (R-IN).
"Providers must start taking the regulations seriously and must take the steps necessary to protect patient information, especially on these most vulnerable portable devices," says Dena Boggan, CPC, CMC, CCP, HIPAA privacy and security officer at St. Dominic Jackson Memorial Hospital in Jackson, MS. "From the portable devices security guidelines released by CMS in December 2006 to the notification of breach guidelines detailed in HITECH, the message is clear—complete your risk analysis, determine your vulnerabilities, and take the steps to correct any inefficiencies in your security policies and procedures or you may be subject to penalties for failure to do so."
On April 9, West Monroe Partners reported to New Mexico that an unencrypted laptop had been stolen from the trunk of a car in Chicago on March 20. The laptop contained patient information from the New Mexico Medicaid program, including:
Names
Health plans
Identification numbers
Social Security numbers
Provider identification numbers
The state Medicaid program sent notification letters to its members and set up a toll-free telephone line through DentaQuest to take questions. The letter explains how members can place a fraud alert on their accounts. That information is also available on the New Mexico Medicaid website.
The New Mexico breach illustrates two essential points: know to whom you are contracting your work, and have a breach notification policy in place so everyone knows their role, says Brandon Ho, CIPP, the HIPAA compliance specialist for the Pacific Regional Medical Command based at Tripler Army Medical Center in Honolulu, HI.
"As organizations continue to see that laptops are going to be lost or stolen, organizations need to know the three rules of laptops: encrypt, encrypt, and encrypt," says William M. Miaoulis, CISO, CISA, CISM, manager of healthcare security services for Phoenix Health Systems in Dallas. "When data is encrypted organizations can avoid the high cost of the HITECH breach notification requirements."
Miaoulis advises organizations to extend controls beyond laptops and to restrict access to and/or encrypt any mobile media containing PHI, such as:
Thumb drives
Smartphones
BlackBerries
iPhones
Backup tapes
Home computers
Mac McMillan, CEO of CynergisTek, an IT security consulting firm in Austin, Texas, says it can cost around $150 on average to encrypt one laptop.
"Is that not worth it?" McMillan asks.
McMillan, a 30-year veteran of the security and risk management industry and former director of security for two Department of Defense agencies, says one of the first steps is to conduct a cost-benefit analysis and determine what needs to be encrypted.
Davis, of Ministry Health Care, says the answer, "quite simply, is encryption, and there is no excuse not to take this on based on the breaches of more than 500 individuals reported to HHS since September, the majority of them being related to lost or stolen devices."
In a privacy update presentation to one of her organization's large hospitals, Thursday, May 13, Davis suggested these prevention methods:
Eliminate storage of files on local hard drives, CDs, flash drives, etc.
Encrypt laptops
Have remote access through approved method (e.g., Citrix, VPN)
Follow established privacy and security policies
And it doesn't cost much to comply, Boggan says.
"Think you can't afford to do so?" she asks. "Consider the cost of setting up free credit reporting for 9,600-plus individuals for a year, sending out notification to these individuals that their information may have been breached, adding additional staff to field phone calls and inquiries from concerned patients, plus being subject to [HITECH] Tier D fines: willful neglect, not corrected, is up to $1.5 million. I believe one would find it to be more cost efficient to be proactive rather than reactive."
The Office for Civil Rights (OCR) on Friday issued its first in a series of HITECH-required guidance documents to educate covered entities and business associates (BA) on the best methods to secure electronic protected health information (ePHI).
The first guidance document focuses on risk analysis, a HIPAA Security Rule-required measure for covered entities and now BAs.
"The guidance is an effective primer in that it summarizes basic information about the required risk analysis within the security rule that has existed since the early days of HIPAA," says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ. "A key aspect highlighted within the guidance is that the guidance is not a one-size-fits-all blueprint. This is critical to keep in mind because of the diversity of information systems and data handling processes that touch ePHI within the spectrum of organizations where the requirement of a risk analysis applies."
OCR calls risk analysis the "first step" to identify and implement safeguards that comply with and carry out the standards and implementation specifications in the security rule.
"Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect [ePHI]," according to the guidance document.
Here are some of the key checklist items for the security rule's risk analysis, according to OCR's guidance document:
Scope of the analysis. Includes the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all e-PHI that an organization creates, receives, maintains, or transmits; hard drives, floppy disks, CDs, DVDs, smart cards, or other storage devices, personal digital assistants, transmission media, or portable electronic media.
Data collection. Where is your e-PHI stored, received, maintained, or transmitted? Review past and/or existing projects, perform interviews, review documentation, etc.
Document potential threats and vulnerabilities. Identify and document reasonably anticipated threats to e-PHI. Identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI.
Assess current security measures. Assess and document the security measures you use to safeguard e-PHI, whether security measures required by the security rule are already in place, and if current security measures are configured and used properly.
Determine the likelihood of threat occurrence. Take into account the probability of potential risks to e-PHI. The results of this assessment, combined with the initial list of threats, will influence the determination of which threats the Rule requires protection against because they are "reasonably anticipated."
Ruelas says for the most part, if organizations have been diligent complying with the risk analysis in the security rule, there is really "nothing new."
However, Ruelas hopes entities pay particular attention to OCR's message to document your risk analysis and its words on how often a periodic review of the risk assessment should occur.
OCR says the risk analysis process should be ongoing. For an entity to update and document its security measures "as needed," which the security rule requires, it should conduct continuous risk analysis to identify when updates are needed.
Some covered entities may perform these processes annually or as needed (e.g., every two or three years) depending on the circumstances of their environment.
"In the end, I see this initial guidance as setting a foundation of basic topics regarding the risk analysis process that future guidance documents will expand," Ruelas says. "By reiterating what was already established during the early days of the security rule and bringing it to the forefront, this guidance has helped dust off and put front and center information that was to be applied more than five years ago."
Patient-record snooping is inevitable, but with the advent of electronic health records (EHRs), it took "a new twist," says Kate Borten, CISSP, CISM, president of The Marblehead Group.
"The fact that e-records can be accessed from anywhere is both a blessing and a privacy and security curse," Borten says.
Borten says facilities should consider not only blocking access to PHI for employees who don't need it, but also to have strict policies and penalties in place for those who snoop at patient records.
Says Borten: "Today the standard approach–after technically blocking access from those who don't need it, of course—is to have a policy prohibiting snooping and sanctions for violations, workforce training that makes this crystal clear, and then follow-through with technical and manual auditing and disciplinary action."
Patient-record snooping grabbed headlines Tuesday, May 4, when Huping Zhou, 47, of Los Angeles became the first person sentenced to prison for misdemeanor HIPAA offenses for accessing confidential records without a valid reason or authorization, according to the U.S. Attorney's Office in the Central District of California.
United States Magistrate Judge Andrew J. Wistrich sentenced Zhou, a former UCLA Healthcare System employee who admitted snooping at patients' records, to four months in prison.
Zhou admitted to illegally reading private and confidential medical records, mostly those of celebrities and other high-profile patients, the U.S. Attorney's Office said in a release.
Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP and author of HIPAA Blog, says Zhou's sentence and another six months ago serve as "object lessons" for the industry.
A federal judge on October 26, 2009, sentenced a doctor and two former hospital employees to a year's probation; they admitted to snooping at the records of Little Rock, AR, TV reporter Anne Pressly, who was murdered. Pressly was found severely beaten in her Little Rock home on October 20, 2008, and died five days later.
"I think the Pressly case, followed by [Zhou], are definitely intended to be 'object lessons' to make an example and scare others," Drummond says. "I agree with that strategy."
Last October, U.S. Attorney Jane Duke said in a statement she hoped the Little Rock snooping sentencings "send the message that the HIPAA protections apply to every person in the community, regardless of their position or stature. Likewise, the penalties for violating HIPAA apply equally to every person with access to protected health information."
Drummond says organizations need to sniff out snooping themselves, and fire people to scare the rest of the staff. He suggested to even "perp walk" violators off the premises.
"I'd even recommend 'honey pots' to basically trap snoopers," Drummond says. "Make sure they are trained, but if they snoop, fire 'em. Even if it's entrapment."
Covered entities and patients will have a say in the Office for Civil Rights' (OCR) proposed rulemaking on the HITECH provision some healthcare providers deemed a logistical nightmare.
OCR today published a notice in the Federal Register asking for help crafting a proposed rule on accounting of disclosures on electronic health records (EHRs) per HITECH.
HITECH expands an individual's right to request an accounting of disclosures of his or her health record. In its semiannual regulatory agenda, OCR said it expects to produce these regulations in June.
In the Federal Register today, OCR writes that the comments from providers and patients will "help us better understand the interests of individuals with respect to learning of such disclosures, the administrative burden on covered entities and business associates of accounting for such disclosures, and other information that may inform [our] rulemaking in this area."
Current law exempts disclosures made to carry out treatment, payment, and healthcare operations from the accounting requirement. HITECH removes that exemption for disclosures made through an EHR, so patients will be able to request an accounting of those disclosures as well.
Because of the expansion of disclosure rights to patients, when President Obama in February 2009 signed HITECH into law some providers called the accounting of disclosures provision a logistical nightmare.
In order to get ahead of the game, covered entities should document their uses, disclosures, and storage of PHI with EHRs or any other system or data repository, Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, says in the HCPro, Inc. April 2009 HIPAA and the HITECH Act whitepaper.
Keep audit logs of who accessed which records, when, and in what role. Besides the future requirement to track and make available PHI disclosed from an EHR, the HIPAA Security Rule already requires the generation and review of audit logs.
Use a database to ensure all uses and disclosures are tracked as required by the HIPAA Privacy Rule, and plan to maintain similar information on treatment, payment, and operations disclosures so that the records exist when the EHR accounting of disclosures requirement becomes reality.
In today's Federal Register posting, OCR asks questions such as:
What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and healthcare operations purposes?
Are individuals aware of their current right to receive an accounting of disclosures? On what do you base this assessment?
If you are a covered entity, how do you make clear to individuals their right to receive an accounting of disclosures? How many requests for an accounting have you received from individuals?
For individuals that have received an accounting of disclosures, did the accounting provide the individual with the information he or she was seeking?
What is the feasibility of an [EHR] module that is exclusively dedicated to accounting for disclosures (both disclosures that must be tracked for the purpose of accounting under the current HIPAA Privacy Rule and disclosures to carry out treatment, payment, and healthcare operations)? Would such a module work with covered entities that maintain decentralized electronic health record systems?
Is there any other information that would be helpful to [OCR] regarding accounting for disclosures through an [EHR] to carry out treatment, payment, and healthcare operations?
United States Magistrate Judge Andrew J. Wistrich sentenced a former UCLA Healthcare System employee who admitted snooping at patients' records to four months in prison Tuesday, according to the U.S. Attorney's Office in the Central District of California.
Huping Zhou, 47, of Los Angeles, admitted to illegally reading private and confidential medical records, mostly those of celebrities and other high-profile patients, the U.S. Attorney's Office said in a release.
Wistrich condemned Zhou for his lack of respect for patient privacy, according to the release.
Zhou is the first person in the nation to be convicted and incarcerated for misdemeanor HIPAA offenses for merely accessing confidential records without a valid reason or authorization, according to the attorney's office.
Zhou in January of this year pleaded guilty to four misdemeanor counts of violating the HIPAA Privacy Rule. He is a licensed cardiothoracic surgeon in China who was employed in 2003 at UCLA Healthcare System as a researcher with the UCLA School of Medicine.
According to the U.S. attorney's release, on October 29, 2003, Zhou accessed and read his immediate supervisor's medical records and those of other co-workers. He had received a notice of dismissal that day from UCLA Healthcare for reasons not related to snooping. It is unclear when exactly he was fired and how he accessed records for three weeks after receiving the dismissal notice.
According to court documents, Zhou for the next three weeks accessed the UCLA patient records system 323 times, with most of the accesses involving well recognized celebrities.
Some facilities use "honeypots" as bait to catch snooping staff members who are in violation of HIPAA. "Honeypots," also referred to as "honeynuts," are fictitious medical records that IT monitors to determine if anyone is accessing them.
The terms honeypots and honeynuts derive from the notion that if you want to catch birds, you scatter birdseed.
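The two ideas above, decoy records that no one has a legitimate reason to open and routine review of the access audit trail, together with the audit-log advice given earlier on this page for accounting of disclosures, are shown together in the following added example. It is not code from the article or from any organization it names. The CSV audit format, the user and patient identifiers, the `HP-` decoy IDs, the termination date and the purpose codes are all constructed assumptions; a real EHR logs in its own format, and only the parsing step would change.

```python
"""Audit-log review for EHR record access: honeypot (decoy record) hits,
access after an account should have been disabled, and a per-patient
accounting of disclosures.

Added example, not code from the original article or any organization it
names. The log format, field names and all records below are constructed.
"""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample log, loosely modeled on the timeline in the article
# (dismissal notice, then continued access). One line per record access.
# The HP-* patient IDs are fictitious decoy records that IT monitors;
# a clinician has no treatment reason to open them.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action,reason
2003-10-29T09:12:00,hzhou,researcher,P-10021,view,
2003-10-29T09:15:00,hzhou,researcher,P-10022,view,
2003-10-30T22:05:00,hzhou,researcher,HP-0007,view,
2003-11-02T14:40:00,nurse01,nurse,P-10021,view,treatment
2003-11-03T08:00:00,billing02,billing,P-10021,export,payment
2003-11-10T13:22:00,dr.lee,physician,HP-0007,view,
2003-11-12T11:00:00,hie-gw,system,P-10021,transmit,treatment
"""

HONEYPOT_IDS = {"HP-0007", "HP-0042"}  # constructed decoy record IDs
# Constructed: user -> first day on which the account should have been disabled
TERMINATIONS = {"hzhou": datetime(2003, 10, 30)}
# Actions where data left the system (a disclosure) rather than an internal use
DISCLOSURE_ACTIONS = {"export", "transmit"}
TPO_PURPOSES = {"treatment", "payment", "operations"}


def parse_audit_log(text):
    """Parse CSV audit lines into dicts, converting the timestamp to datetime."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def honeypot_hits(events, honeypot_ids=HONEYPOT_IDS):
    """Every access to a decoy record is a snooping signal, whatever the role.
    Returns (user, patient_id, timestamp) tuples in log order."""
    return [(e["user"], e["patient_id"], e["timestamp"])
            for e in events if e["patient_id"] in honeypot_ids]


def post_termination_access(events, terminations=TERMINATIONS):
    """Accesses by a user on or after the date the account should have been
    disabled: a de-provisioning failure as well as a possible privacy violation."""
    hits = []
    for e in events:
        cutoff = terminations.get(e["user"])
        if cutoff is not None and e["timestamp"] >= cutoff:
            hits.append((e["user"], e["patient_id"], e["timestamp"]))
    return hits


def accounting_of_disclosures(events, patient_id, include_tpo=True):
    """Build the list a patient would receive on request. include_tpo=False
    mirrors the pre-HITECH exemption of treatment/payment/operations
    disclosures; include_tpo=True keeps them, as HITECH requires for EHRs."""
    out = []
    for e in events:
        if e["patient_id"] != patient_id or e["action"] not in DISCLOSURE_ACTIONS:
            continue
        if not include_tpo and e["reason"] in TPO_PURPOSES:
            continue
        out.append({"when": e["timestamp"].isoformat(), "to": e["user"],
                    "role": e["role"], "action": e["action"],
                    "purpose": e["reason"] or "unstated"})
    return out


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_LOG)
    print("honeypot hits:", honeypot_hits(events))
    print("post-termination access:", post_termination_access(events))
    print("accounting for P-10021:", accounting_of_disclosures(events, "P-10021"))
```

Two points worth noting in the output: the physician who opened the decoy record is flagged just like the departing researcher, because a decoy has no legitimate reader, and the accounting for P-10021 contains two entries only when treatment/payment/operations disclosures are included, which is exactly the expansion the HITECH provision introduces.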
The timing of the release of proposed HIPAA regulations per the HITECH Act became a little more clear this week.
The Department of Health & Human Services (HHS) released its semi-annual regulatory agenda in the Federal Register Monday and wrote that modifications to the HIPAA privacy, security and enforcement rules will be coming in May.
HHS did not detail exactly which proposed rules would be released. But last month, the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules, said regulations forthcoming include:
Business associate (BA) liability
New limitations on the sale of personal health information, marketing, and fundraising communications
Stronger individual rights to access electronic medical records and restricting the disclosure of certain information
Earlier this month, HHS sent for review regulations per HITECH requirements to the Office of Information and Regulatory Affairs (OIRA), according to privacy and security experts.
OIRA has 90 days to review the regulations, though the head of the submitting agency can extend that time and OIRA may request a one-time 30-day extension, says Jana Aagaard of the Law Office of Jana Aagaard in Carmichael, CA.
The industry has been waiting on rules from OCR concerning HITECH provisions that took effect February 17. Until this week, neither HHS nor OCR had provided any specific timeline for the release of regulations.
The Office for Civil Rights (OCR) confirmed in an e-mail to HealthLeaders Media Friday afternoon that it will begin posting on its breach notification website the names of entities it considers "individuals," regardless of whether those entities give consent.
Currently, OCR does not post the names of such entities (namely sole practitioners) who report breaches affecting 500 or more individuals if they do not give OCR consent; OCR treats them as protected "individuals" per the Privacy Act of 1974. Instead, OCR lists them as "private practice."
As of today, eight of the 64 entities on the OCR Web site are listed as "private practice."
John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and former chairperson of the team that created the HIPAA Security Rule, says some see this practice as "discriminatory."
"A breach is a breach," he says.
But OCR filed a notice in the Federal Register Monday in order to modify its existing "System of Records" practices and ultimately lift the "consent" option of these sole practitioners. The Federal Register notice intends to expand the way OCR uses and stores information per HITECH requirements.
One of the modifications is to make posting of entities that report breaches of 500 or more a "routine use." That term comes from the Privacy Act of 1974 and allows a federal agency to disclose a record without obtaining the individual's consent. As long as a disclosure qualifies as a "routine use," the information can be made public without that consent.
The language in the Privacy Act of 1974 says, "the term 'routine use' means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected."
The "routine uses" will become effective at the end of the 40-day comment period set forth in the notice (about May 23), according to the e-mail OCR sent to HealthLeaders Media. It also depends upon public comment received by HHS/OCR.
But once that happens, "OCR would be able to post the names of covered entities without first obtaining their consent," according to the e-mail OCR sent to HealthLeaders Media.
Industry insiders previously questioned OCR's use of "private practice" on its breach website, saying it defeats Congress' intent of public scrutiny for such egregious breaches. The requirement to make public the entities reporting such large breaches was first established when HITECH was signed into law February 17, 2009. It is now carried out under the breach notification interim final rule, published last August and in effect since September.