HITECH breach notification requirements apply to breaches of “unsecured” Protected Health Information (PHI). Basically, if electronic PHI data is encrypted, purged, or physically destroyed before it is inadvertently disclosed, then it doesn’t count as a breach. If the information is protected in a way that it can’t be obtained by an unauthorized individual then you’re safe. The Health and Human Services (HHS) and Office of Civil Rights (OCR) are currently working together to put some more teeth into HIPAA Security and Privacy Requirements through the HITECH Act. They are also working on methodologies and strategies for performing HIPAA Compliance Audits. This means you can expect more fines to be handed out (Cignet Health was fined $4.3 million for Privacy Violations and Massachusetts General Hospital was fined $1 million for losing documents containing PHI!) and more pressure being placed on covered entities and business associates to comply with HIPAA and HITECH Requirements. Beefed up Security, Privacy, and Breach Notification Rules are expected to be rolled out at some point this year. It’s time to take HIPAA compliance off the back burner and get serious about addressing the requirements. So how can we start reducing risks related to the loss or unauthorized disclosure of protected health information? I would say get the required Risk Analysis done and figure out where you can get the most bang for your buck. For the sake of brevity, let’s focus on portable systems.
Risk Assessments are crucial in identifying the biggest threats and vulnerabilities to critical and sensitive data, in order to identify appropriate controls to reduce risk to acceptable levels. Don’t forget that a Risk Assessment is also required per the HIPAA Security Rule. The first two administrative safeguard requirements of the Security Rule mandate Risk Analysis and Risk Management. These controls require covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of EPHI,” and to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” Now, let’s look at some risky practices and identify the security measures that can be used to reduce them.
The use of end-user systems to manage and store sensitive data ranks pretty high on the risk meter. As part of the HITECH Act, HHS began capturing and publicizing breaches that affected over 500 individuals (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html). Keep in mind that this database doesn’t list breaches that affect less than 500 people. There have been over 14,000 of the smaller breaches reported to OCR! Now everyone can go out and see what’s been happening out there in the healthcare community. It’s a great source of information for an organization to use during their Risk Assessment process in order to identify where and how these breaches occurred. By looking at the data, you can get an idea of what your organization needs to do to reduce your risk in the same scenarios. At the time of this writing, the breach database contained 241 reported incidents spanning the timeframe from September 2009 to December 2010; 75% of the breaches were due to physical theft or loss of paper records, hard drives, computers, etc and over 60% of the breaches included the theft or loss of portable devices, such as laptops.
Interesting figures, right? Laptop theft/loss is pretty easy to understand. Most of the time people leave them in their car, unattended at Starbuck’s, or just have an unfortunate incident when someone breaks into their home or office. Desktops, on the other hand, require some courage to steal. Of course, manufacturers are making desktop computers smaller and smaller, so it’s not that uncommon.
If you’re on this breach list for these reasons, there are a lot of issues you need to address. First of all, a policy on not storing patient information on end-user systems would help. Of course, there may be legitimate reasons why this can be allowed, so policy won’t really fix much. Alternatively, conduct the required Risk Assessment and put the security controls in place to reduce the risk and keep your name off the breach list. If over 60% of reported breaches are due to the theft or loss of portable systems, what is an effective method for reducing the risk to PHI? You basically have three options: don’t store it, encrypt it, or destroy it.
HHS has provided “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,” (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html). This information can be used to identify an appropriate method to protect you PHI on portable systems (laptops, USB drive, etc.). The following methods have been provided in the HHS guidance in order to reduce risk and avoid breach notification requirements if end-user media or devices are lost or stolen:
- Valid encryption per NIST SP 800-111 (http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf)
- Full disk encryption (desktops/laptops)
- Virtual disk and volume encryption (desktops/laptops/removable media)
- File/folder encryption (all types of end user devices)
- Media destruction
- Shredding of hard copy media
- Media sanitation per NIST SP 800-88
While not storing PHI on mobile systems would be your best bet, encryption is an alternative when you absolutely and positively need to keep that data on those systems to conduct business. If you have old media or documents that are no longer in use, ensure they are appropriately shredded or sanitized. Ensure that removable media and documents containing PHI are securely stored and controlled at all times. These methods will greatly reduce the risk of unauthorized disclosure due to loss or theft of portable devices and media. By following the HHS guidance, you can not only provide better protection for the PHI entrusted to your organization, but also help keep your reputation intact by not ending up on the public breach list.