This article discusses techniques for implementing the updated requirements of the HIPAA Security Rule, with particular focus on strategies for assessing the effectiveness of implemented security controls to support compliance and audit, as well as a covered entity’s (or business associate) overarching risk management program in the context of HIPAA Compliance. Covered entities are becoming more pro-active in monitoring their business associate compliance with HIPAA privacy and security regulations and the recent changes largely the product of the HITECH Act. In the past I have used a series of questions to ascertain the compliance status of business associates to comply with HIPAA privacy and security rules. I find it useful to map security controls to NIST Special Publication 800-53. The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems. The controls are included in the final version of Special Publication 800-53, Revision 3 “Recommended Security Controls for Federal Information Systems and Organizations,” released in August of 2009. (Available at http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf). [...]
|
|||||
|
By Robert Hudock, on November 29th, 2009
 Print This PostNovember 29th, 2009 | Tags: 800-53, 800-66, compliance, HIPAA, HITECH Act, NIST, security controls | Category: American Recovery and Reinvestment Act, Data Hemorrages, Destruction, Encryption, FIPS 140-2, Federal Agencies, HIPAA Security, HITECH Act, Health Information Technology, Health Reform, Health and Humans Services (HHS), Individually identifiable health information, Interoperability, Meaningful Use, Media Sanitization, NIST, Office of Civil Rights, Privacy, SSL VPNs, anonymization, unsecured protected health information |
5 comments
Print This PostBy Robert Hudock, on October 15th, 2009
Print This PostOn October 7, 2009 HHS announced proposed rulemaking to modify the HIPAA privacy rule to comply with Section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA) regarding the privacy and confidentiality of genetic information. Generally, the HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The HIPAA Privacy Rule requires a covered entity (and beginning next year Business Associates) to implement reasonable and appropriate administrative, technical and physical safeguards to protect the privacy of personal health information (PHI). The HIPAA privacy rule more generally sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request [...] October 15th, 2009 | Tags: genetic information, Genetic Information Nondiscrimination Act of 2008, gina, HIPAA, PHI | Category: Deidentified Health Information, Federal Agencies, Genetic Information Nondiscrimination Act of 2008, HIPAA Privacy, HITECH Act, Health and Humans Services (HHS), Office of Civil Rights, Privacy, Privacy Law, State Privacy and Computer Security Laws, anonymization |
Leave a comment
Print This PostBy Kristen McDonald, on September 15th, 2009
Print This PostWhat happens if the offices of a covered entity are broken into and unsecured protected health information (PHI) of more than 500 individuals is stolen? With the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act,1 the ramifications to the covered entity and potential liability stemming from such a breach2 are significant to say the least. Not only is the covered entity required to notify the affected individuals of the breach of unsecured PHI,3 but also the covered entity must notify the media and the Department of Health and Human Services Secretary (HHS Secretary) of potentially damaging information concerning the breach. The HITECH Act’s requirement to report details of a significant breach not only to the affected individuals but also to the media and the Secretary may negatively impact the covered entity’s goodwill in the community and cause a loss of business. Of particular concern to the covered entity’s litigation counsel, though, is the potential liability that the covered entity may face due to the [...] September 15th, 2009 | Tags: Damages, HHS, HIPAA, HITECH Act, litigation, PHI, security, significant breach, unsecured PHI | Category: Computer Security Law -- Federal, Damages, HIPAA Privacy, HIPAA Security, HITECH Act, Health and Humans Services (HHS), Identity Theft, Individually identifiable health information, Office of Civil Rights, unsecured protected health information |
One comment
Print This PostBy Robert Hudock, on August 21st, 2009
Print This PostRegulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when personal health information is breached were issued August 19th, 2009, by the U.S. Department of Health and Human Services (HHS). These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 [...] August 21st, 2009 | Tags: Data at Rest, Data Disposed, Data in Motion, Data in Use, Destruction, Encryption, FTC, Health Breach Notification Rule - FTC, HHS, HIPAA, OCR, paper, redaction, Report, security breach | Category: American Recovery and Reinvestment Act, Computer Security Law -- Federal, Encryption, FIPS 140-2, FTC Security Breach Notification, HIPAA Security, HITECH Act, Health and Humans Services (HHS), Media Sanitization, NIST, Office of Civil Rights, unsecured protected health information |
Leave a comment
Print This PostBy Robert Hudock, on August 5th, 2009
Print This PostIt appears HHS has taken this critique to heart. HHS recently released notice of an important shift in the internal responsibility/delegation of authority for the monitoring and enforcement of the HIPAA Security Rule (and all additional health IT-related security responsibilities, under ARRA). Previously responsibility for administering (interpretation, education, guidance, FAQs, etc), monitoring and enforcing the HIPAA Security Rule was a CMS responsibility (specifically, the CMS Office of E-Standards and Services or CMS/OESS). The administration, monitoring and enforcement of the HIPAA Privacy Rule fell under the Office for Civil Rights [...] August 5th, 2009 | Tags: CMS, HHS, HIPAA, OCR, Poor Enforcement | Category: CMS, Enforcement, HIPAA Security, Health and Humans Services (HHS), Office of Civil Rights, Privacy Law |
Leave a comment
Print This PostImprove the web with Nofollow Reciprocity. |
|||||
|
Copyright © 2010 Law Blog 2.0 - Robert Hudock, Esq., CISSP - All Rights Reserved - This Blog is a personal blog of Robert Hudock. |
|||||
Content of the Notice to the Secretary of HHS for a Reportable Security Breach
Under the HITECH breach notification requirements, covered entities must notify HHS of all reportable breaches. HHS recently released a list of breaches, including the covered entity, the business associate, number of individuals affected, and the location of the information lost. More than 35 HIPAA covered entities have reported breaches involving more than 500 individuals’ PHI since September 2009. The theft/loss of laptops, desktop and portable media by far represent the majority of the security breaches reported thus far. A summary of breaches reported thus far appears [...]