Update-

Under the HITECH breach notification requirements, covered entities must notify HHS of all reportable breaches.  HHS recently released a list of breaches, including the covered entity, the business associate, number of individuals affected, and the location of the information lost.  More than 35 HIPAA covered entities have reported breaches involving more than 500 individuals’ PHI since September 2009.  The theft/loss of laptops, desktop and portable media by far represent the majority of the security breaches reported thus far.  A summary of breaches reported thus far appears below.

Reported Breaches of PHI

Older Story – October 12, 2009 — Content of the Notice to the Secretary of HHS for a Reportable Security Breach

The Secretary has delayed enforcement of the Security Breach Rules to give covered entities and business associates a reasonable amount of time to come into compliance.  However, in anticipation of covered entities’ new reporting obligations, HHS on October 7th, released an online form (OMB No. 0990-0346) that appears to be the exclusive mechanism by which a covered entity can provide the required notice to the Secretary in the event of a security breach. (The form is available at http://transparency.cit.nih.gov/breach/index.cfm).  The form is intended only for security breach submissions by covered entities to the Secretary; breaches involving business associates must be reported directly to the Secretary by the affected covered entity and not by the business associate.

Analysis of OMB No. 0990-0346 – HHS’s Security Breach Reporting Form

The form itself offers some insight into HHS’s understanding of security breaches and how HHS believes breaches can be mitigated and/or avoided altogether.  The following are what I consider to be the most interesting questions and potential responses pre-populated within the form:

1. HHS has defined seven categories of breaches within the form: theft, loss, improper disposal, unauthorized access, hacking/IT incident, other, and unknown.  Theft, loss, and improper disposal are breaches that can be easily mitigated by encryption or by following the guidelines referenced by HHS for the destruction of paper/and electronic media;
2. The “locations” where a breach may occur, identified by HHS, include: laptops, desktops, network servers, e-mail, other portable electronic devices, electronic medical records, paper, and other.  Again this question and the pre-populated responses echo HHS’s interest in encryption for data stored on laptops, desktops, and other portable media devices.  Moreover, next to loss of PHI related to theft of computer equipment, e-mail runs a close second as the next biggest source of breaches involving PHI.  It is very easy for someone to mistakenly email a message to the wrong person;
3. The form identifies four categories of PHI–demographic information, financial information, clinical information and other.  Demographic information and especially financial information are high value targets to potential identity thieves; and
4. Probably the most interesting question, from a planning perspective, requires the covered entity identify whether any of the following security controls were in place before the security incident: firewalls, packet filtering (router based), secure browser sessions , strong authentication , encrypted wireless , physical security, logical access controls, anti-virus software, intrusion detection, and biometrics.

This list of security controls is an odd combination of specific types of security controls (e.g. packet filtering router) and general categories of security controls (e.g. physical/ logical access controls).  I find inclusion of biometrics and the exclusion of two factor authentication (a more general category) unusual – the utility of biometric access controls relate more generally to creating systems of two factor authentication.  Two factor authentication techniques are based on any two of the following three types of methods: something you know, something you are, and something you have.  One common example of two factor identification is the use of a security token that generates a seemingly random number in combination with a pin and a password to authenticate a user.  Biometric methods of identification, which include fingerprint scanners, facial recognition, and retinal scanners, are either too expensive to implement as a broad-based solution or are poor quality consumer oriented solutions.

In all, it is obvious what the hot button issues are that may get the enforcement body’s (Office of Civil Rights) attention and more importantly how to avoid them: (i) encrypting portable media, (ii) firewalls, (iii) proper document destruction procedures, (iii) the existence of a physical security plan, (iv) two factor authentication, and (v) antivirus.

The form should be filled out with diligence.  The form contains an attestation that the information provided is accurate, and acknowledgement that the Office of Civil Rights (“OCR”) may be required to release information provided via the form pursuant to the Freedom of Information Act, some of the information will be posted to HHS’s web site, and tOCR will use the information to provide an annual report to Congress required by the HITECH Act.

Related Blogs

          

HHS Breach Notifications originally appeared on Law Blog 2.0 on March 1, 2010.

Recent HHS Guidance has emphasized key areas of importance related to a covered entity’s security assessment-

This guidance document has been prepared with the main objective of reinforcing some of the ways a covered entity may protect EPHI when it is accessed or used outside of the organization’s physical purview. In so doing, this document sets forth strategies that may be reasonable and appropriate for organizations that conduct some of their business activities through (1) the use of portable media/devices (such as USB flash drives) that store EPHI and (2) offsite access or transport of EPHI via laptops, personal digital assistants (PDAs), home computers or other non corporate equipment.

The Centers for Medicare & Medicaid Services (CMS) has delegated authority to enforce the HIPAA Security Standards, and may rely upon this guidance document in determining whether or not the actions of a covered entity are reasonable and appropriate for safeguarding the confidentiality, integrity and availability of EPHI, and it may be given deference in any administrative hearing pursuant to 45 C.F.R. § 160.508(c)(1), the HIPAA Enforcement Rule.

The kinds of devices and tools about which there is growing concern because of their vulnerability, include the following examples: laptops; home-based personal computers; PDAs and Smart Phones; hotel, library or other public workstations and Wireless Access Points (WAPs); USB Flash Drives and Memory Cards; floppy disks; CDs; DVDs; backup media; Email; Smart cards; and Remote Access Devices (including security hardware).

In general, covered entities should be extremely cautious about allowing the offsite use of, or access to, EPHI. There may be situations that warrant such offsite use or access, e.g., when it is clearly determined necessary through the entity’s business case(s), and then only where great rigor has been taken to ensure that policies, procedures and workforce training have been effectively deployed, and access is provided consistent with the applicable requirements of the HIPAA Privacy Rule.

(see http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806rev.pdf).

Special publication 800-53, Revision 3 includes: (1) a simplified, six-step Risk Management Framework; (2) additional security controls and enhancements for advanced cyber threats; (3) recommendations for prioritizing security controls during implementation or deployment; (4) revised security control structure with a new references section; (5) guidance on using the Risk Management Framework for legacy information systems and for external information system services providers; (6) Updates to security control baselines based on current threat information and cyber attacks; (7) Organization-level security controls for managing information security programs; and (8) Guidance on the management of common controls within organizations.  Table 1 below maps HIPAA Security implementation specifications to NIST Security controls.  The NIST taxonomy of controls, as mapped by NIST SP 800-66, is invaluable in understanding the technical details of how to implement HIPAA compliant safeguards and what additional safeguards should be evaluated.

NIST Assessment Methodology

Encryption of portable media is a key enforcement priority of the OIG.  USB flash drives and other portable media are usually put in bags, backpacks, laptop cases, jackets, trouser pockets or are left at unattended workstations.  Tracking corporate data stored on personal flash drives is a significant challenge; the drives are small, common, and constantly moving.  Consequently USB drives are frequently misplaced.  Most HIPAA covered entities and business associates have strict management policies toward USB drives, and some companies ban them to minimize risk (by prohibiting the drives in a company acceptable use policy and/or in the operating system configuration).

Table 1 – Data by Type Copied by Employees

Other findings include:

1. 53 percent of respondents downloaded information onto a CD or DVD, 42 percent onto a USB drive and 38 percent sent attachments to a personal e-mail account;
2. 79 percent of respondents took data without an employer’s permission;
3. 82 percent of respondents said their employers did not perform an audit or review of paper or electronic documents before the respondent left his/her job; and
4. 24 percent of respondents had access to their employer’s computer system or network after their departure from the company.

(see also State of the Endpoint IT Security & IT Operations Practitioners in the United States, United Kingdom, Australia, New Zealand & Germany sponsored by Lumension; Independently conducted by Ponemon Institute LLC; Publication Date: November 30, 2009)(avaliable at http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/Lumension%20State%20of%20the%20Endpoint%20FINAL%203.pdf).

Organizational Structure

• Which individual(s) oversee HIPAA privacy and security issues — state their names and titles of the: (1) the private officer; (2) the security officer; and (3) principle contact in the event of a security incident.
• Do you have written policy and/or a job description for the privacy, security and security incident response contact person?
• Does the organization conduct internal monitoring regarding HIPAA compliance through: (1)  an internal privacy security team; (2) an external third-party; (3) or there is no HIPAA compliance monitoring?
• Briefly describe what protected health information your organization maintains and where said information is retained (i.e. application, systems, database)?
• Does business associate have a reporting mechanism for potential privacy or security breaches?
• If a reporting mechanism exists, who is responsible for addressing potential breaches and what is the chain of command within your organization?
• Please specify any reported security breaches to a covered entity, government entity, and/or consumers in the last 3 years?
• Does the business associate have an Information Technology (IT) group oversee risk management related to PHI stored in business associate systems?
• Please provide a list of individuals responsible for such oversight activity along with their credentials/certifications.
• What responsibilities do individuals in your legal department have related to HIPAA compliance?
• Does your organization have a business continuity plan to address preserving access to and integrity of PHI in the event of a disaster or other catastrophic event?

Administrative Structure

• What policies (and procedures) are available specifically addressing HIPAA privacy and security rules and compliance including the following:
  1. Risk Management;
  2. Risk Assessment and Application Criticality Analysis (FIPS 200);
  3. Physical Security;
  4. Encryption;
  5. Remote Access;
  6. Media and Document Destruction;
  7. Change Control/ Patch Management;
  8. Acceptable Use (Email, Portable Media, Software, Company Resources);
  9. Training and Security Reminders;
  10. Antivirus and Workstation Security;
  11. Unique User Identification;
  12. Audit and Log Monitoring;
  13. Security  Incident;
  14. Contingency and Emergency Access; and
  15. Workforce Clearance, Sanction, and Access Management.
• Who or what group within the organization is responsible for creating and updating these policies?
• When were the organization’s policies last updated?
• How often have any of these policies been updated?
• Are new employees trained to follow these policies and procedures?
• How frequently are existing employees re-trained on existing policies and procedures?
• How frequently are existing employees trained regarding updates in HIPAA rules?
• How are personnel screened in order to grant certain levels of access to PHI?
• Does the organization have a formal security incident response plan to address potential breaches of security that include at a minimum: (1) roles and responsibilities; (2) isolate affected system; (3) preserve evidence; (4) restore compromised system from known safe backups; and (5) post incident response report including identification of lessons learned and other mitigating controls may be indicated based on the incident?
• Does the organization require business partners to comply with its privacy and security policies?
• Does organization ever send PHI via email or ftp (file transfer protocol)?
• Does the organization have policy or procedures related to de-identifying PHI for use in advertising, marketing, educational programs?
• What policies and procedures exist regarding notification in the event of a breach?

Physical Structure

• How is PHI stored within the organization (i.e. fixed server databases/hard drives versus removable media such as backup tapes)?
• Does your company of a physical security plan?
• What types of controls exists to limit access into buildings containing servers that host PHI?
• What types of controls exists to limit access within buildings to rooms housing servers containing PHI?
• Who has access to facilities containing PHI, and what process exists to grant these individuals access?
• What environmental controls exist to protect PHI from destruction?
• To the extent PHI is physically maintained, does the organization employ shredders or other destroying devices for confidential PHI containing documents?  Do you train and document the training of employees on the use of shredders?

Technical Structure

• What types of security and encryption protect portable media containing PHI? (Portable media should always be encrypted.)
• What types of security exists to protect PHI as it flows to and is accessed at remote workstations?
• Describe the data flow “life-cycle” of PHI through the organization’s information systems.  (This should cover hosting services, software development, quality assurance, other issues.)
• Does the organization have routine maintenance protocols that backup, delete, relocate, or otherwise impact data containing PHI?
• What types of audit mechanisms exist to track access and transmission of PHI by internal or external users?  Typically audit logs include a timestamp, a unique user account, data accessed/modified/created, and the location of the user.
• How often are these audit mechanisms used to detect abnormal use?
• Do automatic triggers exist to notify the organization of abnormal PHI use?
• Does the organization prevent browsers with un-patched security vulnerabilities from accessing the company’s information system?

Compliance History and Future Developments

• Has the organization had any security incidents in the past 5 years?  How many and when?
• Has business associate received any negative press related to privacy or security issues in the past 5 years?  How many and when?
• What if any HIPAA security and privacy litigation has business associate been party to in the past 5 years?  Describe the timeline, the circumstances, and the outcome.
• Has business associate conducted risk assessments and vulnerability assessments through independent third parties?  When was the last assessment done?
• Has business associate developed its business off-shore?  If so, are the off-shore business associate facilities ISO 17799 certified?
• Does business associate have new technologies on the horizon that involve PHI, and what if any safeguards are contemplated to protect this data?

Key Terms

Advanced Encryption Standard (AES) – specifies the FIPS 140-2 approved cryptographic algorithm that can be used to protect electronic data.

Business Associate – a third party that acts on behalf of a covered entity by performing a function or activity that HIPAA’s Administrative Simplification rules regulate or that provides certain services (e.g., legal or consulting services) that involve the use or disclosure of individually identifiable health information.

Covered Entity – a health plans, health care clearinghouses, health care providers, and endorsed sponsors of the Medicare prescription drug discount care that conduct covered transactions electronically.  Covered entities are subject to HIPAA’s Administrative Simplification mandates.

Encryption - Cryptographic transformation of data (called “plaintext”) into a form (called “ciphertext”) that conceals the data’s original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called “decryption”, which is a transformation that restores encrypted data to its original state.

HIPAA (The Health Insurance Portability and Accountability Act) – mandates the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information.

NIST (National Institute of Standards) - an agency in the Technology Administration that makes measurements and sets standards as needed by industry or government programs.

Protected health information (PHI), under the US Health Insurance Portability and Accountability Act (HIPAA), is any information about health status, provision of health care, or payment for health care that can be linked to an individual. This includes any part of a patient’s medical record, diagnosis,  and/or payment history.

PHI identifiers include:

1. Names;
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
3. Dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers(SSN);
8. Medical record numbers;
9. Health plan beneficiary numbers;

10.  Account numbers;

11.  Certificate/license numbers;

12.  Vehicle identifiers and serial numbers, including license plate numbers;

13.  Device identifiers and serial numbers;

14.  Web Universal Resource Locators (URLs);

15.  Internet Protocol (IP) address numbers;

16.  Biometric identifiers, including finger, retinal and voice prints;

17.  Full face photographic images and any comparable images; and

18.  Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)

Table 2 – NIST SP 800-66 HIPAA Security Compliance Guidance

Related Blogs

• The collapse of China's English-teaching schools » The Peking Duck
• Irish Mr. English : Unleashed Online
• Idea Lab: Full English Breakfast from Scratch
• Language Log » Chinese Endangered by English?
• Toy Tokyo x Secret Base x Ron English X-Ray McSupersized Figure …

          

Business Associate and Covered Entity HIPAA Compliance — Auditing Questions and NIST 800-53 Security Controls. originally appeared on Law Blog 2.0 on November 29, 2009.

HHS

On October 7, 2009 HHS announced proposed rulemaking to modify the HIPAA privacy rule to comply with Section 105, Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA)  regarding the privacy and confidentiality of genetic information.  The prosed rule is found here HIPAAPRIVACYRULE13343.0.E9-22492. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.  Similarly Congress by enacting GINA seeks to protect the genetic privacy of individuals — GINA creates ‘‘a national and uniform basic standard [that] is necessary to fully protect the public from discrimination and allay their concerns about the potential for discrimination, thereby allowing individuals to take advantage of genetic testing, technologies, research, and new therapies.’’ (GINA section 2(5).)

The HIPAA Privacy Rule requires a covered entity (and beginning next year Business Associates) to implement reasonable and appropriate administrative, technical and physical safeguards to protect the privacy of personal health information (PHI).  The HIPAA privacy rule more generally sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.  The Department of Health and Human Services (HHS) proposed to modify provisions of the ‘‘Standards for Privacy of Individually Identifiable Health Information’’ (Privacy Rule), issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The purpose of these proposed modifications is to implement Section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA) regarding the privacy and confidentiality of genetic information, as well as to make other less technical changes to the HIPAA Privacy Rule.

GINA specifically prohibits discrimination based on an individual’s genetic information with respect to both health coverage and employment.  It is improper to use an individuals genetic information as basis for determining –

1. health coverage,
2. group premiums,
3. eligibility for insurance,
4. eligibility for employment, and/or
5. premiums for individuals and Medicare insurance policy markets.

HHS proposes to modify the HIPAA Privacy Rule to:

(1)    Explicitly provide that genetic information is health information for purposes of the Rule;
(2)    prohibit health plans from using or disclosing protected health information that is genetic information for underwriting purposes;
(3)    revise the provisions relating to the Notice of Privacy Practices for health plans that perform underwriting;;
(4)    make a number of conforming modifications to definitions and other provisions of the Rule; and
(5)    make technical corrections to update the definition of ‘‘health plan.’

In addition Section 105 of the Genetic Information Nondiscrimination Act of 2008 (“GINA”) provides that a group health plan or health insurer may not use or disclose genetic information for purposes of underwriting. These provisions became effective on May 20, 2009.   On October 7, 2009, the Department of Health and Human Services (“HHS”) issued proposed regulations on how Section 105 will impact the HIPAA privacy regulations and HIPAA covered entities.  Additional regulations issued on October 7, 2009 interpreting other health plan aspects of will be discussed in a subsequent client Alert. ’

The proposed regulations would extend GINA’s prohibition on using and disclosing genetic information for underwriting purposes to all health plans that are subject to the HIPAA privacy regulation. T he prohibition would extended long-term care policies, certain public benefit programs, such as Medicare and Medicaid, military health care programs, and limited scope dental and vision benefits so that all provisions would apply uniformly to all health plans covered by the HIPAA privacy regulation.

Comments on the proposed rule will be considered if receive no later than December 7, 2009.  We recommend that a company documents should also be updated to reflect the new GINA provisions, including the health plan’s policies and procedures. Depending on the services that are provided by a business associate and the language of existing business associate agreements, applicable business associate agreements may also need to be updated. Finally health plan sponsors may also consider whether adding protective language in their health plan documents is also appropriate.

          

HHS Announces Proposed Rulemaking to modify the HIPAA privacy Rule to Comply with Section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA) originally appeared on Law Blog 2.0 on October 15, 2009.

Security Breach

Ms. Kristen Pollock McDonald’s Professional CV, the author of this article, is available here, the website for American Health Lawyers Association is available here. What happens if the offices of a covered entity are broken into and unsecured protected health information (PHI) of more than 500 individuals is stolen? With the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act,¹ the ramifications to the covered entity and potential liability stemming from such a breach² are significant to say the least. Not only is the covered entity required to notify the affected individuals of the breach of unsecured PHI,³ but also the covered entity must notify the media and the Department of Health and Human Services Secretary (HHS Secretary) of potentially damaging information concerning the breach. The HITECH Act’s requirement to report details of a significant breach not only to the affected individuals but also to the media and the Secretary may negatively impact the covered entity’s goodwill in the community and cause a loss of business. Of particular concern to the covered entity’s litigation counsel, though, is the potential liability that the covered entity may face due to the breach.

Under the HITECH Act, a covered entity is required to notify individuals of a breach of unsecured PHI and provide the affected individuals with the following information: (1) a description of what happened; (2) a description of the type of unsecured PHI that was involved in the breach; (3) steps the individuals should take to protect themselves; (4) a description of what the covered entity is doing to investigate the breach, mitigate harm to the individual, and ensure that a similar breach does not occur; and (5) contact information if the individual has questions.⁴ Having to detail the nature of the breach, the type of PHI compromised, and what steps the covered entity has taken to mitigate any harm places the covered entity in a precarious position because disclosing such information may be deemed an admission against the covered entity in future litigation brought by affected individuals.

Indeed, the affected individuals may rely upon the notification and the potential admissions contained therein to bring suit against the covered entity under federal or state law. Thus, even though the covered entity abides by the notification rules under the HITECH Act, the fact that there was a breach of unsecured PHI may cause the covered entity to face various liability risks. For example, the breach by the covered entity may violate state patient privacy laws. Or, the covered entity may face liability under various federal statutes, such as the Public Health Services Act if substance abuse treatment records are compromised.⁵ Other examples include the improper disclosure of a diagnosis of a disease, which may cause the covered entity to face liability for intentional or negligent infliction of emotional distress, among other theories. Or, if Social Security numbers are compromised, the covered entity may face liability for financial losses associated with identity theft.⁶ Because the covered entity may face a variety of liability risks under federal and/or state law, the risk of the notification under the HITECH Act being treated as an admission against the covered entity could have far-reaching, negative consequences in litigation.

Also increasing the risk of potential liability is the fact that the same information contained in the notification to the affected individuals also must be provided to the media.⁷ Thus, not only will the general public have access to the details of the breach but competitors will have access to the more damaging information concerning how the breach occurred and what information was compromised. Although publication in the media will not provide the affected individuals with any additional information, it could increase the risk of litigation: (1) by encouraging affected individuals, who may not have otherwise acted upon their personal notification, to pursue litigation against the covered entity; and (2) by educating plaintiffs’ counsels about the breach and who then may seek out the affected individuals for representation.

Although the HITECH Act’s breach notification rules are not yet effective,⁸ what is quite apparent even now is that the breach notification rules will almost certainly foster litigation, particularly for significant breaches affecting more than 500 individuals.

¹ The HITECH Act was enacted on February 17, 2009, as part of the American Recovery and Reinvestment Act of 2009. See Pub. L. No. 111-5 (2009). Most recently, on August 24, 2009, the Department of Health and Human Services (HHS) published regulations further explaining the breach notification rules under the HITECH Act. See Breach Notification for Unsecured Protected Health Information; Interim Final Rule,
74 Fed. Reg. 42740 (Aug. 24, 2009).
² A “breach” is defined as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information.” Id. at 42741.
³ Unsecured PHI is defined as “protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance . . .” Id. The two specific methodologies listed in HHS guidance are encryption and destruction. Id.
⁴ See 74 Fed. Reg. at 42750.
⁵ See Public Health Services Act, set forth at 42 U.S.C. §§ 290dd. HHS’ guidance specifically contemplates potential liability depending upon the type of unsecured PHI compromised. See 74 Fed. Reg. at 42745.
⁶ See id.
⁷ See id. at 42752. In addition to requiring the covered entity to notify the media of a breach affecting more than 500 individuals, the HITECH Act also requires the covered entity to notify the Secretary immediately of the breach. Id. at 42753. The Secretary, in turn, lists on its website all covered entities that report breaches affecting more than 500 individuals. Id.
⁸ The Interim Final Rule becomes effective on September 23, 2009. Id. at 42740, 42753.

          

Excellent Article from American Health Lawyers Association’s Healthcare Liability & Litigation Health Briefs, on 9/9/09. by Kristen McDonald. (Republished with permission from the author.) originally appeared on Law Blog 2.0 on September 15, 2009.

Breach Reporting Requirements

The Department of Health and Human Services (HHS) released on Wednesday, August 19, 2009, its interim final rule for “breach notification,” as required under the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA) (“HHS Breach Rule”).  HHS was two-days late with the issuance of the final rule for breach notification.  The interim final rule requires HIPAA covered entities to notify individuals—and, in some cases, the HHS Secretary and the news media—when “unsecured protected health information” is breached or compromised.  The interim final rule is scheduled for publication in the Federal Register on Monday, August 24, 2009.  The rule will be effective thirty days after publication in the Federal Register (approximately September 23, 2009); comments on the rule are due to the HHS Office of Civil Rights within sixty days of the rule’s publication (approximately October 23, 2009).  However, HHS In the comments to the new Breach Reporting Rules, states that HHS “will use [its] enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from the publication [of the HHS regulations],”  which will be the middle of February 2010.

Personal Health Records and the FTC Security Breach Rule

Also on August 17th, 2009, the FTC, as required by ARRA, issued the final guidance regarding security breach notification requirements for entities that collect personal health information and/or vendors of personal health records for purposes of a consumer directed health record.  The FTC released the proposed regulations entitled the “Health Breach Notification Rule” on April 16, 2009.  Unlike, Electronic Health Records (EHRs), Personal Health Records (PHRs) are not covered by HIPAA, however, PHRs are covered by some states’ security breach notification rules (e.g. California).  The FTC’s rules expands the scope of entities that must take certain actions in the event of a PHR security breach, but the rule does not apply to HIPAA Covered Entities or Business Associates (with one exception discusse below).  The FTC regulations will apply to “breaches of security” that occur on or after September 18, 2009, if the breach involves information contained in or related to PHRs.  While the interim final rule for “breach notification” issued by HHS will apply to HIPAA Covered Entities and Business Associates.  Unlike an EHR, PHR’s are “electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” (FTC Final Rule (Guidance) p. 27).

The FTC further clarified the definition of a PHR:

The Commission emphasizes that PHRs are managed, shared, and controlled “by or primarily for the individual.” See, e.g., AIA at 2; ACLI; Molina Healthcare at 2-3; National Association of Mutual Insurance Companies (“NAMIC”) at 3-4. Thus, they do not include the kinds of records managed by or primarily for commercial enterprises, such as life insurance companies that maintain such records for their own business purposes.

PHI and HHS’ Security Breach Rule

Interestingly the preamble to the HHS breach rule clarifies that in some instances a HIPAA business associate could theoretically covered by the FTC and HHS security breach notification requirements-  in those limited cases where an entity may be subject to both HHS’ and the FTC’s breach notification rules, such as a vendor that offers PHRs to customers of a HIPAA covered entity as a business associate and also offers PHRs directly to the public, HHS and FTC have apparently been harmonized by including the same (or similar requirements). (HHS Breach Notification Rule p. 14).

Similar to the FTC  breach notification regulations for PHR vendors, the regulations developed by the HHS Office for Civil Rights (OCR) requires health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals.  Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

“This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care.  These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information,” said Robinsue Frohboese, Acting Director and Principal Deputy Director of OCR.

(FTC Final Rule (Guidance) p. 27).

Acceptable Encryption Methods and the Effect Thereon of the Data’s Current State

The commentary to Breach Notification rules include further details regarding the distinctions between data at rest and data in motion:

• “Data in Motion” includes data that is moving through a network, including wireless transmission, whether by e-mail or structured electronic interchange, while “data at rest” includes data that resides in databases, file systems, flash drives, memory, and any other structured storage method;
• “Data in Use” includes data in the process of being created, retrieved, updated, or deleted, and “data disposed” includes discarded paper records or recycled electronic media;
• “Data at Rest” includes data that resides in databases, file systems, flash drives, memory, and any other structured storage method; and
• “Data Disposed” includes discarded paper records or recycled electronic media.

While these categories are not new to computer security practitioners they represent a much more advanced approach as compared against earlier HIPAA privacy and security guidance. (Guidance at 12).  The Guidance notes that HHS consulted the NIST when identifying appropriate safeguards.  The reader is also directed to review the NIST Special Publication 800-66-Revision1 “An Introductory Resource Guide for Implementing the HIPAA Security Rule“.

Encryption is one of the core methods to render PHI unreadable; however encryption encompasses domains such as cryptology, number theory, and crypto analysis for even the most well versed security expert understanding how to encrypt information properly is complex.  HHS solves this problem by relying on NIST.  PHI must be encrypted using a NIST approved algorithm and procedure– to be considered unreadable.  Electronic PHI is encrypted when “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304) and key to decrypt the PHI has not been breached.  Encryption identified by NIST and judged to meet this standard NIST’s encryption standards is acceptable to render PHI unreadable. (Guidance at 16).  Current acceptable encryption methods include:

• For data at rest the reader those methods contained within NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Device; and
• For data in motion those methods contained within the Federal Information Processing Standards (FIPS) 140-2 are acceptable. These methods are explained in detail in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113,Guide to SSL VPNs, and others which are FIPS 140-2 validated. (Guidance at 17).

The commentary notes that:

[C]overed entities and business associates may continue to create limited data sets or de-identify protected health information through redaction if the removal of identifiers results in the information satisfying the criteria of 45 CFR 164.514(e)(2) or 164.514(b), respectively. Further, a loss or theft of information that has been redacted appropriately may not require notification under these rules either because the information is not protected health information (as in the case of de-identified information) or because the unredacted information does not compromise the security or privacy of the information.

Finally HHS notes that the encryption/ destruction guidance will be updated annually.  The press release notes-

To determine when information is “unsecured” and notification is required by the HHS and FTC rules, HHS is also issuing in the same document as the regulations an update to its guidance specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.  Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information.  This guidance will be updated annually.

An excellent demonstration of the Advanced Encryption Standard (AES) — one of the few FIPS approved algorithms to render PHI unreadable and/or encrypted for purposes of the security breach safe harbor under both the FTC and HHS rules is avaliable at http://www.cs.bc.edu/~straubin/cs381-05/blockciphers/rijndael_ingles2004.swf.

Destruction is also an acceptable method of rendering PHI unreadable, acceptable methods for destroying PHI at this time:

• Paper, film, or other hard copy media be shredded or destroyed such that the PHI cannot be read or otherwise reconstructed; and
• Electronic media must be cleared, purged, or destroyed consistent with NIST Special Publication 800-88,Guidelines for Media Sanitization, such that the PHI cannot be retrieved. (Guidance at 17).

HHS draws an interesting distinction between encryption and other access controls:

While we believe access controls may render information inaccessible to unauthorized individuals, we do not believe that access controls meet the statutory standard of rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. If access controls are compromised, the underlying information may still be usable, readable, or decipherable to an unauthorized individual, and thus, constitute unsecured protected health information for which breach notification is required.

Accordingly, HHS believes strong access controls are required however HHS believes that a review of potential safeguards is beyond the scope of the this guidance which primarily details methods of rendering PHI unreadable.

Following the same line of reasoning HHS rejected redaction of PHI as a method of rendering PHI unreadable.  The preambles states that “redaction is not a standardized methodology with proven capabilities to destroy or render the underlying information unusable, unreadable or indecipherable, we do not believe that redaction is an accepted alternative method to secure paper-based protected health information.”  However the physical destruction of paper is a method rendering PHI unreadable.  This again is a rather interesting distinction considering that electronic documents, for example PDFs, can be redacted such that the information cannot be recovered.

The reader should note that covered entities and business associates must keep encryption keys on a separate device from the data that they encrypt or decrypt to ensure the keys are not compromised.

Harm or Risk Based Threshold

HHS confirmed that the statutory language and the new breach regulations includes a harm threshold and the definition that “compromises the security or privacy of the protected health information” means “poses a significant risk of financial, reputational, or other harm to the individual.”  This position is consistent with some State breach notification laws, as well as other existing obligations on Federal agencies (some of which also must comply with these rules as HIPAA covered entities) pursuant to OMB Memorandum M-07-16 (available at http://www.whitehouse.gov/OMB/memoranda/fy2007/m07-16.pdf) to have in place breach notification policies for PII that take into account the risk of harm caused by the breach.  Thus, to determine if an impermissible use or disclosure of PHI constitutes a breach, covered entities and business associates will need to perform a risk assessment to determine if a significant risk of harm to the individual as a result of the impermissible use or disclosure. In performing the risk assessment, covered entities and business associates should consider a number of factors.  Five factors that should be considered to assess the likely risk of harm:

• Nature of the Data Elements Breached. The nature of the data elements compromised is a key factor to consider in determining when and how notification should be provided to affected individuals.41 It is difficult to characterize data elements as creating a low, moderate, or high risk simply based on the type of data because the sensitivity of the data element is contextual. A name in one context may be less sensitive than in another context.42 In assessing the levels of risk and harm, consider the data element(s) in light of their context and the broad range of potential harms flowing from their disclosure to unauthorized individuals.
• Number of Individuals Affected. The magnitude of the number of affected individuals may dictate the method(s) you choose for providing notification, but should not be the determining factor for whether an agency should provide notification.
• Likelihood the Information is Accessible and Usable. Upon learning of a breach, agencies should assess the likelihood personally identifiable information will be or has been used by unauthorized individuals. An increased risk that the information will be used by unauthorized individuals should influence the agency’s decision to provide notification.

(See OMB Memorandum M-07-16, page 14)(avaliable at http://www.whitehouse.gov/OMB/memoranda/fy2007/m07-16.pdf).

HHS notes that the fact the information has been lost or stolen does not necessarily mean it has been or can be accessed by unauthorized individuals.  A June 2007 GAO Report entitled “PERSONAL INFORMATION- Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown” (Dated June 2007) expands upon this rather important point.  The GAO report reviewed the 24 largest breaches reported in the media from January 2000 through June 2005 finding that:

1. Only in three instances were there any evidence of resulting fraud on existing accounts and only one instance of the three identified cases did the GAO find evidence of unauthorized creation of new accounts;
2. For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and
3. In the remaining two cases there was not sufficient information to make a determination.

Practical Steps in the Event of a Breach

In the comments to the new Breach Reporting Rules, HHS provides a basic overview of the steps to follow in order to determine whether the entity has breach reporting obligations.  The recommended steps are as follows:

Step 1 – Determine whether the disclosure or use of PHI was impermissible under the HIPAA Privacy Rule.

Step 2 – Determine whether the PHI was “secured” or “unsecured,” and whether the impermissible use or disclosure of PHI compromises the security or privacy of such PHI, and document its process and determination.  The use or disclosure would be impermissible if it poses a “significant risk of financial, reputational, or other harm to the individual.”

Step 3 -   Determine whether the use or disclosure falls under one of the exceptions to the definition of a “breach.”  The exceptions to the definition of a “breach” are: (i) any unintentional access or use of PHI by a Covered Entity’s or Business Associate’s workforce or person acting under the authority thereof, if such access was in good faith, within that person’s scope of authority, and did not result in further impermissible use or disclosure of the PHI; (ii) any inadvertent disclosure by a person who is authorized to have access to such PHI to another authorized person at the same Covered Entity or Business Associate, or organized health care arrangement in which the Covered Entity participates, and the PHI disclosed is not further used or disclosed in an impermissible manner; and (iii) disclosure of PHI where the Covered Entity or Business Associate has a good faith believe that the unauthorized person who received the PHI would not reasonably have been able to retain such PHI.

If the breach poses a significant risk to the individual whose PHI was disclosed, and the disclosure does not fall under one of the enumerated exceptions to the definition of a “breach,” the entity must take the following step:

Step 4 – Provide appropriate notice of the breach in accordance with the Breach Reporting Rules.

Regardless of whether a breach is in violation of the Privacy Rule or Security Rule and raises reporting obligations under the Breach Reporting Rules, the entity may have reporting obligations under state security breach reporting laws that are not preempted by the Privacy Rule or Security Rule.  Therefore, it would be prudent for the entity to take the following additional step:

Step 5 – Determine whether the breach raises any additional reporting obligations under applicable state security breach reporting laws.

          

Interim Final Rule on Breach Notification for HIPAA Covered Entities and Business Associates Released by HHS (Effective September 23, 2009) & FTC Releases Final Guidance on PHR Security Breach Notification Requirements originally appeared on Law Blog 2.0 on August 21, 2009.

HIPAA Enforcement

CMS had taken limited actions to ensure that covered entities adequately implement the HIPAA Security Rule. These actions had not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities. Although authorized to do so by Federal, regulations as of February 16,2006, CMS had not conducted any HIPAA Security Rule compliance reviews of covered entities. To fulfill its oversight responsibilities, CMS relied on complaints to identify any noncompliant covered entities that it might investigate. As a result, CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI was being adequately protected.

It appears HHS has taken this critique to heart.  HHS recently released notice of an important shift in the internal responsibility/delegation of authority for the monitoring and enforcement of the HIPAA Security Rule (and all additional health IT-related security responsibilities, under ARRA).  Previously responsibility for administering (interpretation, education, guidance, FAQs, etc), monitoring and enforcing the HIPAA Security Rule was a CMS responsibility (specifically, the CMS Office of E-Standards and Services or CMS/OESS).  The administration, monitoring and enforcement of the HIPAA Privacy Rule fell under the Office for Civil Rights (OCR).

As of July 27, 2009 CMS no longer will handle enforcement of the HIPAA Security Rule.  HHS has made the decision to transfer the responsibility to OCR, which will now have the administrative and enforcement authority for both the HIPAA Privacy and HIPAA Security Rules, in addition to all the new ARRA provision on privacy and security (covering security of EHRs).  The Notice will be officially published August 4, 2009 in the Federal Register. (http://www.federalregister.gov/OFRUpload/OFRData/2009-18561_PI.pdf)

Over the past few years since the enactment of both HIPAA Rules, OCR and CMS have worked together on the administration and enforcement of the two rules.  According to their accounting of complaints and cases brought forward, the majority included both Privacy and a Security component.  In addition, the ARRA will result in increased security and enforcement of personal health information on EHRs, it seems HHS thought it would be the right time to make this transition and have a single office within the agency handle both related areas.

It is expected that people will be able to continue filing complaints through the same online system and that during a transition period, CMS will continue to work and now assist OCR in administering the Security enforcement responsibilities, as well as the administration of the Rule.  Increased enforcement is extremely likely.

          

HHS Tranfers Enforcement of the HIPAA Security Rule to OCR (Office of Civil Rights) originally appeared on Law Blog 2.0 on August 5, 2009.