This article discusses techniques for implementing the updated requirements of the HIPAA Security Rule, with particular focus on strategies for assessing the effectiveness of implemented security controls to support compliance and audit, as well as a covered entity’s (or business associate) overarching risk management program in the context of HIPAA Compliance. Covered entities are becoming more pro-active in monitoring their business associate compliance with HIPAA privacy and security regulations and the recent changes largely the product of the HITECH Act. In the past I have used a series of questions to ascertain the compliance status of business associates to comply with HIPAA privacy and security rules. I find it useful to map security controls to NIST Special Publication 800-53. The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems. The controls are included in the final version of Special Publication 800-53, Revision 3 “Recommended Security Controls for Federal Information Systems and Organizations,” released in August of 2009. (Available at http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf). [...]
|
|||||
|
By Robert Hudock, on November 29th, 2009
 Print This PostNovember 29th, 2009 | Tags: 800-53, 800-66, compliance, HIPAA, HITECH Act, NIST, security controls | Category: American Recovery and Reinvestment Act, Data Hemorrages, Destruction, Encryption, FIPS 140-2, Federal Agencies, HIPAA Security, HITECH Act, Health Information Technology, Health Reform, Health and Humans Services (HHS), Individually identifiable health information, Interoperability, Meaningful Use, Media Sanitization, NIST, Office of Civil Rights, Privacy, SSL VPNs, anonymization, unsecured protected health information |
5 comments
Print This PostBy Robert Hudock, on November 17th, 2009
Print This PostNext year should be interesting. From Red Flag compliance, federal breach reporting requirements, significantly augmented HIPAA penalties, and HIPAA security standards that are based on NIST guidelines will change the traditional compliance model for Covered Entities and Business Associates. Hot topics for enforcement next year (based on recent CMS audits of their business partners) will likely be in the areas encryption of portable media devices, remote access by employees to protected health information, and failure to document a rational risk management [...] November 17th, 2009 | Tags: ARRA, breach, EHR, Encryption, enforcement actions, FISMA, HIPAA, Interoperability, NIST, OIG, security | Category: American Recovery and Reinvestment Act, EMR, Encryption, FIPS 140-2, HIPAA Security, HITECH Act, Health Information Technology, Health and Humans Services (HHS), Interoperability, Meaningful Use, NIST, unsecured protected health information |
2 comments
Print This PostBy Robert Hudock, on October 12th, 2009
Print This PostGenerally in the event of a “breach” of “unsecured” PHI, a covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, breached. (45 C.F.R. § 164.404(a)(1).) Despite the obvious utility of the new harm standard, a few privacy advocates (and four United States congressmen) have expressed displeasure with the new HHS harm standard. An October 1st letter from congressional leaders sent to HHS Secretary Sebelius argues that the ARRA did not imply a harm standard in the breach notification requirements, and requests that HHS repeal the harm standard that was included in the interim final regulations on Breach Notification for Unsecured Protected Health Information. [...] October 12th, 2009 | Tags: ARRA, Computer Security, congress, Democrat, Dingell, harm standard, HIPAA, HITECH, Pallone, rangel, Waxman | Category: HIPAA Security, HITECH Act, Health Reform, Health and Humans Services (HHS), Privacy |
4 comments
Print This PostBy Robert Hudock, on September 22nd, 2009
Print This PostI am a little unclear as to why privacy advocates and security vendors believe that the harm standard, found within the new HHS regulations for security breaches, in any way hampers the HITECH Act’s security breach notice rule for covered entities and business associates. Many states use a similar risk based type analysis, in fact only seven states have a strict acquisition based standard, of those only a couple of these states link their definition of encryption to FIPS 140-2. In comparison to risk based states where one assesses the potential risk to a consumer resulting from theft of sensitive informatioin, the federal standard is more helpful in the sense that it highlights key criteria to be evaluated in assessing risk to consumers. [...] September 22nd, 2009 | Tags: fear mongering, FIPS 140-2, FISMA, harm standard, HIPAA, OMB, Risk Analysis, security incident | Category: Computer Security Law -- Federal, Data Hemorrages, Encryption, FIPS 140-2, HIPAA Privacy, HIPAA Security, HITECH Act, Health and Humans Services (HHS), Identity Theft, Individually identifiable health information, NIST, Privacy, State Security Breach Laws, unsecured protected health information |
One comment
Print This PostBy Kristen McDonald, on September 15th, 2009
Print This PostWhat happens if the offices of a covered entity are broken into and unsecured protected health information (PHI) of more than 500 individuals is stolen? With the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act,1 the ramifications to the covered entity and potential liability stemming from such a breach2 are significant to say the least. Not only is the covered entity required to notify the affected individuals of the breach of unsecured PHI,3 but also the covered entity must notify the media and the Department of Health and Human Services Secretary (HHS Secretary) of potentially damaging information concerning the breach. The HITECH Act’s requirement to report details of a significant breach not only to the affected individuals but also to the media and the Secretary may negatively impact the covered entity’s goodwill in the community and cause a loss of business. Of particular concern to the covered entity’s litigation counsel, though, is the potential liability that the covered entity may face due to the [...] September 15th, 2009 | Tags: Damages, HHS, HIPAA, HITECH Act, litigation, PHI, security, significant breach, unsecured PHI | Category: Computer Security Law -- Federal, Damages, HIPAA Privacy, HIPAA Security, HITECH Act, Health and Humans Services (HHS), Identity Theft, Individually identifiable health information, Office of Civil Rights, unsecured protected health information |
One comment
Print This PostBy Robert Hudock, on September 8th, 2009
Print This PostSecurity Incidents can be accidental incursions or deliberate attempts to break into systems and can be benign to malicious in purpose or consequence, each incident requires a careful response at a level commensurate with its potential impact to the security of individuals and your organization as a whole however few organizations have an appropriate security incident policy. The fundamental components of a security incident response plan include the following — [...] September 8th, 2009 | Tags: malicious hackers, malware, NIST, policy, Privacy, security, security incident | Category: Computer Security Law -- Federal, Data Hemorrages, FTC Security Breach Notification, Forensic Tools, HIPAA Privacy, HIPAA Security, Identity Theft, Law and Technology, Media Sanitization, NIST, Peer-2-Peer File Sharing, Privacy, State Privacy and Computer Security Laws, State Security Breach Laws |
2 comments
Print This PostBy Robert Hudock, on August 21st, 2009
Print This PostRegulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when personal health information is breached were issued August 19th, 2009, by the U.S. Department of Health and Human Services (HHS). These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 [...] August 21st, 2009 | Tags: Data at Rest, Data Disposed, Data in Motion, Data in Use, Destruction, Encryption, FTC, Health Breach Notification Rule - FTC, HHS, HIPAA, OCR, paper, redaction, Report, security breach | Category: American Recovery and Reinvestment Act, Computer Security Law -- Federal, Encryption, FIPS 140-2, FTC Security Breach Notification, HIPAA Security, HITECH Act, Health and Humans Services (HHS), Media Sanitization, NIST, Office of Civil Rights, unsecured protected health information |
Leave a comment
Print This PostBy Robert Hudock, on August 18th, 2009
Print This PostNIST approved XTS-AES for the secure encryption of block devices in NIST Special Publication 800-38E, Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Block-Oriented Storage Devices (Draft August 2009)(available at http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/follow-up_XTS_comments-Ball.pdf) subject to a caveat on the file size. The number of blocks that can be securely encrypted using this method is 2^20 blocks. The Advanced Encryption Standard (AES) is a FIPS-approved cryptographic algorithm (Rijndael, designed by Joan Daemen and Vincent Rijmen, published in 1998) that may be used by US federal departments and agencies to cryptographically protect sensitive information. There are various modes of operation some of them are approved by NIST FIPS 140-2. NIST’s decision approves the use of XTS-AES for encrypting block devices (hard drives, optical media, etc.) is particularly significant because TrueCrypt is an open source implementation of [...] August 18th, 2009 | Tags: Ciphertext Stealing, csrc, IEEE, NIST, Standard 1619-2007, TrueCrypt, truecrypt certified by NIST, XEX, XTS-AES | Category: Computer Security Law -- Federal, FIPS 140-2, HIPAA Security, NIST |
Leave a comment
Print This PostBy Robert Hudock, on August 5th, 2009
Print This PostIt appears HHS has taken this critique to heart. HHS recently released notice of an important shift in the internal responsibility/delegation of authority for the monitoring and enforcement of the HIPAA Security Rule (and all additional health IT-related security responsibilities, under ARRA). Previously responsibility for administering (interpretation, education, guidance, FAQs, etc), monitoring and enforcing the HIPAA Security Rule was a CMS responsibility (specifically, the CMS Office of E-Standards and Services or CMS/OESS). The administration, monitoring and enforcement of the HIPAA Privacy Rule fell under the Office for Civil Rights [...] August 5th, 2009 | Tags: CMS, HHS, HIPAA, OCR, Poor Enforcement | Category: CMS, Enforcement, HIPAA Security, Health and Humans Services (HHS), Office of Civil Rights, Privacy Law |
Leave a comment
Print This PostImprove the web with Nofollow Reciprocity. |
|||||
|
Copyright © 2010 Law Blog 2.0 - Robert Hudock, Esq., CISSP - All Rights Reserved - This Blog is a personal blog of Robert Hudock. |
|||||
Office of the National Coordinator — Time to Reorganize.
On December 1st, 2009 the Office of the Secretary of the Office of the National Coordinator (ONC) for Health Information Technology announced the creation of a new Chief Privacy Office and the Office of Economic Modeling and Analysis (among three others including the Office of Chief Scientist, Deputy National Coordinator for Programs & Policy, and Deputy National Coordinator for Operations). The New Chief Privacy Officer is a necessary creation under the ARRA (and the HITECH Act). This role is different from the other positions that seem to be a re-organization of roles and responsibilities that already existed to some extent just with more specificity around functions and duties. Aside from the Chief Privacy Officer the New Economic Modeling and Analysis Position seems like a timely creation given recent articles discussing whether Health Information Technology and more specifically Electronic Health Record Systems (EHRs) actually reduce the cost of care and/or increase the quality of care. Also of note, the new Office of the Deputy National Coordinator for Programs and Policy will be responsible for the open source Connect initiative and the National Health Information [...]