This page contains news stories from 2008
Click for the latest news stories
Click for the Directory of News Stories
New OCR Guidance on HIPAA Privacy Rule and Electronic Health Information Exchanges
On December 15, 2008, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced new HIPAA Privacy Rule guidance designed to establish privacy and security principles for the electronic exchange of health information, including tools to facilitate implementation of these principles. In addition, the guidance includes documents that address electronic access by an individual to his or her protected health information and how the Privacy Rule may apply to and supports the use of Personal Health Records.
The documents are available at http://www.hhs.gov/ocr/hipaa/hit/. Of particular interest is new guidance on using e-mail to communicate with patients, on pages 3 and 4 of http://www.hhs.gov/ocr/hipaa/hit/SafeguardsPrinciple.pdf. For more information on the Privacy and Security Framework and the Toolkit, see http://www.hhs.gov/healthit/privacy/framework.html.
HHS and Dept. of Education Release Joint Guidance on Student Health Records, HIPAA, and FERPA
On December 2, 2008, the US Departments of Health and Human Services and Education announced joint guidance on the application of HIPAA and FERPA to student health records. The guidance is available at:
http://www.hhs.gov/ocr/hipaa/HIPAAFERPAjointguide.pdf
Study Shows Healthcare Workers Put Mobile Info At Risk
On November 20, 2008, vnunet.com news published a story on a report based on a survey of US and UK health workers, showing that a third keep unsecured health information on portable devices (such as laptops, BlackBerrys, and USB sticks), a fifth use their own portable devices, and, in the US,18% keep sensitive patient information with no protection whatsoever. See the story at:
http://www.vnunet.com/vnunet/news/2230989/healthcare-workers-putting
Massachusetts Pushes Back Information Security Deadlines
On November 14, 2008, the Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) announced postponement of the compliance deadline for new information security regulations for businesses operating in Massachusetts from January 1, 2009 to May 1, 2009, citing economic conditions and a desire to synchronize with the new compliance deadline for the FTC Red Flags Rule, also May 1, 2009. The OCABR press release is available at: http://tinyurl.com/6x6xwv and a story in Computerworld is available at: http://tinyurl.com/6lur52
Express Scripts Records for Millions May Be Exposed
On November 6, 2008, pharmacy benefits manager Express Scripts revealed that they received a letter stating that if they don't pay a ransom, millions of patient records will be exposed. Information for 75 of those patients was included in the demand letter; those patients have been notified of the breach. An investigation to determine the cause and extent of the breach is continuing. See:
http://www.esisupports.com/
New York State Releases Business Privacy Guide
In October, 2008, the New York State Consumer Protection Board released its Business Privacy Guide, entitled How to Handle Personal Information and Limit the Prospects of Identity Theft, a sixteen page guide to discussing issues in identifying and securing personal information, educating customers and employees, and planning for how to respond to a data breach, including the form to be used to report breaches to the state. The guide is available at: http://www.nysconsumer.gov/pdf/the_new_york_business_guide_to_privacy.pdf
NIST Releases Guidance for Cell Phone and PDA Usage
On October 31, 2008, the National Institute of Standards and Technology (NIST) Computer Security Division announced the release of Special Publication 800-124, Guidelines on Cell Phone and PDA Security. It provides an overview of cell phone and personal digital assistant (PDA) devices in use today and offers insights into making informed information technology security decisions on their treatment. SP 800-124 gives details about the threats and technology risks associated with the use of these devices and the available safeguards to mitigate them. The Executive Summary of this report is highly recommended reading for all cell phone and PDA users. SP 800-124 is available at: http://csrc.nist.gov/publications/PubsSPs.html#800-124
HHS OIG Slams CMS HIPAA Security Rule Enforcement
On October 27, 2008, the Office of the Inspector General (OIG) of the US Department of Health and Human Services (HHS) released a report critical of the HHS Center for Medicare and Medicaid Services (CMS)'s enforcement of the HIPAA Security Rule, stating that CMS's complaint-based process was not addressing numerous, significant vulnerabilities found through OIG's own HIPAA Security Rule compliance assessments. It may be expected that the new CMS Security Rule compliance assessment activities are here to stay, as a result of this report. The report is available at:
http://oig.hhs.gov/oas/reports/region4/40705064.pdf
Revision 1 of NIST HIPAA Security Rule Guidance Released
On October 24, 2008, the National Institute of Standards and Technology Computer Security Division released Special Publication (SP) 800-66 Revision 1, an update to An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The updated guide is at:
http://csrc.nist.gov/publications/PubsSPs.html#800-66-Rev1
FTC Enforcement of Red Flags Rule Delayed Until May 1, 2009
On October 22, 2008, the Federal Trade Commission (FTC) announced that it will suspend enforcement of the "Red Flags Rule" until May 1, 2009 in order to allow more time for entities to establish "identity theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft." The press release from the FTC is available at:
http://www.ftc.gov/opa/2008/10/redflags.shtm
Nevada Encryption Requirement Now In Effect; Massachusetts to Require Security and Encryption of Personal Information
On October 1, 2008, new rules go into effect in Nevada requiring the encryption of personal information transmitted by businesses. On September 19, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation adopted security regulations that go into effect January 1, 2009, including requirements to protect the security of personal information, encrypt personal data in transmission, and encrypt any personal data on laptops or portable media.
• An article on this topic by the Nelson Mullins law firm is available at http://tinyurl.com/5wpom9or http://www.nelsonmullins.com/news/nelson-
mullins-newsletter_detail.cfm?id=D7A4E5E8-BC78-75E4-2F2747ABDF965D97
• The Nevada law, Nev. Rev. Stat. § 597.970(1) (2005), is available at: http://www.leg.state.nv.us/Nrs/NRS-597.html#NRS597Sec970
• The Massachusetts Office of Consumer Affairs and Business Regulation press release is available at http://tinyurl.com/4vaytu or
http://www.mass.gov/?pageID=ocapressrelease&L=1&L0=Home&sid=Eoca&b=
pressrelease&f=080922_IDTheft_regsandexecorder&csid=Eoca
• The Massachusetts regulation, effective January 1, 2009 is available at http://tinyurl.com/4qw2g5 or http://www.mass.gov/?pageID=ocaterminal&L=
3&L0=Home&L1=Consumer&L2=Identity+Theft&sid=Eoca&b=terminalcontent
&f=idtheft_201cmr17&csid=Eoca
California Increases Penalties for Breaches, Snooping
On October 1, 2008, California adopted stringent new requirements for timeliness in reporting health data privacy and security breaches, new penalties of up to $250,000for breaches and for unauthorized viewing of health information, and rights for individuals to sue those responsible for breaches. An article in Computerworld magazine is available at: http://tinyurl.com/6yr4ye
The two new bills are SB 541, available at: http://tinyurl.com/5ffchl or http://info.sen.ca.gov/pub/07-08/bill/sen/sb_0501-0550/sb_541_bill_20080930_chaptered.pdf
and AB 211, available at: http://tinyurl.com/6dh8mj or
http://info.sen.ca.gov/pub/07-08/bill/asm/ab_0201-0250/ab_211_bill_20080930_chaptered.pdf
PCI Data Security Standard Version 1.2 Released
On October 1, 2008, the PCI Security Standards Council released version 1.2 of the Payment Card Industry Data Security Standard (PCI DSS), including improved flexibility and an updating of some practices. The PCI DSS is on a two-year update cycle and has incorporated feedback gathered since version 1.1 was released in 2006. The new version, while not including major changes, does revise and clarify numerous sections, as shown by the 14-page summary of changes from version 1.1, available at: http://tinyurl.com/64hfgs or https://www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf
The announcement is available at: https://www.pcisecuritystandards.org/pdfs/pr_080930_PCIDSSv1-2.pdf
Version 1.2 and its supporting documentation are available at: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
NIST Releases Technical Guide for Testing, Assessment
On October 1, 2008, the National Institute of Standards and Technology (NIST) released Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, designed to assist organizations in planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies. The publication provides practical recommendations for designing, implementing, and maintaining technical information security assessment processes and procedures. SP 800-115 is available at: http://csrc.nist.gov/publications/PubsSPs.html#SP800-115
World Privacy Forum Provides Red Flags Rule Suggestions
On September 24, 2008, the World Privacy Forum released a report, Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers, outlining the applicability of the FTC Red Flag Rules, enforceable as of November 1, 2008, and providing suggestions on how hospitals and health care providers can meet the requirements, including the adoption of written identity theft prevention programs. The report is available on the World Privacy Forum's Medical Identity Theft page. September 2016 Update: The Medical Identity Theft page is now at: https://www.worldprivacyforum.org/category/med-id-theft/ and the report is available at: https://www.worldprivacyforum.org/2009/09/report-red-flag-rule/
HIPAA Security Compliance Review Example Posted by HHS
On August 7, 2008 the U.S. Department of Health and Human Services (HHS) Center for Medicare and Medicaid Services (CMS) posted a brief summary of an example HIPAA Security Rule compliance review, conducted as the result of a complaint related to a lost laptop computer. The review summary describes the process used and conclusions reached, and includes highlights of the corrective action plan taken by the facility. The HHS CMS HIPAA enforcement site (for all issues except those relating to the Privacy Rule, which is enforced by the HHS Office of Civil Rights) is at http://www.cms.hhs.gov/Enforcement/ and the review page is: http://www.cms.hhs.gov/Enforcement/09_HIPAAComplianceReviewExamples.asp
FTC "Red Flags Rule" Enforceable as of November 1, 2008
On October 31, 2007, the Federal Trade Commission issued Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy, applicable to financial institutions and creditors, effective January 1, 2008. The rules require covered institutions to adopt programs to combat identity theft related to their accounts, and are enforceable beginning November 1, 2008. For the FTC's initial announcement, please see http://www.ftc.gov/opa/2007/10/redflag.shtm
For the text of the rule itself, from the Federal Register, please see http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
The FTC's June 2008 Business Alert about Red Flag requirements is available at: http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.pdf The National Conference of State Legislatures hosts a listing of state identity theft laws at: http://www.ncsl.org/programs/lis/privacy/idt-statutes.htm
Providence Health & Services Hit With HIPAA Fines and Corrective Action for Privacy and Security Rule Violations
On July 17, 2008, the Department of Health and Human Services (HHS) announced it had reached an agreement with Seattle-based Providence Health & Services to settle HIPAA complaints related to the loss of laptops and backup media with information on over 386,000 patients in 2005 and 2006. Providence will pay a $100,000 fine and be subject to a "robust" Corrective Action Plan involving the adoption of policies and procedures, training, audits, and reporting on compliance to HHS for three years. A statement on the agreement is available on the HHS web site at http://www.hhs.gov/ocr/privacy/enforcement/resolution.html
Draft NIST Guidelines for Cell Phones & PDAs, and Firewalls
On July 7, 2008 the National Institute of Standards and Technology (NIST) released draft security guidelines providing an overview of cell phone and personal digital assistant (PDA) devices in use today and insights for making informed information security decisions regarding their treatment. The four-page executive summary should be read by all users of such devices. Draft SP 800-124 gives details about the threats, technology risks, and safeguards, and is available at: http://csrc.nist.gov/publications/drafts/800-124/Draft-SP800-124.pdf
On July 9, 2008, NIST released a draft of Revision 1 of Special Publication 800-41, Guidelines on Firewalls and Firewall Policy. Draft SP 800-41 Rev. 1 provides recommendations on developing firewall policies and on selecting, configuring, testing, deploying, and managing firewalls. While SP 800-41 may be most useful to network specialists, it does provide an excellent technology overview that is quite useful to non-technical types as well. The Rev. 1 draft is available at: http://csrc.nist.gov/publications/drafts/800-41-Rev1/Draft-SP800-41rev1.pdf
More Than 88% of States Have Security Breach Notice Laws
As of June 20, 2008, at least 44 states, the District of Columbia, and Puerto Rico now have information security breach notification laws in place. If your business or any of your customers or employees are located in any of these states, you must comply with their breach notification laws.
To see if your state or your customers' or employees' states have breach notification laws, please see the National Conference of State Legislatures' Web site at: http://www.ncsl.org/programs/lis/cip/priv/breach.htm
Verizon Releases Data Breach Investigations Report
In June, 2008, the Verizon Business Risk Team released its 2008 Data Breach Investigations Report, which studies more than 500 cases over four years and comes to several worrying conclusions, such as that two-thirds of incidents involved data the victim did not even know was on the system, three-quarters of breaches were not discovered by the victim, and 87% were avoidable through reasonable controls. In addition, more than 40% of breaches involved business partners of the victim, a five-fold increase since 2004. The report is exceptionally well-founded and includes recommendations on simple steps to be taken to prevent breaches.
To download a copy of the report, please visit:
http://www.verizonbusiness.com/resources/security/databreachreport.pdf
House Considers Tightening HIPAA Privacy and Security
A May 22, 2008 draft bill (HR 6357, the Protecting Records, Optimizing Treatment, and Easing Communication through Health Care Technology Act, or PROTECT Act) circulating in the U.S. House of Representatives would offer grants for the adoption of electronic medical records, would directly cover healthcare business associates under HIPAA, would require notification of patients in the event of a security breach, and would require accounting of all disclosures of electronic health information for treatment, payment, and operations, among other provisions. The draft language is available at: http://energycommerce.house.gov/HealthIT_2008/hitec_003_xml.pdf
July 1, 2008 update: The bill passed the Health Subcommittee of the House Energy and Commerce Committee by voice vote June 25, 2008, and awaits consideration by the House Science and Technology and Ways and Means Committees. Negotiations on the Senate version (S 1693) are continuing.
July 22, 2008 update: Story in Healthcare IT News: The Committee on Energy and Commerce announced it will mark up the PRO(TECH)T Act of 2008 Wednesday (7/23) in an effort to move healthcare IT legislation through Congress before the close of the year. See the complete article at: http://www.healthcareitnews.com/story.cms?id=9621&page=1
July 23, 2008 update: Approved as amended in Energy and Commerce committee by voice vote. Includes new consent requirements for the use of information in healthcare operations. Next up are Science and Technology, and Ways and Means Committees.
NIST Announces Draft of Update to HIPAA Security Guide
On May 2, 2008, the National Institute of Standards and Technology announced the release of the public draft of Special Publication 800-66 Revision 1, An Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Draft). This guide discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule. The draft is available at: http://csrc.nist.gov/publications/PubsDrafts.html#800-66-Rev1
PCI Security Standards Council Updates Standard
On April 22, 2008 The PCI Security Standards Council announced further clarification for PCI DSS requirement 11.3, regarding penetration testing, which includes network and application layer testing, as well as controls and processes around the networks and applications, and Requirement 6.6, which becomes effective on June 30, 2008, regarding application code review and application firewalls, providing two options which are intended to address common threats to cardholder data and ensure that input to web applications from un-trusted environments is fully inspected. The announcement is available at: https://www.pcisecuritystandards.org/pdfs/04-22-08.pdf and the information supplements detailing the updates are available at: https://www.pcisecuritystandards.org/tech/supporting_documents.htm
NIST Releases Revised Security Incident Handling Guide
On March 7, 2008 the National Institute of Standards and Technology (NIST) released a revision of the Computer Security Incident Handling Guide, NIST SP 800-61 Revision 1. According to the announcement, the revised guide "seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. The publication includes guidelines on establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents." The revised guide is available at:
http://csrc.nist.gov/publications/PubsSPs.html#800-61_Rev1
CMS Says What They'll Ask For At HIPAA Security Reviews
On February 20, 2008, CMS posted on its Web site a two-page list of individuals to be interviewed and information to be requested in the course of the HIPAA Security Compliance Reviews being conducted in 2008. CMS cautions in their Web page on enforcement that "the document is not a comprehensive list of applicable investigation/review areas nor does it attempt to address all non-compliance scenarios," meaning it's really only a starting point for a general evaluation, and different information may be requested in different cases depending on circumstances. CMS's page on HIPAA enforcement is at:
http://www.cms.hhs.gov/Enforcement/025_GeneralEnforcementInformation.asp
The Information Request for Onsite Compliance Reviews is at:
http://www.cms.hhs.gov/Enforcement/Downloads/InformationRequestforComplianceReviews.pdf
or http://tinyurl.com/2gaswf
PCI Self-Assessment Questionnaire Updated
On February 6, 2008, the PCI Security Standards Council released a new set of self-assessment questionnaires for merchants and service providers processing payment cards. The new questionnaire, version 1.1, comes in four versions to be used depending on on how payments are processed. The press release is available at: https://www.pcisecuritystandards.org/pdfs/02-06-08.pdf The questionnaire is available at: https://www.pcisecuritystandards.org/tech/saq.htm
CMS Announces HIPAA Security Compliance Reviews
At the January 16, 2008 CMS/NIST workshop on HIPAA Security (attended by Jim Sheldon-Dean) CMS officials announced that they plan to review compliance with the HIPAA Security Rule at 10 to 20 hospitals over the next nine months. With the assistance of contractor PriceWaterhouseCoopers, CMS will review one facility with an eye to refining the review process, and then will apply the process to the remainder of the target institutions, which will typically include hospitals about which CMS has received complaints, and hospitals handling large numbers of records, in this first round of Security Rule enforcement action.
http://www.govhealthit.com/online/news/350176-1.html?type=pf
Foreign Hackers Seeking Health Information
At the same January 16, 2008 CMS/NIST workshop, Homeland Security Analyst Mark Walker said that foreign hackers, primarily from Russia and China, are focusing increasingly on health information. He said that a virus had been placed on a CMS server in 2007, among several issues, and called for reporting of all health data breaches to authorities.
http://www.fcw.com/online/news/151334-1.html?type=pf
California Breach Law Now Includes Health Information
As of January 1, 2008, the California Information Security Breach Notification law has been expanded to include electronic medical information and health insurance information. The original California law was the first such law in the nation, and spawned similar legislation now in effect in more than two-thirds of US states. It may be expected that other states will follow California's lead once again.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/01/04/BUR6U9000.DTL
Click for the latest news stories
Click for the Directory of News Stories