2008 News Stories

This page contains news stories from 2008


New OCR Guidance on HIPAA Privacy Rule and Electronic Health Information Exchanges

On December 15, 2008, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced new HIPAA Privacy Rule guidance designed to establish privacy and security principles for the electronic exchange of health information, including tools to facilitate implementation of these principles.  In addition, the guidance includes documents that address electronic access by an individual to his or her protected health information and how the Privacy Rule applies to and supports the use of Personal Health Records.

The documents are available at http://www.hhs.gov/ocr/hipaa/hit/.  Of particular interest is new guidance on using e-mail to communicate with patients, on pages 3 and 4 of http://www.hhs.gov/ocr/hipaa/hit/SafeguardsPrinciple.pdf.  For more information on the Privacy and Security Framework and the Toolkit, see http://www.hhs.gov/healthit/privacy/framework.html.   

HHS and Dept. of Education Release Joint Guidance on Student Health Records, HIPAA, and FERPA

On December 2, 2008, the US Departments of Health and Human Services and Education announced joint guidance on the application of HIPAA and FERPA to student health records.  The guidance is available at:  

Study Shows Healthcare Workers Put Mobile Info At Risk

On November 20, 2008, vnunet.com published a story on a report based on a survey of US and UK health workers, showing that a third keep unsecured health information on portable devices (such as laptops, BlackBerrys, and USB sticks), a fifth use their own portable devices, and, in the US, 18% keep sensitive patient information with no protection whatsoever.  See the story at: 

Massachusetts Pushes Back Information Security Deadlines

On November 14, 2008, the Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) announced postponement of the compliance deadline for new information security regulations for businesses operating in Massachusetts from January 1, 2009 to May 1, 2009, citing economic conditions and a desire to synchronize with the new compliance deadline for the FTC Red Flags Rule, also May 1, 2009.  The OCABR press release is available at: http://tinyurl.com/6x6xwv and a story in Computerworld is available at: http://tinyurl.com/6lur52

Express Scripts Records for Millions May Be Exposed

On November 6, 2008, pharmacy benefits manager Express Scripts revealed that they received a letter stating that if they don't pay a ransom, millions of patient records will be exposed.  Information for 75 of those patients was included in the demand letter; those patients have been notified of the breach.  An investigation to determine the cause and extent of the breach is continuing.  See: 

New York State Releases Business Privacy Guide

In October 2008, the New York State Consumer Protection Board released its Business Privacy Guide, entitled How to Handle Personal Information and Limit the Prospects of Identity Theft, a sixteen-page guide discussing issues in identifying and securing personal information, educating customers and employees, and planning for how to respond to a data breach, including the form to be used to report breaches to the state.  The guide is available at:  http://www.nysconsumer.gov/pdf/the_new_york_business_guide_to_privacy.pdf

NIST Releases Guidance for Cell Phone and PDA Usage

On October 31, 2008, the National Institute of Standards and Technology (NIST) Computer Security Division announced the release of Special Publication 800-124, Guidelines on Cell Phone and PDA Security. It provides an overview of cell phone and personal digital assistant (PDA) devices in use today and offers insights into making informed information technology security decisions on their treatment. SP 800-124 gives details about the threats and technology risks associated with the use of these devices and the available safeguards to mitigate them. The Executive Summary of this report is highly recommended reading for all cell phone and PDA users.  SP 800-124 is available at:  http://csrc.nist.gov/publications/PubsSPs.html#800-124

HHS OIG Slams CMS HIPAA Security Rule Enforcement

On October 27, 2008, the Office of the Inspector General (OIG) of the US Department of Health and Human Services (HHS) released a report critical of the HHS Center for Medicare and Medicaid Services (CMS)'s enforcement of the HIPAA Security Rule, stating that CMS's complaint-based process was not addressing numerous, significant vulnerabilities found through OIG's own HIPAA Security Rule compliance assessments.  It may be expected that the new CMS Security Rule compliance assessment activities are here to stay, as a result of this report.  The report is available at:   

Revision 1 of NIST HIPAA Security Rule Guidance Released

On October 24, 2008, the National Institute of Standards and Technology Computer Security Division released Special Publication (SP) 800-66 Revision 1, an update to An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.  The updated guide is at:  

FTC Enforcement of Red Flags Rule Delayed Until May 1, 2009

On October 22, 2008, the Federal Trade Commission (FTC) announced that it will suspend enforcement of the "Red Flags Rule" until May 1, 2009 in order to allow more time for entities to establish "identity theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft."  The press release from the FTC is available at: 

Nevada Encryption Requirement Now In Effect; Massachusetts to Require Security and Encryption of Personal Information

On October 1, 2008, new rules went into effect in Nevada requiring the encryption of personal information transmitted by businesses.  On September 19, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation adopted security regulations that go into effect January 1, 2009, including requirements to protect the security of personal information, encrypt personal data in transmission, and encrypt any personal data on laptops or portable media.

• An article on this topic by the Nelson Mullins law firm is available at http://tinyurl.com/5wpom9 or http://www.nelsonmullins.com/news/nelson-
• The Nevada law, Nev. Rev. Stat. § 597.970(1) (2005), is available at: http://www.leg.state.nv.us/Nrs/NRS-597.html#NRS597Sec970
• The Massachusetts Office of Consumer Affairs and Business Regulation press release is available at http://tinyurl.com/4vaytu or 
• The Massachusetts regulation, effective January 1, 2009, is available at http://tinyurl.com/4qw2g5 or http://www.mass.gov/?pageID=ocaterminal&L=

California Increases Penalties for Breaches, Snooping

On October 1, 2008, California adopted stringent new requirements for timeliness in reporting health data privacy and security breaches, new penalties of up to $250,000 for breaches and for unauthorized viewing of health information, and rights for individuals to sue those responsible for breaches.  An article in Computerworld magazine is available at: http://tinyurl.com/6yr4ye
The two new bills are SB 541, available at: http://tinyurl.com/5ffchl or   
and AB 211, available at: http://tinyurl.com/6dh8mj or   

PCI Data Security Standard Version 1.2 Released

On October 1, 2008, the PCI Security Standards Council released version 1.2 of the Payment Card Industry Data Security Standard (PCI DSS), including improved flexibility and an updating of some practices.  The PCI DSS is on a two-year update cycle and has incorporated feedback gathered since version 1.1 was released in 2006.  The new version, while not including major changes, does revise and clarify numerous sections, as shown by the 14-page summary of changes from version 1.1, available at: http://tinyurl.com/64hfgs or https://www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf
The announcement is available at: https://www.pcisecuritystandards.org/pdfs/pr_080930_PCIDSSv1-2.pdf
Version 1.2 and its supporting documentation are available at: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

NIST Releases Technical Guide for Testing, Assessment

On October 1, 2008, the National Institute of Standards and Technology (NIST) released Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, designed to assist organizations in planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies. The publication provides practical recommendations for designing, implementing, and maintaining technical information security assessment processes and procedures. SP 800-115 is available at: http://csrc.nist.gov/publications/PubsSPs.html#SP800-115

World Privacy Forum Provides Red Flags Rule Suggestions

On September 24, 2008, the World Privacy Forum released a report, Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers, outlining the applicability of the FTC Red Flag Rules, enforceable as of November 1, 2008, and providing suggestions on how hospitals and health care providers can meet the requirements, including the adoption of written identity theft prevention programs.  The report is available on the World Privacy Forum's Medical Identity Theft page.  September 2016 Update: The Medical Identity Theft page is now at:  https://www.worldprivacyforum.org/category/med-id-theft/  and the report is available at:  https://www.worldprivacyforum.org/2009/09/report-red-flag-rule/    

HIPAA Security Compliance Review Example Posted by HHS

On August 7, 2008, the U.S. Department of Health and Human Services (HHS) Center for Medicare and Medicaid Services (CMS) posted a brief summary of an example HIPAA Security Rule compliance review, conducted as the result of a complaint related to a lost laptop computer.  The review summary describes the process used and conclusions reached, and includes highlights of the corrective action plan taken by the facility.  The HHS CMS HIPAA enforcement site (for all issues except those relating to the Privacy Rule, which is enforced by the HHS Office for Civil Rights) is at http://www.cms.hhs.gov/Enforcement/ and the review page is:  http://www.cms.hhs.gov/Enforcement/09_HIPAAComplianceReviewExamples.asp

FTC "Red Flags Rule" Enforceable as of November 1, 2008

On October 31, 2007, the Federal Trade Commission issued Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy, applicable to financial institutions and creditors, effective January 1, 2008.  The rules require covered institutions to adopt programs to combat identity theft related to their accounts, and are enforceable beginning November 1, 2008.  For the FTC's initial announcement, please see  http://www.ftc.gov/opa/2007/10/redflag.shtm
For the text of the rule itself, from the Federal Register, please see  http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
The FTC's June 2008 Business Alert about Red Flag requirements is available at:  http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.pdf
The National Conference of State Legislatures hosts a listing of state identity theft laws at: http://www.ncsl.org/programs/lis/privacy/idt-statutes.htm

Providence Health & Services Hit With HIPAA Fines and Corrective Action for Privacy and Security Rule Violations

On July 17, 2008, the Department of Health and Human Services (HHS) announced it had reached an agreement with Seattle-based Providence Health & Services to settle HIPAA complaints related to the loss of laptops and backup media with information on over 386,000 patients in 2005 and 2006.  Providence will pay a $100,000 fine and be subject to a "robust" Corrective Action Plan involving the adoption of policies and procedures, training, audits, and reporting on compliance to HHS for three years.  A statement on the agreement is available on the HHS web site at http://www.hhs.gov/ocr/privacy/enforcement/resolution.html

Draft NIST Guidelines for Cell Phones & PDAs, and Firewalls

On July 7, 2008, the National Institute of Standards and Technology (NIST) released draft security guidelines providing an overview of cell phone and personal digital assistant (PDA) devices in use today and insights for making informed information security decisions regarding their treatment.  The four-page executive summary should be read by all users of such devices.  Draft SP 800-124 gives details about the threats, technology risks, and safeguards, and is available at:  http://csrc.nist.gov/publications/drafts/800-124/Draft-SP800-124.pdf

On July 9, 2008, NIST released a draft of Revision 1 of Special Publication 800-41, Guidelines on Firewalls and Firewall Policy.  Draft SP 800-41 Rev. 1 provides recommendations on developing firewall policies and on selecting, configuring, testing, deploying, and managing firewalls.  While SP 800-41 may be most useful to network specialists, it does provide an excellent technology overview that is quite useful to non-technical types as well. The Rev. 1 draft is available at:  http://csrc.nist.gov/publications/drafts/800-41-Rev1/Draft-SP800-41rev1.pdf

More Than 88% of States Have Security Breach Notice Laws

As of June 20, 2008, at least 44 states, the District of Columbia, and Puerto Rico now have information security breach notification laws in place.  If your business or any of your customers or employees are located in any of these states, you must comply with their breach notification laws.

To see if your state or your customers' or employees' states have breach notification laws, please see the National Conference of State Legislatures' Web site at: http://www.ncsl.org/programs/lis/cip/priv/breach.htm

Verizon Releases Data Breach Investigations Report

In June 2008, the Verizon Business Risk Team released its 2008 Data Breach Investigations Report, which studies more than 500 cases over four years and comes to several worrying conclusions: two-thirds of incidents involved data the victim did not even know was on the system, three-quarters of breaches were not discovered by the victim, and 87% were avoidable through reasonable controls.  In addition, more than 40% of breaches involved business partners of the victim, a five-fold increase since 2004.  The report is exceptionally well-founded and includes recommendations on simple steps to be taken to prevent breaches.

To download a copy of the report, please visit: 

House Considers Tightening HIPAA Privacy and Security

A May 22, 2008 draft bill (HR 6357, the Protecting Records, Optimizing Treatment, and Easing Communication through Health Care Technology Act, or PROTECT Act) circulating in the U.S. House of Representatives would offer grants for the adoption of electronic medical records, would directly cover healthcare business associates under HIPAA, would require notification of patients in the event of a security breach, and would require accounting of all disclosures of electronic health information for treatment, payment, and operations, among other provisions.  The draft language is available at: http://energycommerce.house.gov/HealthIT_2008/hitec_003_xml.pdf

July 1, 2008 update: The bill passed the Health Subcommittee of the House Energy and Commerce Committee by voice vote June 25, 2008, and awaits consideration by the House Science and Technology and Ways and Means Committees.  Negotiations on the Senate version (S 1693) are continuing.

July 22, 2008 update: Story in Healthcare IT News: The Committee on Energy and Commerce announced it will mark up the PRO(TECH)T Act of 2008 Wednesday (7/23) in an effort to move healthcare IT legislation through Congress before the close of the year. See the complete article at: http://www.healthcareitnews.com/story.cms?id=9621&page=1

July 23, 2008 update: Approved as amended in Energy and Commerce committee by voice vote.  Includes new consent requirements for the use of information in healthcare operations.  Next up are Science and Technology, and Ways and Means Committees.

NIST Announces Draft of Update to HIPAA Security Guide

On May 2, 2008, the National Institute of Standards and Technology announced the release of the public draft of Special Publication 800-66 Revision 1, An Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Draft). This guide discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule.  The draft is available at: http://csrc.nist.gov/publications/PubsDrafts.html#800-66-Rev1

PCI Security Standards Council Updates Standard

On April 22, 2008, the PCI Security Standards Council announced further clarification for PCI DSS Requirement 11.3, regarding penetration testing, which includes network and application layer testing as well as the controls and processes around the networks and applications, and for Requirement 6.6, which becomes effective on June 30, 2008, regarding application code review and application firewalls.  Requirement 6.6 provides two options intended to address common threats to cardholder data and ensure that input to web applications from untrusted environments is fully inspected.  The announcement is available at: https://www.pcisecuritystandards.org/pdfs/04-22-08.pdf and the information supplements detailing the updates are available at: https://www.pcisecuritystandards.org/tech/supporting_documents.htm

NIST Releases Revised Security Incident Handling Guide

On March 7, 2008, the National Institute of Standards and Technology (NIST) released a revision of the Computer Security Incident Handling Guide, NIST SP 800-61 Revision 1.  According to the announcement, the revised guide "seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently.  The publication includes guidelines on establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents."  The revised guide is available at:

CMS Says What They'll Ask For At HIPAA Security Reviews

On February 20, 2008, CMS posted on its Web site a two-page list of individuals to be interviewed and information to be requested in the course of the HIPAA Security Compliance Reviews being conducted in 2008.  CMS cautions on its enforcement Web page that "the document is not a comprehensive list of applicable investigation/review areas nor does it attempt to address all non-compliance scenarios," meaning it is really only a starting point for a general evaluation, and different information may be requested in different cases depending on circumstances.  CMS's page on HIPAA enforcement is at:
The Information Request for Onsite Compliance Reviews is at:
or http://tinyurl.com/2gaswf

PCI Self-Assessment Questionnaire Updated

On February 6, 2008, the PCI Security Standards Council released a new set of self-assessment questionnaires for merchants and service providers processing payment cards.  The new questionnaire, version 1.1, comes in four versions to be used depending on how payments are processed.  The press release is available at: https://www.pcisecuritystandards.org/pdfs/02-06-08.pdf  The questionnaire is available at: https://www.pcisecuritystandards.org/tech/saq.htm

CMS Announces HIPAA Security Compliance Reviews

At the January 16, 2008 CMS/NIST workshop on HIPAA Security (attended by Jim Sheldon-Dean), CMS officials announced that they plan to review compliance with the HIPAA Security Rule at 10 to 20 hospitals over the next nine months.  With the assistance of contractor PricewaterhouseCoopers, CMS will review one facility with an eye to refining the review process, and then will apply the process to the remainder of the target institutions, which will typically include hospitals about which CMS has received complaints and hospitals handling large numbers of records, in this first round of Security Rule enforcement action.

Foreign Hackers Seeking Health Information

At the same January 16, 2008 CMS/NIST workshop, Homeland Security Analyst Mark Walker said that foreign hackers, primarily from Russia and China, are focusing increasingly on health information.  He said that a virus had been placed on a CMS server in 2007, among several issues, and called for reporting of all health data breaches to authorities.

California Breach Law Now Includes Health Information

As of January 1, 2008, the California Information Security Breach Notification law has been expanded to include electronic medical information and health insurance information.  The original California law was the first such law in the nation, and spawned similar legislation now in effect in more than two-thirds of US states.  It may be expected that other states will follow California's lead once again.


Copyright © 2002-2023 Lewis Creek Systems, LLC  Charlotte, Vermont, USA