HHS OIG Slams HHS OCR for HIPAA Audit Program Deficiencies
The US Department of Health and Human Services Office of Inspector General (OIG) issued a report in late November 2013 that is highly critical of the work done by the HHS Office for Civil Rights (OCR) in implementing the requirement, enacted in the HITECH Act of February 2009, that audits of HIPAA Security Rule compliance be performed. In addition, OIG found that the systems OCR itself used to manage its audit process were not implemented securely.
The OIG report, titled The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule, calls for better controls on the HITECH auditing process and systems used by HHS, and implementation of periodic Security Rule audits. See: http://oig.hhs.gov/oas/reports/region4/41105025.pdf
The impact of the report is that it may be now expected that efforts to audit HIPAA Security Rule compliance will be increased, putting additional pressure on HIPAA entities to do the work necessary for HIPAA Security Rule compliance now.
PCI Security Standards Council Releases DSS v3.0, eff. 1/1/14
On November 7, 2013, the PCI Security Standards Council released version 3.0 of the PCI Data Security Standard, to which all payment card merchants and data handlers are held, effective January 1, 2014, with a compliance deadline of July 1, 2015. The new version emphasizes maintaining awareness of threats and education to help ensure secure use of systems. PCI documentation is available at: https://www.pcisecuritystandards.org/security_standards/documents.php?agreements=pcidss&association=pcidss For an overview of PCI DSS compliance, see: https://www.pcisecuritystandards.org/security_standards/index.php The press release from PCI, including many details of the changes, is available at: https://www.pcisecuritystandards.org/pdfs/13_11_06_DSS_PCI_DSS_Version_3_0_Press_Release.pdf
HHS OCR Holds Accounting of Disclosures Hearing
On September 24, 2013, the US Department of Health and Human Services Office of Civil Rights announced that the HIT Policy Committee's Privacy and Security Tiger Team will be holding a virtual, public hearing to explore practical ways to provide patients with greater transparency about the uses and disclosures of their electronic PHI, to facilitate implementation of the HITECH requirement that a patient’s right under the HIPAA Privacy Rule to an "accounting" of disclosures include disclosures for "treatment, payment and operations" when such disclosures are made through "an electronic health record." This hearing will be held on Monday, September 30 from 11:45 a.m. to 5:00 p.m. EDT. To listen to this meeting, see: http://www.healthit.gov/facas/calendar/2013/09/30/policy-privacy-security-tiger-team-virtual-hearing
The Tiger Team invites members of the public to provide written answers to key discussion questions through the ONC blog at: http://www.healthit.gov/buzz-blog/. The Tiger Team will consider these answers as it continues to deliberate and make recommendations on these issues. In addition, the hearing will include time for public comments from 4:45 to 5:00 p.m. EDT.
HHS Issues Guidance on Decedents, Student Immunizations, Law Enforcement
On September 19, 2013, a busy day at the HHS Office for Civil Rights, OCR issued guidance on decedents and student immunizations, as well as the guidance and delay announcement below, and, the next day, released a guide to HIPAA for Law Enforcement. The guidance documents, and other essential HIPAA news from HHS, are at: http://www.hhs.gov/ocr/privacy/
HHS Refill Reminders Guidance and Enforcement Delay
On September 19, 2013, the HHS Office for Civil Rights (OCR) issued guidance on how the changes to the HIPAA Privacy Rule’s marketing provisions apply to refill reminders and other communications about drugs or biologics currently being prescribed for individuals. The new Fact Sheet and corresponding FAQs explain how the refill reminder exception to the marketing rule works, the scope of communications that fall within the exception, and the types of third party payments that are considered “reasonable”.
In addition, OCR will not enforce the restrictions on refill reminders for a period of 45 days following the September 23, 2013, compliance date, or until November 7, 2013.
HHS Delays HIPAA NPP Enforcement for CLIA Laboratories
On September 19, 2013, the US Department of Health and Human Services Office of Civil Rights announced that it would delay enforcement of the required update of the HIPAA Notice of Privacy Practices for HIPAA-covered laboratories that are subject to CLIA or otherwise not required to provide access to individuals under HIPAA, not including any laboratories that are part of a larger entity and do not have their own separate NPP. The delay is being allowed because such notices will need to be updated when the CLIA regulations are updated, which is expected soon, and it would be a burden to have to update twice over a short period of time. The delay was announced just four days before the new rules became enforceable. The announcement is available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/clia-labs.html
HHS OCR and ONC Release HIPAA Privacy Notice Templates
On September 16, 2013, the US Department of Health and Human Services Office of Civil Rights and the Office of the National Coordinator for Health IT published a set of templates in four formats, for both providers and health plans, and instructions for use, for HIPAA Notices of Privacy Practices, that include the required changes pursuant to the HIPAA Omnibus Update of 2013. The templates are available at: http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
In related news, the AMA released in September 2013 updated tools for HIPAA Privacy and Security Compliance, including new sample Notice of Privacy Practices and Business Associate Agreement templates, as well as toolkits and FAQs. See: http://www.ama-assn.org/go/hipaa
PHI on Old Copier Yields $1.2 million Settlement with Affinity
On August 14, 2013, the US Department of Health and Human Services announced that it will settle potential HIPAA violations with Affinity Health Plan, Inc. for $1,215,780, as a result of a breach involving the information of more than 340,000 individuals that was left on a leased copier purchased by CBS Evening News as part of an investigation into private information held on old copiers. The CBS Evening News story that identified the breach is available at http://www.youtube.com/watch?v=iC38D5am7go
Part of the settlement includes a corrective action plan that requires Affinity to try to retrieve all the old copiers it has ever returned under leases so that PHI may be properly destroyed. The agreement and CAP are available on the HHS OCR Web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/affinity-agreement.html
Also included in the news release was additional information on copier compliance:
• For more information on safeguarding sensitive data stored in the hard drives of digital copiers: http://business.ftc.gov/documents/bus43-copier-data-security.
• The National Institute of Standards and Technology has issued guidance on media sanitization: http://csrc.nist.gov/publications/drafts/800-88-rev1/sp800_88_r1_draft.pdf.
• OCR offers free training on compliance with the HIPAA Privacy and Security Rules for continuing medical education credit at http://www.medscape.org/sites/advances/patients-rights.
Australian Defence Signals Directorate Releases Security Guides
In July 2013, the Australian Defence Signals Directorate released information security advice that is useful for healthcare security professionals to consider as they discover and plan for mitigation of information security risks. One of the guides, Top 4 Strategies to Mitigate Targeted Cyber Intrusions, available at http://www.dsd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm provides ways to eliminate 85% of all threats. Another of the guides focuses on Assessing Security Vulnerabilities and Patches, and is available at http://www.dsd.gov.au/publications/csocprotect/assessing_security_vulnerabilities_and_patches.htm. A third guide, released in April of 2013, discusses Additional Security Considerations and Controls for Virtual Private Networks; see http://www.dsd.gov.au/publications/csocprotect/addtional_security_considerations_and_controls_for_vpn.htm. These guides are written for the use of all levels of the Australian government but are compact, easy to understand, and provide a great foundation for security. All of the guides are available on the Web pages listed above, and as downloadable .pdf files on those pages.
WellPoint Gets $1.7 million Settlement for Insecure Database
On July 11, 2013, the US Department of Health and Human Services announced that the managed care company WellPoint, Inc. has agreed to a $1.7 million settlement to resolve HIPAA Privacy and Security Rule potential violations regarding weaknesses in an online application database. WellPoint did not have good access control policies and procedures in place, did not do a technical evaluation of a software upgrade, and did not have technical safeguards to verify the identity of those accessing the database. 612,402 individuals were affected by the breach, which took place in 2010.
Potential violations like this are easily prevented if a good information security management process is instituted. The Press Release can be found on the HHS News page: http://www.hhs.gov/news/press/2013pres/07/20130711b.html and the Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/wellpoint-agreement.html.
NIST Releases Revised Guidelines for Mobile Device Security
On June 24, 2013, the National Institute of Standards and Technology announced the final release of Special Publication (SP) 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise. The purpose of the guide is to help organizations centrally manage and secure mobile devices against a variety of threats, providing recommendations for selecting, implementing, and using centralized management technologies, and explaining the security concerns inherent in mobile device use. The scope of SP 800-124 Revision 1 includes securing both organization-provided and personally-owned (bring your own device) mobile devices. The guidelines are available at http://csrc.nist.gov/publications/PubsSPs.html#800-124
Shasta Regional Medical Center Settles HIPAA Case for $275K
In a June 14, 2013 announcement, the US Department of Health and Human Services let it be known that there is no such thing as an implied authorization for release of PHI. Officials at Shasta Regional Medical Center discussed a patient's PHI with staff and the press following a disclosure to the press by the patient. Even when the patient has released the same information, an authorization must be given for the covered entity to release the information.
The settlement includes $275,000 and a Corrective Action Plan covering all facilities of the organization. The Press Release can be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement-press-release.html and the Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement.pdf
New Unofficial HIPAA Combined Rule Issued by HHS OCR
On June 13, 2013, the US Department of Health and Human Services Office for Civil Rights released an updated Combined Regulation Text of All Rules pertaining to HIPAA, including the Omnibus Update and the June 7 Technical Corrections. This combined rule document is now the go-to source for HIPAA regulations. (It is referred to as an unofficial document because the only official rule is what is published in the Federal Register.) The new combined rule is at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html
Technical Corrections Issued for Omnibus Update Regulations
On June 7, 2013, technical corrections to the HIPAA Omnibus update were issued by the US Department of Health and Human Services Office for Civil Rights. The corrections, mostly minor typos and such, do clarify several internal references and should be used together with the Omnibus update rule and the prior unofficial 2006 combined rule published by HHS OCR to define the current HIPAA rules.
The technical corrections are available in PDF Federal Register format at http://www.gpo.gov/fdsys/pkg/FR-2013-06-07/pdf/2013-13472.pdf, the Omnibus update is at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf and the 2006 unofficial (non-Federal Register) combined rule is at http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf. It is hoped that HHS OCR will release a new unofficial combined rule including all the HITECH modifications and technical corrections sooner rather than later.
Idaho State University Settles HIPAA Security Case for $400K
At the close of the first day of the annual NIST-OCR HIPAA Security conference in Washington, DC, just in time for OCR Director Leon Rodriguez to discuss it in his day-two keynote address, HHS released information about a new $400,000 settlement for HIPAA Security Rule violations, this time related to a breach of the records of 17,500 patients at ISU's Pocatello Family Medicine Clinic, caused by some server firewalls being disabled for most of a year, and by the lack of a real Risk Analysis and of system activity reviews that could have prevented or limited the breach, among other violations. The press release is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/isu-agreement-press-release.html.html and the Resolution Agreement is available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/isu-agreement.pdf
New HHS HIPAA Educational Tools for Consumers, Providers
On April 30, 2013, the US Department of Health and Human Services Office for Civil Rights announced new tools to educate consumers and providers about the HIPAA Privacy and Security Rules. See http://www.hhs.gov/ocr/privacy
OCR has posted a series of fact sheets for consumers, available in eight languages, about consumer rights under the HIPAA Privacy Rule, on OCR’s website at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers
The fact sheets complement a set of seven videos released earlier this year on OCR’s YouTube channel. A video on The HIPAA Security Rule has been designed for providers in small practices and offers an overview of how to establish basic safeguards to protect patient information and comply with the Security Rule’s requirements. The videos are available on the HHS OCR YouTube Channel at http://www.youtube.com/user/USGovHHSOCR
OCR has also launched three modules for health care providers that offer free Continuing Medical Education (CME) credits for physicians and Continuing Education (CE) credits for health care professionals, on compliance with various aspects of the HIPAA Privacy and Security Rules, available at Medscape.org:
• Patient Privacy: A Guide for Providers
• HIPAA and You: Building a Culture of Compliance
• Examining Compliance with the HIPAA Privacy Rule
Reports on Breaches Show Weaknesses, Identity Theft
In addition to the Verizon report noted in the story below, additional reports have been released looking at data breaches and healthcare information. In a new study, Ponemon Institute surveyed a sample of privacy and compliance leaders in various organizations about their expectations of having a breach, their breach prevention practices, and their data breach response plan, and found that among healthcare organizations, 94% had had a breach in the last two years, 39% had no breach response plan, and only 19% were equipped to determine the size or causes of breaches. The report is available at: http://www.experian.com/data-breach/readiness-survey.html
Separately, analysis by Javelin Strategy and Research on the results of the massive Utah PHI breach in 2012 that affected 780,000 people found that 25% of all affected individuals had suffered identity theft, and that costs of the incident, caused by a simple but entirely preventable human error, approach a total of over $400 million. The analysis is available at: https://www.javelinstrategy.com/blog/2013/04/28/financial-pain-ensues-when-custodians-of-health-fail-to-be-good-stewards-of-privacy/
2013 Verizon Data Breach Investigations Report Released
On April 23, 2013, the Verizon 2013 Data Breach Investigations Report was released, describing the security threat landscape and characteristics of breaches over the last year. The report includes information about 621 confirmed data breaches as well as more than 47,000 reported security incidents that were investigated by Verizon and 18 of its global partners, including law enforcement.
Probably the most damning statistic is that the vast majority of breaches are discovered by someone other than the entity having the breach. As always, if you are serious about security, you need to review this annual report.
The report is at: http://www.verizonenterprise.com/DBIR/2013/ and a related story in GovInfoSecurity.com is at: http://www.govinfosecurity.com/interviews/verizon-report-ddos-broad-threat-i-1892
NIST/OCR HIPAA Security Conference Announced: May 21-22
The National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) are co-hosting the 6th annual conference Safeguarding Health Information: Building Assurance through HIPAA Security on May 21 & 22, 2013 at the Ronald Reagan Building and International Trade Center in Washington, D.C., exploring the current health information technology security landscape and the HIPAA Security Rule, and highlighting the present state of health information security, and practical strategies, tips and techniques for implementing the HIPAA Security Rule.
Presentations will cover a variety of topics including the Omnibus HIPAA/HITECH Final Rule, identity management, strengthening cybersecurity in the health care sector, integrating security safeguards into health IT, managing insider threats, securing mobile devices, and more. Participants can choose to participate on-site, or through a live web cast. Lunch and refreshments are included in the on-site registration fee and all registrations include access to archived webcast presentations and materials.
Visit the conference web page for more information and registration: http://www.nist.gov/itl/csd/2013-hipaa-conference.cfm
HHS to Survey Entities Receiving a 2012 HIPAA Audit; New Audit Effort to Begin in FY 2014, beginning October 1, 2013
On March 19, 2013, the US Department of Health and Human Services announced it will be surveying those entities subjected to the random audit program in 2012, to help design the revised HIPAA random audit program, now slated to restart in the next Federal Fiscal Year, which begins October 1, 2013, barely a week after the new HIPAA rules go into effect.
The announcement is available at https://www.federalregister.gov/articles/2013/03/19/2013-06281/agency-information-collection-activities-proposed-collection-public-comment-request
A story on the announcement in Health Data Management is available at http://www.healthdatamanagement.com/news/hipaa-privacy-security-breach-notification-enforcement-45853-1.html and in iHealthBeat at http://www.ihealthbeat.org/articles/2013/3/19/ocr-seeks-input-on-survey-of-hipaa-audit-program-participants.aspx
HHS OCR Hiring Staff for HIPAA Enforcement Activity
On February 27, 2013, the US Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) Office of the Deputy Director Health Information Privacy (ODDHIP) announced several job positions, since closed March 12, seeking experience in privacy and security compliance and enforcement as well as in the areas of policy, outreach, and health information technology systems. The OCR Division of Health Information Privacy enforces the HIPAA Privacy and Security Rules and the confidentiality provisions of the Patient Safety and Quality Improvement Act.
It is unknown what impact the Sequester will have on these positions, but the indication is clear that HIPAA enforcement activity will be on the increase.
H-P Print Server Software Vulnerable to Attack by Hackers
A story published January 23, 2013 on the Information Week Web site indicates that any printers using H-P JetDirect print server software may be hacked to allow access to copies of documents previously printed, among other vulnerabilities. The software is used by many printer manufacturers, not only H-P.
Users of printers that use JetDirect should ensure they have applied all patches issued and work with vendor support to find ways to delete copies of printed documents until new patches are developed by H-P. The article is at: http://www.informationweek.com/security/vulnerabilities/security-flaws-leave-networked-printers/240146805
HIPAA Business Associate Agreement Language Updated
On January 25, 2013, the US Department of Health and Human Services updated on its Web site the sample language for Business Associate Agreements meeting the requirements of the new final HIPAA rule, published the same day. While the language should always be finalized by your own attorney, the sample language does show the required elements any agreement should contain. The sample language is available at the same address as the old sample language: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
HIPAA Final Omnibus Rule Finally Released, Major Changes
On January 17, 2013, the US Department of Health and Human Services released the new final HIPAA rule for all the HITECH Act changes (and more, with the exception of the proposed Accounting of Disclosures changes). The rule will be published January 25, 2013 in the Federal Register, goes into effect 60 days later, and is enforceable by September 23, 2013.
Significant changes from the proposed and interim final rules include allowing entities with Business Associate Agreements using the old language before the publication date of the rule (not the effective date, as proposed) 18 months to update the agreement to the new rules.
Also significant is the elimination of the "Harm Standard" in the Breach Notification Rule, replaced with a risk assessment to determine if there is a "low probability of compromise" of the data.
The changes from the current and proposed rules are significant and will be discussed in further detail over the coming weeks. The Rulemaking announced January 17, 2013 may be viewed as a PDF and in the Federal Register at https://www.federalregister.gov/articles/2013/01/25/2013-01073/hipaa-privacy-security-enforcement-and-breach-notification-rules. The HHS Press Release is at: http://www.hhs.gov/news/press/2013pres/01/20130117b.html.
HIPAA Settlement for Laptop Breach at Idaho Hospice Agency
The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential violations of the HIPAA Security Rule. An unencrypted laptop computer containing the electronic protected health information of 441 patients had been stolen, and OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI and did not have in place policies or procedures to address mobile device security.
From the press release: “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
Here's the link to the HHS OCR news release on the settlement, with links to the agreement, and to guidance on how to protect mobile data: http://www.hhs.gov/news/press/2013pres/01/20130102a.html
HHS ONC Introduces New Site for Mobile Device Security
On December 12, 2012, the US Department of Health and Human Services Office of the National Coordinator for Health IT made available a new web site dedicated to Mobile Devices and Health Information Privacy and Security. The site is intended to help hospitals and physicians better understand how and why to protect sensitive health data stored on mobile devices. The site includes explanatory videos, fact sheets and downloadable posters. See: http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security
HHS OCR Releases Guidance on De-Identification of PHI
On November 26, 2013 the US Department of Health and Human Services Office for Civil Rights published Guidance Regarding Methods for De-identification of PHI in Accordance with HIPAA via a web page that includes general statements of guidance as well as frequently asked questions that help illustrate the guidance. There is actually a lot of useful information on the page and it would be of great use to anyone wrestling with issues of de-identification and PHI under HIPAA. See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html
Verizon Data Breach Investigations Report 2012 Snapshots
In March, 2012, the Verizon RISK Team released the 2012 Data Breach Investigations Report, detailing trends in information security based on numerous incidents investigated in 2011. In general, the external threats are growing, in particular for "soft" targets like hospitality and healthcare. The Verizon page with links to the 2012 report (available as a PDF or as a free iBook) and reports from 2009-2011 is at: http://www.verizonbusiness.com/about/events/2012dbir/
There is also a Healthcare Industry-specific snapshot of the report available at: http://www.verizonbusiness.com/resources/reports/rp_dbir-industry-snapshot-healthcare_en_xg.pdf Make sure you take care of their basic recommendations to avoid security issues!
Verizon Announces HIPAA-compliant Cloud Services and BAA
On October 1, 2012, Verizon Enterprise Solutions unveiled a comprehensive cloud and data center infrastructure portfolio specifically designed to meet HIPAA requirements for safeguarding electronic protected health information. Where appropriate, Verizon is prepared to sign a HIPAA Business Associate Agreement, unlike many other cloud service providers. The press release is available at http://www.verizonbusiness.com/about/news/pr-25994-en-Verizon+Introduces+Cloud+Portfolio+to+Help+Health+Care+Industry+Meet+HIPAA+Security+Requirements.xml and an article in Computerworld magazine on Verizon's announcement is available at http://www.computerworld.com/s/article/9231911/Verizon_launches_HIPAA_compliant_eHealth_cloud_service
NIST September ITL Bulletin Focuses on Incident Handling
On September 28, 2012, the NIST Computer Security Resource Center announced the availability of the September ITL Bulletin, focusing on the topic of the month: Revised Guide Helps Organizations Handle Security Related Incidents. The bulletin discusses the recently updated NIST SP 800-61 Computer Security Incident Handling Guide. The September, 2012 bulletin is available at: http://csrc.nist.gov/publications/nistbul/itlbul2012_09.pdf and SP 800-61 is available at http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
To view other NIST ITL (Information Technology Laboratory) Security Bulletins, see: http://csrc.nist.gov/publications/PubsITLSB.html
NIST Releases Updated Risk Assessment Guide SP 800-30 rev 1
On September 18, 2012, the National Institute of Standards and Technology released Revision 1 of Special Publication SP 800-30, Guide for Conducting Risk Assessments, which is the foundation of risk analysis procedures under HIPAA. The new guide is much larger, contains a great deal of background information, and is much harder for the average compliance officer to approach. It is thick with theory and explanations that only serve to obfuscate the meaning and goals. The process described is much more complicated than the one in the original version, and is not necessarily appropriate for many health care organizations.
So warned, the new version is available at: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf, and the old version (recommended) is still available at: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
ONC Releases Privacy & Security Training Game for Practices
The Office of the National Coordinator for Health Information Technology has released Cybersecure: Your Medical Practice, a game developed to teach good basic privacy and security principles for health care offices by requiring users to respond to privacy and security challenges. Users choosing the right response earn points and see their virtual medical practices flourish, and vice versa. The game is available at no cost at: http://www.healthit.gov/providers-professionals/privacy-security-training-games and additional resources from ONC are available at http://www.healthit.gov/providers-professionals/ehr-privacy-security
MEEI Gets $1.5 million Settlement for Laptop Security Issues
On September 17, 2012, the US Department of Health and Human Services Office For Civil Rights announced a $1.5 million settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) concerning insecure laptops and a lack of risk analysis, mitigation of risk, and policies and procedures. The HHS information page on the settlement, with links to the resolution agreement and more, is at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement.html
HIPAA Audit Protocol Quietly Revised, Has New Web Address
At some point during September, 2012, without announcement, the US Department of Health and Human Services Office For Civil Rights updated the recently released HIPAA Audit Protocol with some modifications, a few more questions, and some improvements in usability. The updated protocol is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html and the prior version is still at the old URL. The OCR page on the HIPAA Audit Program is at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
Revised NIST Computer Security Incident Handling Guide
During August, 2012, the National Institute of Standards and Technology published Revision 2 of the Computer Security Incident Handling Guide, an updated version of the very useful NIST Special Publication 800-61. NIST SP 800-61 Revision 2 includes major chapters on Organizing a Computer Security Incident Response Capability, Handling an Incident, and Coordination and Information Sharing, as well as appendices that include such information as Incident Handling Scenarios. Strongly recommended, available at: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
HIPAA Privacy, Security and Breach Audit Protocol Released
On June 26, 2012, The US Department of Health and Human Services Office for Civil Rights released the audit protocol for the current round of random HIPAA Privacy, Security, and Breach Notification compliance audits, to be completed by the end of 2012. In all, 115 random compliance audits for HIPAA covered entities are planned for 2012. See how your organization would do -- the audit protocol is available at http://ocrnotifications.hhs.gov/hipaa.html
The protocol has 165 questions, most with several sub-questions, and multiple references of comparisons to "established performance criteria" and "specified criteria" that are NOT defined in the protocol, limiting its usefulness, and there are some issues with some of the questions, but it is a great way to see just what kind of documentation you might be asked to produce in an audit. There is plenty of call for explanations and justifications under the addressable specifications, so it's clear that full documentation of your compliance decisions is necessary.
Unfortunately, there is no obvious way to simply download the entire table with all the cell contents showing so you can create your own tool or table and use their questions in a more accessible way, but the online access is of real value.
Alaska Medicaid Hit With $1.7 million Settlement for Security
On June 26, 2012, The US Department of Health and Human Services Office for Civil Rights announced it had reached a settlement of $1.7 million with the Alaska Department of Health and Social Services, the state Medicaid agency, for possible violations of the HIPAA Security Rule. A USB drive with PHI was stolen; investigation found inadequate policies and procedures, no risk analysis, incomplete security training, lack of device and media controls, not addressing encryption, and overall insufficient risk management measures.
The press release makes it clear that state agencies are not exempt from HIPAA. In addition to the penalty, the settlement calls for a corrective action plan and monitoring of compliance. There are no sacred cows in HIPAA compliance any more, not even up in Alaska. See the HHS OCR page on the settlement agreement at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html
California Releases HIPAA Security Toolkit for Small Providers
On June 7, 2012, the California Health and Human Services Agency’s (CHHS) Office of Health Information Integrity (CalOHII) announced the release of its HIPAA Security Rule Toolkit. It is an online toolkit that helps entities better understand the requirements of the HIPAA Security Rule and assists organizations in implementing HIPAA requirements. The online toolkit can be accessed via the CalOHII website: http://ohii.ca.gov/calohi/ The toolkit itself is available at: https://www.ohii.ca.gov/securitytool/compliance/login.aspx and the user guide is at: https://www.ohii.ca.gov/securitytool/downloads/CalOHII_HSR_User_Guide.pdf
NIST/OCR HIPAA Security Conference Presentations Released
On June 7, 2012, NIST released the presentation slides given at the 2012 NIST/OCR HIPAA Security Conference in Washington, DC, now available for download at http://csrc.nist.gov/news_events/hiipaa_june2012/presentations.html. The topics cover a great deal of useful information including one particularly useful study by the Office of the National Coordinator detailing the security features of various smart phones, laptops, and tablets. See the link for the ONC Mobile Device Project in the June 6 topic list. And the entire webcast of the presentations is available for viewing at: http://www.nist.gov/itl/csd/hipaa-security-conference-2012-webcast.cfm
HHS OCR Releases HIPAA Enforcement Training Materials for State Attorneys General
On June 4, 2012 the US Department of Health and Human Services Office for Civil Rights announced the availability of training materials in HIPAA Enforcement for State Attorneys General to help them use their new authority to enforce the HIPAA Privacy and Security Rules. The materials include videos and slides from in-person training sessions for State AGs conducted in 2011, as well as computer-based training modules that can be downloaded and saved to your own computer. Although developed for State AGs, the training materials provide a great deal of information about the content and enforcement of the HIPAA Rules that may be of interest to a broader audience. For more information, see: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/sag/sagmoreinfo.html
NIST Releases Cloud Computing Synopsis & Recommendations
On May 29, 2012, NIST released the final version of NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, which is NIST’s general guide to cloud computing. It explains cloud systems in plain language, provides recommendations for information technology decision makers, and presents information on how clouds are deployed, what kinds of services are available, economic considerations, technical characteristics such as performance and reliability, typical terms of service, and security issues. It also offers recommendations on how and when cloud computing is an appropriate tool, and surveys open issues for cloud computing. The guide is available at: http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf
Apple Releases its First Guide to iOS Security for Users and System Administrators
In May 2012 Apple released a new guide, iOS Security, providing details about how security technology and features are implemented within the iOS platform. It also outlines key elements that organizations should understand when evaluating or deploying iOS devices on their networks. The move is unprecedented for Apple; until now Apple has not provided definitive documentation for users and system administrators on using iOS security features and capabilities. See: http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf
Symantec Releases Internet Security Threat Report - 2011 Trends
Symantec released in April 2012 its Internet Security Threat Report: 2011 Trends spotlighting how the threat landscape is changing and what businesses and individuals should do to protect themselves. Troubling for Healthcare is the news that Healthcare reports more breaches by far than any other sector, 43% of the total, although it is ranked third, at 8%, for the number of identities exposed. This is an easy-to-use report that includes a lot of useful information, and is available at: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf
ONC Issues Guide to Protecting Privacy & Security of PHI
On May 8, 2012, The Office of the National Coordinator for Health IT released a 47-page 10-step plan for protecting the privacy and security of health data, developed in conjunction with the American Health Information Management Association. Any entity that wishes to attest to the meaningful use of their EHR so that they can receive Federal funding would be well advised to take note – if you're audited for meaningful use compliance, you will want to be sure you've covered these bases. The list of steps itself echoes many of the same themes we've been espousing for years, but makes it clear that if you want to attest to meaningful use, you need to take privacy and security seriously. The guide is available at: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
Questions Used in Current HIPAA Privacy and Security Audits
The Malvern Group's Sue Miller has published a briefing with a list of information requests submitted to the covered entity in one of the first round of random HIPAA Privacy and Security Rule compliance audits. The two-page list contains no real surprises – make sure you have policies and procedures and can show you've been using them – but it does provide the first publicly available list of questions specifically related to Privacy compliance as well as Security compliance questions. Sample security questions have been available for five years. For a copy of Sue Miller's briefing including the two-page questionnaire, please see: http://malverngroup.com/uploads/OCR_Audit_Document_Request_Brief_20120424_v_2.pdf
HHS Hits Phoenix Cardiac Surgery Group with $100K Penalty
On April 17, 2012 the US Department of Health and Human Services announced it has reached a settlement with Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, which has agreed to pay $100,000 and take corrective action to implement policies and procedures to safeguard the protected health information of its patients. The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).
This penalty hits the nail on the head: You can't ignore the HIPAA Security Rule any longer. Go read the press release (with links to the settlement agreement) at http://www.hhs.gov/news/press/2012pres/04/20120417a.html and take note -- every item they touch on I've been harping on for years now: Policies and Procedures, Training, Risk Analysis, and Business Associate Agreements; all ignored over a period of years. Sounds like a great poster child for how NOT to do HIPAA security compliance! Note the quote from Leon Rodriguez, director of OCR, in the release: "We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity."
NIST/OCR HIPAA Security Conference for 2012 Announced
On April 2, 2012, The National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced they are co-hosting the 5th annual conference Safeguarding Health Information: Building Assurance through HIPAA Security on June 6 & 7, 2012 at the Ronald Reagan Building and International Trade Center in Washington, D.C. The fee is just $395, a bargain for a two-day event featuring just about everyone you need to hear from or talk with about HIPAA Security. In fact, Jim Sheldon-Dean will be speaking on a panel discussing HIPAA Security Rule Toolkit Use Case studies during the conference the morning of June 7.
This event will highlight the present state of health information security, and practical strategies, tips and techniques for implementing the HIPAA Security Rule. The conference will offer important keynote addresses and plenary sessions as well as breakout sessions following two learning tracks around specific areas of security management and technical assurance. For information and registration, please see: http://www.nist.gov/itl/csd/hipaasec.cfm
New HIPAA Rules Submitted to OMB; Released by End of June?
On March 24, 2012, the Office of Management and Budget received the final new HIPAA rule changes, including final rules for all of the proposed and interim final rules put forth as a result of the HITECH Act, except for the rules pertaining to Accounting of Disclosures, but also including changes pursuant to the Genetic Information Nondiscrimination Act. OMB review is generally limited to 90 days, which would put release of the final rule at the end of June.
Expectations are that changes from the proposed and interim final rules will be minimal, with the possible exception of modifications to the "harm standard" within the Breach Notification Rule. The OMB Regulatory Dashboard for pending regulations is at http://www.reginfo.gov/public/jsp/EO/eoDashboard.jsp (scroll down to the section for HHS) and the status of the process for this rule is available at http://www.reginfo.gov/public/do/eoDetails?rrid=121784
Breaches Lead to Bankruptcy, $1.5 million Settlement; ANSI Report Shows Financial Impacts of Breaches of PHI
A March 12, 2012 entry in the WSJ Blog Bankruptcy Beat reports that a national firm that reviews medical records has filed for bankruptcy as a result of a break-in last New Year's Eve in their California office. The cost of dealing with the breach was more than the company was worth so the company filed for Chapter 7 bankruptcy. See: http://blogs.wsj.com/bankruptcy/2012/03/12/burglary-triggers-medical-records-firm’s-collapse/
March 13, 2012 saw several stories on the first reported settlement of violations discovered under the HIPAA Breach Notification Rule, by Blue Cross and Blue Shield of Tennessee, for $1.5 million. The breach involved the theft of 57 hard drives loaded with voice and video recordings of customer service conversations that included personal information. (BCBST now encrypts data at rest, but the recordings should probably have been securely disposed of before the drives were ever exposed to theft.) For the article in Modern Healthcare, please see: http://www.modernhealthcare.com/article/20120313/NEWS/303139960/ The settlement agreement between BCBST and HHS can be obtained at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/resolution_agreement_and_cap.pdf
In addition, a new report has just been released by the American National Standards Institute (ANSI): The Financial Impact of Breached Protected Health Information -- A Business Case for Enhanced PHI Security, available at no charge with registration. It includes information on how to calculate the potential costs of breaches, but you don't have to look far beyond the examples above to see the potential costs. See: http://webstore.ansi.org/phi/
NIST Releases Guidelines on Wireless Networks and Draft Update to SP 800-53 Recommended Security Controls
On February 21, 2012 the National Institute of Standards and Technology (NIST) released Special Publication 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs), a tidy little document providing valuable guidance on the security configuration and monitoring of wireless networks. The announcement is available at: http://csrc.nist.gov/news_events/index.html#feb21 and SP 800-153 is available at: http://csrc.nist.gov/publications/nistpubs/800-153/sp800-153.pdf
On February 28, 2012, NIST released its February ITL Bulletin, also focusing on guidelines for the secure use of wireless networks, available at: http://csrc.nist.gov/publications/nistbul/february-2012_itl-bulletin.pdf . Previous ITL Security Bulletins are available on the CSRC website at: http://csrc.nist.gov/publications/PubsITLSB.html
Also on February 28, 2012, NIST released the initial public draft of SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations which includes changes such as:
• New security controls and control enhancements;
• Clarification of security control requirements and specification language;
• New tailoring guidance including the introduction of overlays;
• Additional supplemental guidance for security controls and enhancements;
• New privacy controls and implementation guidance;
• Updated security control baselines;
• New summary tables for security controls to facilitate ease-of-use; and
• Revised minimum assurance requirements and designated assurance controls.
SP 800-53 is the go-to guide for protecting information, and this new version is updated to reflect the changing security landscape. The announcement is available at: http://csrc.nist.gov/news_events/index.html#feb28 and the draft is available at: http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf
CMS Proposes Meaningful Use Stage 2 Regs: Increased Security
On February 23, 2012 the Centers for Medicare and Medicaid Services (CMS) released the proposed Stage 2 regulations on Meaningful Use of EHRs, and the new rules call for increased attention to the security of data at rest, specifically on the portable devices that account for so many of the breaches reported to HHS. They also call for the use of secure messaging with patients.
The CMS fact sheet is at http://tinyurl.com/6rvrjex, the proposed regulation is at http://www.ofr.gov/OFRUpload/OFRData/2012-04443_PI.pdf, and I have posted an extract of the proposed rule covering the security issues here.
California Releases Updated Breach Handling Recommendations
On January 3, 2012, the California Office of Privacy Protection released a new version of their Recommended Practices on Notice of Security Breach Involving Personal Information, updated to reflect the latest changes in California law, as well as the latest thinking on security and breach prevention. This guide includes some excellent recommendations for anyone in any state to reduce the chances of a breach, as well as the specifics relevant to California. Available at: http://www.privacy.ca.gov/business/recom_breach_prac.pdf