Archive for Unsecure PHI

by Andrea Kraynak, CPC, senior managing editor, HCPro, Inc.

The HHS Office of the Inspector General (OIG) released two reports today questioning the efforts of the Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) in helping to ensure the protection of electronic protected health information (ePHI).

The report on the audit of ONC’s security efforts, “Audit of Information Technology Security Included in Health Information Technology Standards,” notes that ONC has application IT security controls in the interoperability specification but no HIT standards for general information IT security controls (e.g., policies and procedures for an organization’s overall computer operations or to create a secure environment for application systems and controls).

“We found a lack of general IT security controls during prior audits at Medicare contractors, State Medicaid agencies, and hospitals. Those vulnerabilities, combined with our findings in this audit, raise concern about the effectiveness of IT security for HIT if general IT security controls are not addressed,” according to the report.

OIG recommends that the ONC take a number of steps in addition to developing standards for general IT security controls, including offering guidance on HIT security standards and best practices to the industry, emphasizing the importance of HIT and working with the OCR and CMS to develop security controls.

Meanwhile, the report detailing the OCR’s and CMS’ efforts, “Nationwide Rollup Review of the CMS HIPAA Oversight,” focuses on seven hospital audits. OIG identified 151 vulnerabilities concerning ePHI, the vast majority of which it categorized as “high impact”. Issues included wireless access vulnerabilities, ineffective encryption, and lack of monitoring. The report stated the following:

These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge.

The report found CMS’ prior enforcement actions to be insufficient and notes that while the OCR has a process for conducting compliance reviews in situations unrelated to complaints, it has not done so.

Jan 26

Patient letter goes to wrong fax


Our transcriptionist accidentally faxed a patient letter to the wrong number. The information included patient name, date of birth, and family physician name.

This letter only included that the patient had a normal eye exam. Is this a reportable violation of the HITECH policy?

Thank you for your time,

S. Russell

The Office for Civil Rights (OCR) in all likelihood will publish a draft or interim final rule outlining the new requirements for composing and updating business associate (BA) contracts in February, the same month BAs must comply with HIPAA’s security rule, one HIPAA expert tells HIPAA Update.

Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, and also a board member of the Workgroup for Electronic Data Interchange (WEDI), spoke with an HHS official at WEDI’s 2009 Fall Conference in Baltimore earlier this month.

Apgar says HHS, which oversees OCR, is in the “process of trying to put out a fair number of rules, from what does a BA contract need to contain to the ‘meaningful use’ definition [on EHRs] as well as look at plans to help the healthcare industry prepare for ICD-10 conversion, and the implementation of the HIPAA 5010 transaction and code sets.”

Covered entities must update their contracts with BAs by February 17, 2010, the statutory compliance date in the American Recovery and Reinvestment Act (ARRA).

The government also hopes to synchronize Medicare and Medicaid rules for reimbursement incentives for “meaningful users” of EHRs. The draft rule on the definition of meaningful use is due by December 31, 2009.

The WEDI conference focused on the Health Information Technology for Economic and Clinical Health Act (HITECH), which is part of ARRA, as well as on funding and breach notification.

While OCR may publish rules on BA contracts in February, Apgar says covered entities should not wait until then to update their BA contracts.

“That’s the thing that needs to be emphasized—you can’t wait until the rules are final,” Apgar says. “If you’re waiting, my advice is don’t because the statutory deadline is February 17, 2010.”

As for enforcement, Congress promised in ARRA “periodic audits” to ensure HIPAA compliance. Government officials told HIPAA Update in September they weren’t sure what that meant, and Apgar says OCR still does not have a definitive plan. It will likely not publish a plan until the second quarter of 2010.

“If you’ve got a headline [because of a major breach], they’re likely going to come and investigate you,” Apgar says. “But they’re wavering on how they will conduct compliance audits. Not because they’re not going to do it, but because they don’t know when yet. The House version of the healthcare reform bill calls for more strict enforcement than ARRA, so they want to wait to see what comes out in healthcare reform.”

Apgar adds the government can fine up to $50,000 for one HIPAA violation and a maximum of $1.5 million for the same type of violation per calendar year—regardless of the severity of the breach.

Nov 25

Expert: Encryption best way to go


It seems as if everyone is talking about encryption these days, and that is certainly the case on our HIPAA Update blog.

HHS added encryption layers in its interim final rule on breach notification to specify the technologies and methods that render PHI “unusable, unreadable, or indecipherable to unauthorized individuals.” Some of these layers were not specified in draft guidance HHS released in April.

“You now need to really consider encryption,” says Jeff Drummond, HIPAA blogger and health law partner in the Dallas office of Jackson Walker, LLP. “That’s sort of your first opportunity to avoid breach notification. You can’t do much about your paper records other than destroying them, which eliminates their utility. But for electronic data, you can keep it and use it, but should encrypt so it is considered ‘secured’ under HIPAA.”

In the interim final rule, the definitions for acceptable encryption include:

Covered entities and business associates can protect themselves against the dangers of unsecured social networking Web sites and communication practices by taking a hard stance against them, experts advise.

You can protect your organization by investing in communication devices such as BlackBerry® smartphones and banning sites such as Facebook and Twitter from hospital computers, says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR.

Education is essential, and it must be specific—it’s no good if it’s vague, he says.

Use these four models together to educate employees and protect your facility:

  • New employee training (i.e., orientation)
  • Annual refresher training
  • Security reminders (e.g., weekly helpful e-mails, information in the hospital newsletter, messages that flash on staff member computer monitors)
  • Communication policy: During annual staff member performance reviews, require staff members to acknowledge in writing that they have read and understood the policy

Teach clinical staff members to adopt the habit of texting messages that express urgency without including PHI. For example, write “Call me” or “I have an important message and I’m going to leave you a voicemail.” Then, if you lose information, you’re not losing anything that’s personally identifiable.

Editor’s note: This is an excerpt from an article in the November edition of the HCPro, Inc. newsletter, Briefings on HIPAA.
