Protected Health Information (PHI) Particularly At Risk for Theft

Unsecured protected health information is defined as “protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under [the HITECH Act]” [45 CFR 164.402, at 78 Federal Register 5695, January 25, 2013].  That Guidance, included in the Breach Notification Interim Final Rule published in the Federal Register on August 24, 2009 [74 Federal Register 42740-42770], specifies “the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,” including appropriate encryption for PHI at rest and PHI in motion, and appropriate methods for destroying PHI in electronic or hard-copy form.  Only PHI secured in one of these ways falls outside the breach notification requirement, and the Guidance further requires that the decryption key be stored on a device or at a location separate from the data it protects.  The Guidance is available online from the Office for Civil Rights (OCR) at: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html.

CMS Releases Final Data Privacy and Security Rules for Purchasers of Health Insurance on ACA Insurance Exchanges

On May 14, 2014, the Secretary of Health and Human Services (HHS) approved, and the Centers for Medicare & Medicaid Services (CMS) released, standards pertaining to the privacy and security of personally identifiable information in a Final Rule entitled:  Patient Protection and Affordable Care Act; Exchange and Insurance Market Standards for 2015 and Beyond.  This document will be published in the Federal Register on Tuesday, May 27, 2014, but is available for public inspection now at:  https://www.federalregister.gov/public-inspection/search?conditions%5Bterm%5D=RIN+0938-AS02.  The effective date is July 28, 2014, except for amendments to 45 CFR 155.705 [Functions of a Small Business Health Options Program (SHOP)] that are effective on the date of publication in the Federal Register.


WSJ Article Addresses Password Usage in “Despite Data Thefts, the Password Endures” with Implications for HIPAA Compliance

The May 22, 2014, Wall Street Journal discusses the enduring computer “password” in the article referenced in the title, which is available online at:  http://online.wsj.com/news/articles/SB10001424052702303851804579557821243874870?mg=reno64-wsj.  The article states:  “[d]espite data breaches and warnings from security experts, people cling to easy-to-remember passwords and often use the same ones for many accounts.”


AHIMA Survey Indicates Healthcare Industry Lags on Implementing ‘Information Governance Policies and Procedures’

On May 20, 2014, iHealthBeat, a service of the California HealthCare Foundation, published preliminary results from a survey conducted by the American Health Information Management Association (AHIMA) in an article entitled:  “Survey:  Health Care Sector Lags in Information Governance Programs.”  The article is available online at:  http://www.ihealthbeat.org/articles/2014/5/20/survey-health-care-sector-lags-in-information-governance-programs, and the text of the article is reproduced here:


CFO Magazine Highlights Cost of Safeguards in Article on McKinsey Research: The Rising Strategic Risks of Cyber Attacks

Earlier this month, we commended to your attention the referenced McKinsey Research, which CFO Magazine has picked up in its online May 16, 2014, weekly briefing at http://ww2.cfo.com.  I revisit the McKinsey Research in this article because it has an important statement regarding the costs of security measures, which bears on the Flexibility of Approach general requirements for complying with the HIPAA Security Rule at 45 CFR 164.306(b):


OCR Imposes $4.8 million in Financial Penalties on Two Healthcare Organizations to Resolve HIPAA Noncompliance Issues

The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced on Wednesday, May 7, 2014, resolution and settlement of HIPAA noncompliance issues resulting from an investigation of a joint breach report, dated September 27, 2010, submitted by New York and Presbyterian Hospital and Columbia University Medical Center, concerning an impermissible disclosure of electronic protected health information (ePHI).  The HHS/OCR news release regarding these resolutions is available at www.hhs.gov/news/press/2014pres/05/20140507b.html.


How to Manage Passwords: A Cautionary Tale

HIPAA Safeguard commends to the attention of Security Officials of covered entities and business associates and to individual workforce members of those organizations the May 6, 2014, Wall Street Journal article entitled:  “The Best Way to Manage All Your Passwords:  Rating Secure Password Managers Dashlane, LastPass, 1Password, PasswordBox,” which is online at:  http://online.wsj.com/news/articles/SB10001424052702303647204579545801399272852?mod=WSJ_article_EditorsPicks.   Under the HIPAA Security Rule, the Security Official is responsible for implementing policies and procedures—based on findings from a risk analysis—for managing passwords under the Administrative Safeguard Security Awareness and Training standard:

McKinsey Quarterly Article Discusses The Rising Strategic Risks of Cyberattacks

HIPAA Select calls your attention to this important May 2014 article by Tucker Bailey, Andrea Del Miglio, and Wolf Richter entitled:  “The rising strategic risks of cyberattacks:  Research by McKinsey and the World Economic Forum points to a widening range of technology vulnerabilities and potentially huge losses in value tied to innovation.”  The article is available online at: 

ONC Provides Security Risk Assessment Tool: (3)—Technical Safeguards

The Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services (HHS) has created a Security Risk Assessment Tool in three parts—Administrative Safeguards, Physical Safeguards, and Technical Safeguards, totaling 436 pages.  Technical Safeguards is the third of three postings on these safeguard tools, is 140 pages in length, and can be downloaded at:  http://www.healthit.gov/providers-professionals/security-risk-assessment-tool by clicking on:  Technical Safeguards [DOCX 240 KB] just above the disclaimer at the bottom of the page.

ONC Provides Security Risk Assessment Tool: (2)—Physical Safeguards

The Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services (HHS) has created a Security Risk Assessment Tool in three parts—Administrative Safeguards, Physical Safeguards, and Technical Safeguards, totaling 436 pages.  Physical Safeguards is the second of three postings on these safeguard tools, is 104 pages in length, and can be downloaded at:  http://www.healthit.gov/providers-professionals/security-risk-assessment-tool by clicking on:  Physical Safeguards [DOCX 225 KB] just above the disclaimer at the bottom of the page.

