Unsecured protected health information is defined as: “protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under [the HITECH Act]” [45 CFR 164.402, at 78 Federal Register 5695, January 25, 2013]. That Guidance, included in the Breach Notification Interim Final Rule published in the Federal Register on August 24, 2009 [74 Federal Register 42740-42770], specifies “the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,” including appropriate encryption for securing PHI at rest and PHI in motion, and appropriate ways to destroy PHI in electronic or hard copy format when destruction is the chosen method. The Guidance is readily available online from the Office for Civil Rights (OCR) at: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html.
On May 14, 2014, the Secretary of Health and Human Services (HHS) approved, and the Centers for Medicare & Medicaid Services (CMS) released, standards pertaining to the privacy and security of personally identifiable information in a Final Rule entitled: Patient Protection and Affordable Care Act; Exchange and Insurance Market Standards for 2015 and Beyond. This document will be published in the Federal Register on Tuesday, May 27, 2014, but is available for public inspection now at: https://www.federalregister.gov/public-inspection/search?conditions%5Bterm%5D=RIN+0938-AS02. The effective date is July 28, 2014, except for amendments to 45 CFR 155.705 [Functions of a Small Business Health Options Program (SHOP)] that are effective on the date of publication in the Federal Register.
The May 22, 2014, Wall Street Journal discusses the enduring computer “password” in the article referenced in the title, which is available online at: http://online.wsj.com/news/articles/SB10001424052702303851804579557821243874870?mg=reno64-wsj. The article states: “[d]espite data breaches and warnings from security experts, people cling to easy-to-remember passwords and often use the same ones for many accounts.”
On May 20, 2014, iHealthBeat, a service of the California HealthCare Foundation, published preliminary results from a survey conducted by the American Health Information Management Association (AHIMA) in an article entitled: “Survey: Health Care Sector Lags in Information Governance Programs.” The article is available online at: http://www.ihealthbeat.org/articles/2014/5/20/survey-health-care-sector-lags-in-information-governance-programs, and the text of the article is reproduced here:
Earlier this month, we commended to your attention the referenced McKinsey Research, which CFO Magazine has picked up in its online May 16, 2014, weekly briefing at http://ww2.cfo.com. I revisit the McKinsey Research in this article because it contains an important statement regarding the costs of security measures, a factor that the Flexibility of Approach general requirements for complying with the HIPAA Security Rule direct covered entities and business associates to take into account at 45 CFR 164.306(b):
The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced on Wednesday, May 7, 2014, resolution and settlement of HIPAA noncompliance issues resulting from an investigation of a joint breach report, dated September 27, 2010, submitted by New York and Presbyterian Hospital and Columbia University Medical Center, concerning an impermissible disclosure of electronic protected health information (ePHI). The HHS/OCR news release regarding these resolutions is available at www.hhs.gov/news/press/2014pres/05/20140507b.html.
HIPAA Safeguard commends to the attention of Security Officials of covered entities and business associates and to individual workforce members of those organizations the May 6, 2014, Wall Street Journal article entitled: “The Best Way to Manage All Your Passwords: Rating Secure Password Managers Dashlane, LastPass, 1Password, PasswordBox,” which is online at: http://online.wsj.com/news/articles/SB10001424052702303647204579545801399272852?mod=WSJ_article_EditorsPicks. Under the HIPAA Security Rule, the Security Official is responsible for implementing policies and procedures—based on findings from a risk analysis—for managing passwords under the Administrative Safeguard Security Awareness and Training standard:
HIPAA Select calls your attention to this important May 2014 article by Tucker Bailey, Andrea Del Miglio, and Wolf Richter entitled: “The rising strategic risks of cyberattacks: Research by McKinsey and the World Economic Forum points to a widening range of technology vulnerabilities and potentially huge losses in value tied to innovation.” The article is available online at:
The Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services (HHS) has created a Security Risk Assessment Tool in three parts—Administrative Safeguards, Physical Safeguards, and Technical Safeguards, totaling 436 pages. Technical Safeguards is the third of three postings on these safeguard tools, is 140 pages in length, and can be downloaded at: http://www.healthit.gov/providers-professionals/security-risk-assessment-tool by clicking on: Technical Safeguards [DOCX 240 KB] just above the disclaimer at the bottom of the page.
The Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services (HHS) has created a Security Risk Assessment Tool in three parts—Administrative Safeguards, Physical Safeguards, and Technical Safeguards, totaling 436 pages. Physical Safeguards is the second of three postings on these safeguard tools, is 104 pages in length, and can be downloaded at: http://www.healthit.gov/providers-professionals/security-risk-assessment-tool by clicking on: Physical Safeguards [DOCX 225 KB] just above the disclaimer at the bottom of the page.