As HIMSS’ Privacy and Security content staff person, I get lots of e-mails from HIMSS members and non-members alike. I’ve worked at HIMSS for four years and was previously a security consultant working exclusively in healthcare in multiple roles for about 10 years. Not since the beginning of the HIPAA era have I seen so many questions about privacy and security.
Today, I will attempt to provide a quick and useful FAQ for those of you with those privacy and security questions. Along with that, I give you my pledge that I will do my best to help by continuing to answer your questions in this forum. So, respond to this blog posting and I’ll get your questions answered.
Here we go – with the Top 5 Security Questions, based on Lisa Gallagher’s unscientific, but informed ranking. I’ve included 3 questions today and will conclude tomorrow with the final 2 of my Privacy and Security FAQs.
1. What new privacy and security laws were contained in ARRA?
ARRA/HITECH - On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act (ARRA) of 2009, H.R. 1. The Health Information Technology for Economic and Clinical Health Act (HITECH Act) section of the ARRA bill contains a section on Privacy that covers the provisions listed in the table below. The table also captures the current status of rulemaking for these provisions.
| HITECH Privacy/Security Statutory Provisions | Summary: This Provision… | Status |
|---|---|---|
| New HIPAA Business Associates | ensures that new entities that were not contemplated when HIPAA was written (such as PHR vendors, RHIOs, HIEs, etc.) are subject to the same privacy and security rules as providers and health insurers, by requiring Business Associate contracts and treating these entities as Business Associates under HIPAA. It also specifies that Business Associates will be directly covered by the HIPAA Security and Enforcement Rules and by some provisions of the HIPAA Privacy Rule. | This statutory provision requires changes to one or more HIPAA rules. The associated proposed changes can be found in the following Notice of Proposed Rulemaking (NPRM) published by HHS on July 14, 2010: Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the HITECH Act |
| Sale/Marketing of Protected Health Information (PHI) | provides new restrictions on marketing using PHI and on the circumstances under which an entity can receive remuneration for PHI. | Same as above |
| Access | provides an individual the right to have access to certain information about them in electronic format. | Same as above |
| Limited Data Set/Minimum Necessary | requires CEs to limit the use and disclosure of PHI to a limited data set, or, if needed, to the “Minimum Necessary” to accomplish the purpose of the use or disclosure. | Same as above |
| Enforcement/Penalties | contains several provisions that are aimed at increasing civil and criminal consequences for violating HIPAA as well as providing for increased enforcement activities. | Same as above |
| Breach Notification | establishes a federal security breach notification requirement for breaches of health information that has not been made indecipherable. It requires that an individual be notified if there is an unauthorized access, disclosure or use of their health information. | HITECH requires separate rulemaking to implement this provision. HHS has published the following Interim Final Rule (IFR) for this provision, which remains in effect until a Final Rule is published: Breach Notification for Unsecured Protected Health Information; Interim Final Rule |
| Accounting of Disclosures | gives patients the right to request an accounting of disclosures of their health information made through an electronic health record. | HITECH requires separate rulemaking to implement this provision. HHS has not yet published any documents relating to this provision. |
2. What is the “HIPAA NPRM?”
The recently released Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the HITECH Act is a draft document that reflects the proposed changes to the HIPAA Privacy, Security and Enforcement Rules that are required by the statutory provisions in the HITECH Act (see the table above). This document is available for public comment until September 14, 2010.
3. Once and for all, is encryption required by HIPAA?
No. The final HIPAA Security Rule made the use of encryption an “addressable” implementation specification. See 45 CFR §§ 164.312(a)(2)(iv) and 164.312(e)(2)(ii).
- In HIPAA, an addressable specification must be implemented only if the entity has determined, through its security risk assessment, that the specification is a reasonable and appropriate safeguard in its environment.
- If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate.
- Or, if the standard can otherwise be met, the Covered Entity (CE) may choose not to implement the implementation specification or any equivalent alternative measure.
With the advent of the HITECH Act, the new Breach Notification provision requires HIPAA CEs to notify affected individuals, and requires Business Associates (BAs) to notify CEs, following the discovery of a breach of unsecured protected health information (PHI).
The HITECH Act defines “unsecured protected health information” to mean PHI that is not secured through the use of a technology or methodology specified by the Secretary of HHS in guidance.
HHS issued a guidance document on this topic in April 2010. It can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreachrfi.pdf
Essentially, this means that a Covered Entity or Business Associate may be relieved of the requirement to notify regarding a breach if it has secured the data using one of the methods specified in the guidance document, one of which is encryption (subject to the associated requirements).
Taking all of this information together, encryption is not strictly required.
Check my post tomorrow for my final 2 questions on privacy and security.

The way I understand section 164.312(a)(2)(iv) (technical), encryption-at-rest of PHI is addressable and therefore is advisable in certain risk scenarios.
If you do encrypt, it’s one of the only ways you can exempt your organization from breach notification rules, which can be cumbersome if you’re found guilty of a breach (intentional or otherwise).
Also, section 164.312(e)(1) (technical) suggests you should encrypt in-motion, which is always a good idea and will help exempt you from breach notification if PHI leaks from one of your transmissions (email, web uploads, etc.).
Thanks for your comment, Todd. This reinforces, and perhaps even more clearly states, what we said above!
Lisa,
As usual you have done an excellent job of cutting to the meat. However, I think you have left the current questions not fully closed.
I think that Todd helped you out with the encryption of data-at-rest. This is indeed addressable, and encryption does relieve the CE of reporting requirements. But there is also the ‘other’ method that is not spoken about… thus leading to the same misconception that encryption is de facto mandatory.
The other little help to your readers… is that #2 is indeed the thing you kept referencing in item #1, column 3… Ok, many of your readers know this, but I am guessing they didn’t need your FAQ. So actually #2 is really the completion of item #1… Right?
John
Hi John -
Thanks for jumping in!
On the first point, I think we agree that there is a frequent misconception that encryption is required under current law. I urge readers to read the HHS guidance document that I reference.
On your second point, yes, the HIPAA NPRM is the document that I referenced in the table in question 1. Oftentimes, this is the simple question I receive – “what is the HIPAA NPRM?” Since it ranked very high on my list of questions received, I included it.
Stay tuned – my final two questions tomorrow! Be sure to weigh in.
And, if any of you have additional questions you’d like answered, please post here!