Under ARRA, covered entities and their business associates are now compelled to disclose breaches of protected health information (PHI) to the Secretary of Health and Human Services (HHS). If the breach involves 500 or more individuals the notification must be immediate. If less, a log must be kept of all breaches and submitted annually to HHS. HHS will then post on their website a list of all organizations which had a breach, the nature of the breach and the number of people involved.
The organization must also attempt to make individual notifications to those affected. If the breach involves 500 or more individuals or just TEN individuals for whom there is no current contact information, the notifications must also include broadcasts through mass media in the markets where people are affected.
The one get-out-of-jail-free card that was granted is for PHI which is rendered unusable, unreadable or indecipherable. In the past many organizations believed they could anonymize data and it would be safe. Typically, though, in order to truly anonymize data you have to strip out so much relevant information that the remaining data is no longer useful for any sort of analytical purpose. So…unusable is out.
What about unreadable and indecipherable? Encryption seems to be our only real option at this point. HHS will soon be releasing the final guidance on this topic, but I don't expect anything earth-shattering. There has been lots of press over the past few years regarding the encryption of data both at rest and in motion. I'm a big proponent of both. Should you lose a laptop and the hard drive is fully encrypted, you're covered. No breach. If someone attacks a database server and your database tables are encrypted, you're probably covered there too. However, if the web application which accesses the database is breached, you are up that proverbial creek without a paddle.
At some point in every process or application we need data to be readable. Otherwise why would we need it in the first place? By encrypting data in motion or at rest all we are doing is funneling the attacks to one focal point. Our applications. They must be secured. They are the key weakness in this new equation. We can implement SSL for the socket connections and encrypt a hard drive or database table but if our applications are weak, we're toast.
Application security has grown by leaps and bounds over the past several years. The problem is we continue to see the same mistakes in code. Buffer overflows, unvalidated input, unprotected file access and other flaws continue to get written into our applications. Applications must go through a more rigorous security testing process, whether they are written by a team of a thousand over the course of years or a team of two over a case of Red Bull. Oh…and we need to be teaching security at our colleges and universities, but that's a topic for another day.
If we have any hope of protecting our data we must secure our applications. While encryption and other security technology will prevent data leakage or theft in some instances, they can't protect against leakage or theft that happens through the approved applications themselves. We can, and should, do more.
Are you a business associate of a covered entity as defined by HIPAA? If so, you need to read the following excerpt from the American Recovery and Reinvestment Act.
PART 1—IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS
SEC. 13401. APPLICATION OF SECURITY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES; ANNUAL GUIDANCE ON SECURITY PROVISIONS.
(a) APPLICATION OF SECURITY PROVISIONS.—Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.
(b) APPLICATION OF CIVIL AND CRIMINAL PENALTIES.—In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security
Do I have your attention now?
For the past 6 years only covered entities such as physicians, health plans or healthcare information clearinghouses were required to comply with the infamous HIPAA security and privacy rules. Organizations that may have had access to protected health information (PHI) but were not covered entities (CE) were not required to follow HIPAA standards. Most business associate agreements (BAA) stated only that the BA would protect the information they obtained from or managed on behalf of a CE with due diligence. ARRA has changed the rules of the game. I'm actually surprised it took this long.
If you are a business associate of a covered entity then you need to prepare to take on some additional risk. Now that a BA is legally bound to the same standards, sanctions and fines for deficiencies are a new reality. Hopefully your business model was to comply with HIPAA from the onset knowing this day would come. If so, great. If not, you will be playing catch up for quite some time.
While there will surely be a ramp-up period before heavy enforcement begins, you can be sure there are some examples to be made. Don't be one of them. Get your business leadership together and review your risk assessments, control standards and overall security posture. Even having a nightmare story to tell an auditor who shows up unexpectedly will go over a lot better than no story at all. Guaranteed.
I'm not a huge baseball fan who lives for the sport. I played little league and one season in high school. As an adult I've played men's league slow pitch softball for years. Mostly just for the exercise and to hang out with friends. For me personally, the game itself just doesn't elicit the response that football or basketball does. I do however love to see a classic duel between a pitcher's pitcher and a hitter's hitter. The way they stare each other down, size each other up, try to anticipate the pitch or swing. The sequence might go something like this.
Curveball, high and inside. BALL 1.
Swing and a miss at a fastball down the center. STRIKE 1.
Off speed change up down and away. BALL 2.
Foul tip into the stands. STRIKE 2.
Curveball just outside the zone. BALL 3.
The home plate umpire yells…FULL COUNT.
This is it. Down to 1 pitch, 1 swing. Pressure is on both parties to perform at their peak. Who's gonna flinch?
I feel this is where most organizations are with the federal government in regards to information security. Staring down a full count. They've pitched us some curveballs like SOX and some dead-on heat like HIPAA. We've sat back and taken a couple of pitches to see what Uncle Sam's arm is like. We've swung at a few but only gotten a piece of it. Or maybe we've driven it deep but slightly foul. We're staring down a full count with Uncle Sam. If we (Corporate America) don't start taking information security and privacy more seriously and knock one out of the park, Uncle Sam is going to throw a 102 MPH fastball down the pipe and we'll "go down lookin'" as they say. The writing is on the wall. Just look at some changes "hidden" in the 1000+ pages of the American Recovery and Reinvestment Act (ARRA) of 2009.
It has some interesting implications for the health care industry. Previously, the HIPAA privacy and security regulations only applied to covered entities. These were typically health care providers and payers such as hospitals, physicians, health insurance plans and health information clearinghouses. Business associates (BA) who had access to the data via a covered entity simply had to agree to protect the data in a similar fashion but weren't specifically bound by HIPAA. Nor could they be penalized under HIPAA for a data breach.
The ARRA has something called the Health Information Technology for Economic and Clinical Health (HITECH) provisions which will expand data privacy and security as defined under HIPAA. HHS is in the process of rolling out new guidance which is expected to significantly broaden the reach of data security and privacy for the health care industry. This will include forcing business associates of a covered entity to be bound by HIPAA rules and regulations, as well as increasing penalties and allowing states to enforce some of the penalties. HHS will be releasing their new HITECH regulations sometime this month, so over the next week I'll provide some guidance on what to expect.