Encryption is 'Get Out of Jail Free' Card
Earning an exemption from breach notification requirement
When it comes to reporting data security breaches, healthcare organizations have the equivalent of a "get out of jail free" card, says consultant Tom Walsh.
Hospitals, physician group practices, health plans and others that appropriately encrypt electronic health records and other personal healthcare information will not have to report breaches because the data is presumed to be secure and unreadable, Walsh notes. He's president of Tom Walsh Consulting LLC, an Overland Park, Kan.-based firm specializing in healthcare data security issues.
Title XIII of the American Recovery and Reinvestment Act, also known as the HITECH Act, includes tougher privacy and security standards for healthcare organizations and their business associates than those included in the original rules under the Health Insurance Portability and Accountability Act.
The HITECH Act spells out when healthcare organizations or their business associates must report a data security breach. But the Act specifies encrypted information is exempt from the data breach reporting requirement, Walsh stresses.
Data encryption, however, must meet the NIST Federal Information Processing Standard (FIPS) 140-2, Walsh notes. And, unfortunately, many healthcare software companies that sell clinical applications do not yet routinely offer encryption of their databases, he contends. Some vendors argue that their databases' "proprietary formats" render them secure, the consultant adds. But information stored in those proprietary formats is considered unsecured under the HITECH Act, he notes.
Adopting encryption is a small price to pay to help ensure security, especially relative to the cost of reporting a security breach, the consultant stresses. For example, a hospital would have to send out a first-class letter to any patients who might have been affected by a breach. And if 10 of those letters are returned for a bad address, the hospital must then post notification of the breach on its home page and offer a toll-free breach information number for 90 days. "And none of that is cheap," Walsh says.
The interim final rule on data security breach notification, issued April 17, 2009, allows health care organizations to determine whether a particular data security breach presents "significant risk" and thus needs to be reported. As a result, healthcare organizations must "create a well-defined risk analysis process" to help them determine which breaches to report, Walsh says. "Now is the time to get that done."
The U.S. Department of Health and Human Services' Office of Civil Rights will begin enforcing the data breach reporting rule on Feb. 22, 2010. Plus, HHS will be conducting audits of healthcare organizations to make sure they're keeping data secure.
As a result of funding provided under the HITECH Act, HHS is hiring more auditors to check on healthcare organizations' security policies, Walsh notes.
Auditors will check on such details as whether the organization has a risk analysis process, he adds. But they'll go even further. "In the security audits conducted so far, auditors have asked for things like the latest results of a network vulnerability scan or a network penetration test," Walsh says. "There's nothing in HIPAA that requires these, but the auditors have an expectation that covered entities, like hospitals, can present evidence that they are doing these scans and tests."
Data security tips
Walsh offers healthcare organizations other data security tips, including:
- Make sure the chief security officer focuses on "helping the organization make informed business decisions. Most don't do a very good job of communicating to management what the security risks are."
- When buying new healthcare applications "make sure there are certain security criteria built into the system before you purchase it, rather than spending a lot of money on the backend securing it. It costs a lot more money to add security later."
- When working with business associates to make sure they're preparing to comply with the data breach reporting rule, make sure contracts are rewritten or amended to specify when breaches have to be reported, who receives the reports and how the reports are delivered (avoid e-mail).
Walsh will be one of the speakers at an all-day "ARRA Privacy and Security Workshop" Feb. 28 before the Healthcare Information and Management Systems Society Convention in Atlanta.