
Author: Michael D. Paquin, FHIMSS
Article Date: 10/25/2010
Challenges and Forces Driving Adoption
Of Health Information Technology and
Electronic Healthcare Records
Michael D. Paquin, FHIMSS
The Health Information Technology for Economic and Clinical Health Act, or HITECH Act, went into full force in February 2010. This article focuses on its provisions for “breach notification” enforcement. It is important to know what is being enforced and how to protect patient data.
HITECH explicitly defines a security breach as “the unauthorized acquisition, access, use, or disclosure of protected health information (PHI) which compromises the security or privacy of such information”. If the PHI is not secured, then a notification must be made. Electronic PHI is considered secured if the data has been encrypted per the National Institute of Standards and Technology (NIST) regulation. Paper and film must be shredded or destroyed prior to disposal. Spoken PHI is considered unsecured.
Following a breach of unsecured PHI, the Covered Entity (CE) must notify the following parties:

| Party | Notification requirement |
| --- | --- |
| Impacted Individuals | Written notice must be provided to all individuals, without unreasonable delay and in no case later than 60 days after discovery. |
| Public Media | If more than 500 individuals in a state or jurisdiction are impacted, notice must be provided through prominent media outlets. |
| Health and Human Services (HHS) | More than 500 impacted individuals: HHS identifies the CE on its website. Fewer than 500 impacted individuals: the CE logs the breach and provides an annual log to HHS within 60 days of the end of the calendar year. |
To claim that lost or stolen electronic PHI was secured, the CE must prove that the breach poses no significant risk of financial, reputational or other harm to the individual. Failure to notify carries steep penalties, from tens to hundreds of thousands of dollars.
The NIST regulation does specifically define how electronic PHI must be secured. Unfortunately it is a complex document, so here are the salient points:
1) Any data encryption solution must be certified to the federal FIPS 140-2 standard.
2) All electronic files on the media that contain PHI must be encrypted (note: this includes back-ups).
3) A record is needed after the fact indicating that the encryption was deployed and functional prior to the breach.
4) The password used in the encryption cannot be easily guessed or identified – i.e. not written on the underside of the laptop.
Any solution used to protect electronic PHI must be able to do the following:
1) Be listed among the certified products on the FIPS 140-2 Validated Products list.
2) Encrypt all files.
The recommended method is Full Disk Encryption (FDE) of the hard drive and of USB flash drives. Don’t forget that deletion typically does not remove the PHI.
3) Produce a report from a central audit server showing the device was encrypted before it was lost or stolen.
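The following is an added example, not code from the article or from any product it describes. It shows the kind of after-the-fact check a central audit server would have to support: for a lost device, find the last audit record of each PHI-bearing volume (including backup media) before the loss, confirm it shows encryption by a FIPS 140-2 validated module, and derive the notification obligations from the article's table. The device IDs, volume names, module names and audit events are constructed sample data.

```python
# Constructed audit events as a hypothetical central encryption-audit server might store them:
# (device_id, ISO-8601 timestamp, volume, state, encryption module, FIPS 140-2 validated?)
AUDIT_EVENTS = [
    ("LAP-0419", "2010-06-01T09:00:00", "os-disk",    "encrypted", "ExampleCrypt 3.1", True),
    ("LAP-0419", "2010-06-01T09:05:00", "backup-usb", "encrypted", "ExampleCrypt 3.1", True),
    ("LAP-0420", "2010-06-02T10:00:00", "os-disk",    "encrypted", "ExampleCrypt 3.1", True),
    ("LAP-0420", "2010-06-03T11:00:00", "os-disk",    "decrypted", "ExampleCrypt 3.1", True),
    ("LAP-0421", "2010-06-04T08:00:00", "os-disk",    "encrypted", "HomebrewCrypt 0.9", False),
]

def secured_at(events, device_id, volumes, loss_time):
    """Return (secured, reasons). Secured only if, for every PHI-bearing volume,
    the latest audit record before loss_time shows it encrypted by a FIPS-validated module.
    Timestamps share one ISO format, so string comparison orders them correctly."""
    reasons = []
    for vol in volumes:
        prior = [e for e in events if e[0] == device_id and e[2] == vol and e[1] <= loss_time]
        if not prior:
            reasons.append(f"{vol}: no audit record before loss")
            continue
        last = max(prior, key=lambda e: e[1])
        if last[3] != "encrypted":
            reasons.append(f"{vol}: last recorded state was {last[3]}")
        elif not last[5]:
            reasons.append(f"{vol}: module {last[4]} is not FIPS 140-2 validated")
    return (not reasons, reasons)

def notifications(secured, per_state_counts):
    """List the HITECH notices triggered by a breach of unsecured PHI.
    per_state_counts maps state/jurisdiction -> number of impacted individuals.
    The article states the thresholds as >500 and <500; exactly 500 is treated here as the
    smaller case (an assumption of this example, not a statement from the article)."""
    if secured:
        return []  # secured PHI: no breach notification required
    notices = ["individuals: written notice within 60 days of discovery"]
    media_states = sorted(s for s, n in per_state_counts.items() if n > 500)
    if media_states:
        notices.append("media: prominent outlets in " + ", ".join(media_states))
    if sum(per_state_counts.values()) > 500:
        notices.append("HHS: notify; CE identified on HHS website")
    else:
        notices.append("HHS: log breach; annual log within 60 days of calendar year end")
    return notices
```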
Meeting HITECH is now a necessity. If there is no operational encryption solution in place today, then one must be deployed. Even if there is, it must be reviewed to ensure that it meets the new demands of HITECH.