• 10Feb
    Author: ben Categories: IT Management, Security Comments: 0

    We wrote about the HITECH act and its impact on business associates a little less than a year ago. By February 18, business associates are required to:

    • Comply with the HIPAA security and privacy rules
    • Provide medical information breach notifications
    • Work with the Department of Health and Human Services to perform compliance audits as requested
    • Train employees on HIPAA and its requirements for business associates

    BAs, I hope you’re taking note. Violations can incur fines for as much as $1.5 million per year and, in the most serious circumstances, may include prison time. According to HITECH, DHHS audits are also mandatory beginning 2/18/2010. (See sections 13410 and 13411).

    Most of the associates that I’m familiar with haven’t made many changes in the past year to improve HIPAA compliance. So what should any self-respecting business associate, now subject to these somewhat draconian and certainly expensive rules, do to avert heavy fines and lost productivity? Avoid becoming a business associate at all costs.

    First, re-evaluate whether the business truly qualifies as an associate. In the past, business associate agreements (BAAs) had very few directly applicable requirements, and those that were in place were rarely or never audited and enforced. Businesses should no longer haphazardly sign BAAs when they aren’t strictly necessary.

    If the business has determined that they are indeed an associate, what can be changed to eliminate that status? If there isn’t a dire business need for access to medical records, but they’re being collected incidentally, eliminate that dependency and escape the compliance game. Of course, most health care organizations don’t freely distribute health records, and most organizations don’t want them unless they need them.

    If the business is resigned to being an associate subject to HIPAA courtesy of HITECH, it’s time to get to work. Start at www.hipaasurvivalguide.com, an excellent resource for learning the regulation and applying its teachings.

    And never forget the old proverb (that I’m making up right now): more regulation always improves security. Emphasis added.

  • 21Apr
    Author: ned Categories: Infrastructure, Security Comments: 2

    The smart folks over at Amazon Web Services just published a new white paper titled Creating HIPAA-Compliant Medical Data Applications. I’m a strong believer that it is possible to deploy Internet applications as securely “in the cloud” as in a private data center somewhere, and vendor documentation like this goes a long way toward helping others grasp this reality.

    One weakness is that the white paper barely mentions encrypting data at rest. Here’s their accurate but incredibly concise statement:

    HIPAA’s Privacy Rule regulations include standards regarding the encryption of all PHI in transmission (“in-flight”) and in storage (“at-rest”). The same data encryption mechanisms used in a traditional computing environment, such as a local server or a managed hosting server, can also be used in a virtual computing environment, such as Amazon EC2 and Amazon S3.

    Their blog post mentions some software libraries and commercial tools for achieving encryption at rest, but generally leaves any implementation for you to figure out. There are encryption recommendations for software developers and end users, but not for system administrators (aren’t we their key demographic?). Never fear – encrypting your data at rest is easy with Linux! There are many ways to achieve encryption of data when it is stored on disk, but whole-volume encryption is often appealing because it can be implemented completely transparently to the application.

    One of the best tools for securing your data “at-rest” while it is stored on Amazon’s Elastic Block Store (EBS) is dm-crypt. It’s already built into most modern Linux kernels, and gives you extra confidence that no one else could read your EBS volumes. Anyone who’s thinking of deploying any app that stores sensitive information (in “the cloud” or in your data center) should consider implementing dm-crypt on their Linux servers. Below are instructions for creating and using an EBS volume which is protected by dm-crypt encryption…
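As an added example (not code from the original post, and not from AWS or the dm-crypt project), the shell script below performs the transparent whole-volume setup the paragraph describes: it LUKS-formats the raw EBS block device with cryptsetup, opens it as a dm-crypt mapping under /dev/mapper, puts an ext4 filesystem on the mapping and mounts it, so the application only ever sees an ordinary mount point. The device name /dev/xvdf, the mapping name, the mount point and the key file path are assumptions; DRY_RUN=1 prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post, AWS or dm-crypt): put a
# dm-crypt/LUKS encrypted filesystem on an EBS volume attached to a Linux
# instance. Assumes cryptsetup is installed, the script runs as root, and the
# volume is attached as a block device such as /dev/xvdf (assumed device name).
# DRY_RUN=1 prints each privileged command instead of executing it.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# Generate a 4096-byte random key file readable only by root. The key file lives
# on the root volume: anyone who can read it can unlock the data volume, so it is
# the piece to protect (and to back up somewhere other than the instance).
make_keyfile() {
  keyfile=$1
  ( umask 077; head -c 4096 /dev/urandom > "$keyfile" )
  chmod 0400 "$keyfile"
}

# One-time setup: LUKS-format the raw device, open it as /dev/mapper/NAME,
# create a filesystem on the mapped device, and mount it.
ebs_luks_create() {
  dev=$1; name=$2; mountpoint=$3; keyfile=$4
  if [ "${DRY_RUN:-0}" != "1" ]; then
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    # Refuse to destroy an existing filesystem or LUKS header unless FORCE=1.
    if blkid "$dev" >/dev/null 2>&1 && [ "${FORCE:-0}" != "1" ]; then
      echo "$dev already carries a signature; set FORCE=1 to overwrite" >&2
      return 1
    fi
  fi
  [ -e "$keyfile" ] || make_keyfile "$keyfile"
  run cryptsetup luksFormat --batch-mode --cipher aes-xts-plain64 --key-size 512 "$dev" "$keyfile"
  run cryptsetup luksOpen --key-file "$keyfile" "$dev" "$name"
  run mkfs.ext4 -q "/dev/mapper/$name"
  run mkdir -p "$mountpoint"
  run mount "/dev/mapper/$name" "$mountpoint"
}

# After a reboot the EBS volume is still attached but the dm-crypt mapping is
# gone; re-create the mapping from the key file and mount the filesystem.
ebs_luks_open() {
  dev=$1; name=$2; mountpoint=$3; keyfile=$4
  run cryptsetup luksOpen --key-file "$keyfile" "$dev" "$name"
  run mount "/dev/mapper/$name" "$mountpoint"
}

# Unmount and drop the mapping; the volume can then be detached or snapshotted
# and everything stored on it stays ciphertext.
ebs_luks_close() {
  name=$1; mountpoint=$2
  run umount "$mountpoint"
  run cryptsetup luksClose "$name"
}

# Usage (as root):
#   ./ebs-luks.sh create /dev/xvdf data /mnt/data /root/ebs.key
#   ./ebs-luks.sh open   /dev/xvdf data /mnt/data /root/ebs.key
#   ./ebs-luks.sh close  data /mnt/data
case "${1:-}" in
  create) ebs_luks_create "$2" "$3" "$4" "$5" ;;
  open)   ebs_luks_open "$2" "$3" "$4" "$5" ;;
  close)  ebs_luks_close "$2" "$3" ;;
  *)      ;;  # no arguments: only define the functions so the file can be sourced
esac
```

The mapping does not survive a reboot, so the open step (or an equivalent crypttab/fstab entry) has to run before the application starts. The encryption only buys as much as the key file is worth: if the key sits unprotected next to the data on the same instance, a compromise of the instance yields both, which is the trade-off of fully unattended unlocking.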

    Read more »

  • 12Mar
    Author: ben Categories: IT Management, Security Comments: 0

    If you haven’t been paying attention, now is a good time to start. The recently passed American Recovery and Reinvestment Act of 2009 adds stunning, strict new provisions to the already-stringent federal health care legislation, HIPAA. In particular, the changes include:

    • Serious ramifications for business associates, or organizations that have signed agreements with health care organizations to handle patient data. Business Associates are now directly subject to the HIPAA Privacy and Security rule, and must implement all the safeguards employed by fully covered entities. The agreements themselves must be revised, a significant effort for most medium- to large-sized health care organizations.
    • New data breach notification requirements. Any protected health information (PHI) that has been compromised (accessed or disclosed, essentially) and is not encrypted must be disclosed to the affected individual and the Department of Health and Human Services. Breaches affecting 500 or more individuals must also be reported to the media.
    • Increased enforcement and auditing abilities. The DHHS will now be required to perform a formal investigation if a HIPAA complaint is received. Penalties for violations are also increased.
    • Accounting for treatment, payment, and health care operations for patients that request it. This might seem innocuous on the surface, but most large health care institutions face significant challenges with understanding the full footprint of a patient’s health record. The change will create significant administrative burdens, new technical projects, and serious revisions to policies and procedures within and outside of IT.

    These changes seem to have taken the compliance industry by surprise. Few blogs, even those focused on HIPAA, have any analysis. At the time of this writing, Wikipedia neglects to mention the HITECH Act section of the stimulus package that includes the sweeping changes (only a vague $19 billion reference to “health information technology”). This article covers the changes in some detail. In-depth analysis here.
