The OCR, which enforces the HIPAA Privacy and Security Rules, opened its investigation of RAC after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. These incidents were reported as occurring in a variety of cities across the United States. Rite Aid pharmacy stores in several of the cities were highlighted in media reports.
If the past week is any indication, and I’m afraid it is, health care companies are doing an abysmal job at protecting personal health care data. This evening the Colorado Department of Health Care Policy and Financing announced that state officials discovered an unauthorized removal of a computer hard drive from the state’s Office of Information Technology Department: The information did NOT include addresses, dates of birth, social security numbers or any other financial information that could be used for identity theft. It included name, state ID number and the name of the client’s program. Approximately 111,000 clients, or one-fifth of those receiving public health insurance, will receive notification by first-class mail, as required by HIPAA.
This week Visa Inc. said it’s going to reduce unnecessary storage of sensitive card information in merchant payment systems. Specifically, Visa is clarifying that existing operating regulations ensure acquirers and issuers allow merchants to present a truncated, disguised or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number.
“By reducing the amount of vulnerable data in merchant systems that must be protected from compromise, merchants can see greater security as well as more streamlined compliance needs,” said Visa’s Eduardo Perez, head of global payment system security, in a statement.
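The truncation Visa describes, as an added example that is not Visa's or the original post's code: a receipt-style PAN mask that leaves only the last four digits, plus a check a merchant could run over receipt text to find full card numbers that were never masked. A Luhn check filters out ordinary numbers of similar length (order IDs, auth codes); the receipt line and the card numbers in it are constructed test values, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally split by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample receipt text: one Luhn-valid card number and one
# 16-digit order number that is not a valid PAN.
RECEIPT = "Receipt 2010-07-27 card 4111 1111 1111 1111 order 4111111111111112 auth 12345"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Receipt-style truncation: only the last `keep_last` digits stay visible."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid candidate PAN in free text with its masked form."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


def contains_unmasked_pan(text: str) -> bool:
    """Detection check: does any Luhn-valid full card number remain in the text?"""
    return any(luhn_valid(re.sub(r"\D", "", m.group(0)))
               for m in PAN_RE.finditer(text))


if __name__ == "__main__":
    print(redact_pans(RECEIPT))
    print("unmasked PAN present after redaction:", contains_unmasked_pan(redact_pans(RECEIPT)))
```

Running the same check over stored receipts or logs before and after redaction shows whether full PANs are still being retained, which is the exposure Visa's statement is about.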
Connecticut Attorney General Richard Blumenthal has announced that his office has reached a settlement with health insurance company Health Net over a failure to secure patient information on almost a half-million state enrollees, and subsequent failure to promptly notify consumers about the breach. The settlement involves Health Net of the Northeast Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans.
# The organization must understand which frameworks or framework elements are needed to address, at a minimum, the critical security concerns. When addressing control requirements, more is not necessarily better, and each additional control entity represents an investment in time, money, and effort.
# Choose a base framework to use. An organization should identify a base framework to contain the additional controls. This framework should be as broad as is viable, allowing for only minimal, more specific needs to be addressed.
# Break the identified framework elements down according to functional areas and combine controls into like families or tiers. Different frameworks often contain equivalent controls under different headings or focus areas. By understanding where the controls map to one another, existing controls can often simply be enhanced rather than having to add completely different compliance needs.
# Identify critical controls that address the most restrictive requirements. In many situations, there will be control objectives that must be accomplished, intermingled with additional categories that are simply “good-to-have”. The action items that are required for compliance needs should be categorized as more critical.
# Define control “numbering system” and nomenclature. For ease of evaluation and tracking, the combined framework elements should be indexed in a way that allows them to be viewed as parts of a whole. In addition, a formalized control language should be used to address concepts across the new framework, avoiding confusion as compliance efforts begin.
# Identify affected data. Just as it was necessary in the first step to identify which controls and frameworks were needed, it becomes necessary to reverse the process, ensuring that all elements of data that are subject to the collected controls are identified. The majority of this information was known at the start of the exercise, but a second glance after consolidating the requirements often identifies additional data sources, repositories, and systems.
# Understand data flows. As critical as it is to understand the affected data elements, it is just as important to understand where those data elements reside and why. How the information is collected, processed, stored, and transmitted is essential to determining in-scope systems, applications, and processes that must adhere to the new framework.
# Formally define scope of data controlled by the frameworks. After identifying the data flow patterns and practices, a consolidated list of servers, systems, applications, processes, and governance items must be created and then reviewed against expected values.
# Reduce data scope aggressively. Each data control element is an investment in time, money, and effort. The same can be said for each element of the in-scope data that is addressed by the combined framework. Existing business processes and needs should be used to determine if data is being used or retained in inappropriate or unneeded areas. Where possible, data should be consolidated and purged, reducing the overall scope of control coverage, especially critical control requirements such as those brought on by legal or regulatory provisions. (Editor’s note: see Ben Rothke and David Mundhenk’s guidance on reducing PCI scope.)
# Classify affected data according to impact. Some controls will be identified as more critical, and the data elements associated with these will likewise be viewed as more sensitive. These classes of information assets should be classified and labeled to ensure that adequate attention is applied.
# Define data lifecycle elements based upon classification levels and requirements identified by various standards and practices. Once the combined framework controls are in place; the data is identified, scoped, and minimized; and classification levels have been established, a comprehensive data lifecycle program should be implemented. Through this process, end users can manage data elements, complying with the chosen control framework requirements without having to conduct extensive research into sometimes arcane control sets.
# Review existing infrastructure, policy, and procedure against the consolidated framework and data lifecycle requirements. Governance and operational resources must be reviewed against the newly developed framework and associated lifecycle elements. Where needed, changes should be made to support the new controls system.
# Implement consistent solutions across all data elements located within the tier. The supporting processes that enable the controls’ effectiveness should be viewed from the perspective of consistent, modular growth. Networks, systems, and management tools should be designed to scale or be replaced easily. Consolidated security programs (such as incident response, vulnerability management, and change management) and scheduled requirements (audits, penetration testing, vulnerability assessments, risk assessments, and reports) should be updated to address all required controls across the entire framework, resulting in a consistent, singular approach to compliance and readiness.
It’s not a new law, but it’s a tangible, short-term step toward protecting the privacy of patient data that travels online. To address loopholes in current patient privacy legislation, the Health and Human Services Department on Thursday proposed privacy rules that would apply to vendors of technology that transmit personal health data.
A key provision of the pending rules would make “downstream” healthcare subcontractors subject to HIPAA’s privacy and security requirements. HIPAA, as bolstered under the HITECH Act, already considers a health information exchange as a “business associate” of organizations covered by the law. Business associates are required to sign contracts that bind them to HIPAA. The proposed rule, however, would confer business associate status on subcontractors working with other business associates. Potentially, the requirement could work its way down a number of tiers, as subcontractors to newly coined business associates would also fall under HIPAA’s scope.
via In the News.
The Office of Management and Budget (OMB) has finished its review of proposed rules related to changes to HIPAA privacy and security rules, meaning the rules could hit the streets this week.
The OMB reports that it has concluded its regulatory review of the rules HHS sent in April.
Health Net of the Northeast will pay $250,000 in fines to Connecticut as part of a settlement regarding a lost or stolen hard drive that contained medical records and personal information of 1.5 million people, including 446,000 in Connecticut.
The Internal Revenue Service risked disclosing taxpayer information when it failed to identify contractors that had access to financial records and to fix known security weaknesses at facilities where files are stored.
According to an audit released on Tuesday by the Treasury Inspector General for Tax Administration, the IRS did not identify all the vendors that store and process taxpayer data, making it impossible to complete annual security reviews. In addition, at facilities where the IRS did conduct reviews, it failed to check if weaknesses it had identified were corrected.