Recent federal legislation mandates greater enforcement of laws for safeguarding electronic protected health information
WHITE PAPER
800-721-9177 | 805-684-6858
TABLE OF CONTENTS
1 Executive Summary
2 The HIPAA Security Rule
3 High Costs for Failure to Safeguard EPHI
4 Keys to Successfully Safeguarding EPHI
5 Glossary
6 About Redspin, Inc.
Confidentiality: defined as “the property that data or information is not made available or disclosed to unauthorized persons or processes”
Integrity: defined as “the property that data or information have not been altered or destroyed in an unauthorized manner”
Availability: defined as “the property that data or information is accessible and useable upon demand by an authorized person”
Each section contains standards and implementation specifications that all covered entities

The Security Rule states that EPHI that is received, maintained, or transmitted must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. In general the requirements, standards, and implementation specifications of the Security Rule apply to the following covered entities.

Covered Health Providers: Providers of medical or other health services/supplies who transmit health information in electronic form in connection with a transaction
Health Plans: Individual or group plans that provide or pay the cost of medical care
• Security Standards and General Rules: Includes the general requirements all covered entities must meet; establishes flexibility of approach; identifies standards and implementation specifications; outlines decisions a covered entity must make regarding implementation specifications; and requires maintenance of security measures to continue reasonable and appropriate protection of EPHI
• Physical Safeguards: Defined in the Security Rule as the “physical measures, policies, and procedures to protect a covered entity’s EPHI systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.”
• Technical Safeguards: Defined as the “technology and the policy and procedures for its use that protect EPHI and control access to it.”
Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed.
Consider the case of Providence Health & Services, a Seattle-based not-for-profit health system. In at least five incidents in 2005 and 2006 unencrypted EPHI of Providence patients was stored on backup tapes, optical disks, and laptops that were taken offsite from Providence by members of its workforce. The data were then misplaced or stolen, potentially compromising the health information of over 375,000 patients. Providence advised patients of the loss of information in accordance with state notification law, and though there is no evidence that EPHI was wrongfully used, HHS launched an investigation focusing on Providence’s failure to implement policies and procedures to safeguard the data. In July 2008 HHS entered into a settlement with Providence that included a $100,000 monetary settlement and a multi-point, 3-year Corrective Action Plan focusing on the development, implementation, training, monitoring, and enforcement of robust policies and procedures for handling EPHI under the HIPAA Security Rule.

Failure to safeguard EPHI can be very costly.

New Penalties for Violating the HIPAA Security Rule
As required by the adoption of the HITECH Act and in the understanding that EPHI implementation
is likely to accelerate quickly, HHS has taken steps to further define the landscape in terms of
compliance under the HIPAA Security Rule. The action has centered around two main areas:
• Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation
In August 2009 HHS and the Federal Trade Commission (FTC), respectively, published rules on
when and how HIPAA covered entities and vendors of personal health records (PHR) such as
Google Health and Microsoft’s Health Vault must notify individuals of security breaches.
The HHS rule requires HIPAA-covered entities to provide affected individuals with timely notice
(less than 60 days) upon the discovery of a breach of their unsecured EPHI. HHS regulations
mandate that notice include certain information, including a brief description of the event that led
to the breach, the specific EPHI involved, and the steps affected individuals should take to protect
themselves from harm. In cases where a breach involves more than 500 individuals, the covered
entity is required to notify the media as well as HHS.
Importantly, the risk of and responsibility for an EPHI breach is not limited to the covered entity.
Business associates of a covered entity—including entities both “covered” under HIPAA and
entities that are not defined as “covered” such as some third party administrators and health record
vendors—also are required to notify an affiliated covered entity of an EPHI breach, and the covered
entity must then provide the affected persons with notice. In this sense the integrity of EPHI is the
responsibility of all business associates in the chain, regardless of where the EPHI is physically
located.
• The inadvertent disclosure of EPHI from a person authorized to access EPHI at a covered entity or business associate to another person authorized to access EPHI at the covered entity or business associate; and
• Disclosures in which an unauthorized recipient would not reasonably have been able to retain the EPHI (e.g., if a covered entity mistakenly sends an explanation of benefits to the wrong person, which is then returned by the Post Office, unopened)
[Figure: HIPAA Adoption, Timeline of Healthcare Security Legislation]

• Breach notifications to customers/patients and the media (reputation damage)
1. A thorough EPHI security assessment will comprehensively evaluate all Standards of the HIPAA Security Rule
2. Stratify security risks according to a level of urgency in terms of the potential business impact of a HIPAA Security Rule breach
5. Maintain complete independence from the sales and management of EPHI security products

HIPAA law requires covered entities to conduct routine evaluations of the effectiveness of EPHI security programs, policies, and procedures.

Glossary

ARRA: The American Recovery and Reinvestment Act of 2009. A large economic stimulus bill signed into law by President Obama in February 2009.
Business Associate: An entity that does business with a Covered Entity, as defined by HIPAA. A business associate of a Covered Entity may or may not be a Covered Entity itself. Regardless, the actions of Business Associates impact each of the other organizations as it concerns safeguarding EPHI.
Covered Entity: A healthcare industry organization that is subject to the laws and standards of HIPAA.
EPHI: Electronic Protected Health Information. Similar to protected health information (PHI), but distinguished by its electronic form.
HHS: The Department of Health and Human Services, a branch of the US federal government.
HIPAA: Health Insurance Portability and Accountability Act of 1996. A large and comprehensive law dealing with numerous aspects of healthcare programs, including the privacy and security of health information.
HIPAA Security Rule: The portion of HIPAA law that specifically focuses on safeguarding EPHI—ensuring the confidentiality, integrity and availability of the data.
HITECH: The Healthcare Information Technology Economic and Clinical Health Act. A component of ARRA that promotes the adoption and meaningful use of health information technology by providing monetary incentives for healthcare entities that implement electronic health records, and by eventually penalizing those entities that do not adopt electronic health records.
ISP: An Information Security Program provides the framework of the necessary processes and procedures to manage risk to information assets.
OCR: Office of Civil Rights. The department within HHS responsible for enforcing HIPAA Security and Privacy laws, and investigating allegations of PHI violations.
About Redspin
Redspin, Inc. delivers the highest quality, independent Information Security Assessments through
technical expertise, business acumen and objectivity. Redspin customers include leading companies
in the industries of healthcare, financial services, hotels, casinos and resorts, as well as retailers
and technology providers. Some of the largest communications providers and commercial banks
rely upon Redspin to provide effective technical solutions tailored to their business context, allowing
them to reduce risk, maintain compliance and increase the value of their business unit and
IT portfolios.
www.redspin.com