Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, providers face significantly stiffer penalties for health care data breaches than they used to -- not to mention a serious commitment from the Department of Health & Human Services (HHS) to enforce those penalties and publicize all major data breaches. The HITECH Act also broadens the definition of a covered entity under the Health Insurance Portability and Accountability Act; many organizations that had not been required to comply with HIPAA privacy and security rules must now do so.
This guide examines the new health care data breach rules, the penalties for breaking them, and the best practices that will help health care providers and their business associates prevent data breaches. It is part of SearchHealthIT.com's Briefings series, which is designed to give IT leaders strategic guidance and advice that address the management and decision-making aspects of timely topics.
- What are the new health care data breach rules?
- Have the data breach rules been made official?
- What are the ramifications of a data breach?
- Why is encryption so important?
- How can a health care provider prevent a data breach from happening?
- More resources
HIPAA applies only to organizations defined as covered entities: generally, health care providers such as hospitals and doctors' offices, health plans and insurers, and health care clearinghouses. The HITECH Act makes HIPAA's security rule and its data breach notification requirements apply directly to business associates as well, and the definition of business associate has been expanded. Under the original HIPAA rules, the term referred to an outside person or organization that created, received or handled protected health information (PHI) while performing a service for a covered entity, such as a billing or transcription company. The HITECH Act deems subcontractors, health information exchanges, regional health information organizations and e-prescribing gateways to be business associates as well.
Additional changes restrict the use of PHI. Whereas HIPAA allowed PHI to be sold, the HITECH Act prohibits its sale without the patient's authorization, with limited exceptions. Tighter restrictions have been placed on the use of PHI in marketing communications; furthermore, these restrictions now apply to business associates as well as covered entities. Finally, a patient whose records are kept in an electronic health record (EHR) must be given an electronic copy of his or her PHI on request, and the fee charged for the copy cannot exceed the labor cost of producing it.
Specifics about new data breach fines are covered below.
Learn more in "How the HITECH Act changes HIPAA compliance." Also:
- Role of security and privacy in meaningful use
- EHR certification criteria correlation to HIPAA Security Rule
- Discovery of data breach under HITECH raises big compliance questions
- New HIPAA data breach notification rules put health industry on notice
- HIPAA covered entity and business associate agreement requirements
- HIPAA compliance: New regulations change the game
- Medical records privacy: It's not just HIPAA rules anymore
Though the new data breach rules went into effect Sept. 23, 2009, technically they have not been made final. In May, HHS sent its version of the data-breach notification final rule to the Office of Management and Budget (OMB) for review. Two months later, however, HHS said it was withdrawing the final rule. HHS intends to consider the data-breach notification final rule further, submit it for review and publish it in the Federal Register at some point in the next few months. In the meantime, the provisions of the interim final rule, published on Aug. 24, 2009, remain in effect.
The HHS announcement gave no official reason for withdrawing its version of the data-breach notification final rule, but one part of the interim final rule drew the ire of some members of Congress: its harm threshold, under which a covered entity need notify patients only if it judges that a breach poses a significant risk of financial, reputational or other harm to them. Leaving that judgment to the entity that suffered the breach, the legislators say, violates the spirit of the HITECH Act, which contains no such threshold.
It also should be noted that the Office of the National Coordinator for Health Information Technology (ONC), a division of HHS, is considering additional data breach requirements that would apply to personal health record (PHR) services, such as Google Inc.'s Google Health and Microsoft's HealthVault. Under the HITECH Act, purveyors of PHR services are not considered HIPAA covered entities.
Learn more in "Breach notification final rule withdrawn from OMB review." Also:
- Federal data breach laws still on hold as compliance deadline looms
- Rules still pending on privacy and security requirements for PHRs
- PHR services are great -- until the server goes down
For starters, the fines are much greater than they used to be. Under HIPAA as passed in 1996, the penalty was $100 per violation, capped at $25,000 per year for identical violations. Now the penalty is $100 to $50,000 per violation, with annual caps ranging from $25,000 to $1.5 million. The range reflects four tiers of culpability, from a violation the entity did not know about and could not reasonably have known about (the least serious) to one that resulted from willful neglect and was not corrected (the most serious). Where a preliminary review indicates possible willful neglect, HHS is required to investigate.
Data breach notification rules also have changed. HIPAA regulations did not require entities to notify patients of a data breach, leaving that subject to state data protection laws, but the HITECH Act requires notifying affected patients individually, without unreasonable delay and no later than 60 days after the breach is discovered, whenever a breach of unsecured PHI has occurred. (Unsecured PHI is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons by a method HHS has specified, such as encryption.) Notice goes by first-class mail, or by email if the patient has agreed to electronic notice; in urgent cases it may also be given by telephone. The notification must say when the breach occurred and when it was discovered, which kinds of PHI were involved, what the entity is doing to investigate the breach and mitigate harm, and what the patient can do to protect himself or herself.
In addition, any breach that affects more than 500 residents of a state or jurisdiction must be reported to prominent media outlets serving that area, and any breach of 500 or more individuals must be reported to HHS at the same time the patients are notified; smaller breaches are logged and reported to HHS annually. This requirement, combined with the overall tightening of the data breach rules, has resulted in nearly 200 data breaches being identified since the HITECH Act went into effect. HHS publishes the list of breaches affecting 500 or more individuals on the website of its Office for Civil Rights (OCR).
Learn more in "Health care data breach can hurt provider's wallet -- and its image." Also:
- HITECH Act security provisions catching health care providers unaware
- Breach notifications up in wake of new HIPAA security, privacy rules
- Data breach notifications on the rise at Office for Civil Rights
- Office for Civil Rights offers HIPAA enforcement update
- Mass. hospital deals with lost backup data files
- Health Net health care data breach affects 1.5 million
Under the HITECH Act, PHI that has been encrypted in a manner consistent with HHS guidance (which points to NIST standards) is not "unsecured PHI," so losing it does not trigger the breach notification rules, provided the decryption key was not lost or exposed along with it; the HHS guidance calls for keys to be kept on a separate device or at a separate location from the data they protect. Essentially, encryption gives organizations a safe harbor. Data can be encrypted by the tape backup software as it is written, or better yet before it is copied to tape (that is, while the files are still on the network), so that the tapes never hold cleartext PHI. In addition, data loss prevention (DLP) software can alert administrators when someone is trying to transmit unencrypted PHI over the network or save it to a thumb drive.
Encrypting one data store, however, does not make an organization immune to a data breach; the safe harbor covers only the PHI that was actually encrypted. Other parts of a health IT infrastructure that carry PHI, namely network traffic, the backup tapes themselves, and such hardware as laptops, thumb drives and corporate smartphones, also should be encrypted to keep unwanted visitors at bay. Note too that full-disk encryption on its own will not suffice. It is effective for mobile devices and removable storage that are lost while powered off, but it does not protect data while the computer is running and the volume is unlocked, nor data being transferred over a network, which needs transport encryption such as TLS.
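As an added illustration of the DLP alerting described above (this is example code written for this briefing, not a product's logic or anything from the original page), the following Python scans a handful of constructed "data leaving the workstation" events and raises an alert when PHI-looking content goes out over an unencrypted channel or onto an unencrypted removable drive. The SSN shape is the usual one; the "MRN-" medical record number format and the event fields are assumptions for the example only.

```python
"""Toy DLP check for outbound PHI (illustrative example, not from the original page).

Each Event is a constructed record of something leaving a workstation: a network
upload or a copy to removable media. The check flags events where PHI-looking
content (an SSN-shaped number, or a hypothetical "MRN-" medical record number)
leaves without encryption. Real DLP products match far richer fingerprints;
the patterns below are assumptions for this example.
"""
import re
from dataclasses import dataclass

# Constructed patterns: SSN is the usual ddd-dd-dddd shape; the MRN format is hypothetical.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(r"\bMRN-\d{6,8}\b")


@dataclass
class Event:
    user: str
    channel: str      # "network" or "removable"
    destination: str  # host URL or device path
    encrypted: bool   # TLS for network transfers, encrypted volume for removable media
    payload: str      # the content being transferred


def find_phi(text):
    """Return the kinds of PHI-like identifiers found in text, in a fixed order."""
    kinds = []
    if SSN_RE.search(text):
        kinds.append("ssn")
    if MRN_RE.search(text):
        kinds.append("mrn")
    return kinds


def check_event(ev):
    """Return an alert string for a risky transfer, or None if the event is acceptable."""
    kinds = find_phi(ev.payload)
    if not kinds:
        return None            # nothing PHI-shaped in the payload
    if ev.encrypted:
        return None            # encrypted in transit or at rest: inside the safe harbor
    return (f"ALERT user={ev.user} channel={ev.channel} dest={ev.destination} "
            f"phi={','.join(kinds)} unencrypted")


def scan_events(events):
    """Run check_event over every event and keep only the alerts."""
    return [a for a in (check_event(e) for e in events) if a]


# Constructed sample events for the example.
SAMPLE_EVENTS = [
    Event("jdoe", "network", "https://ehr.example.org/upload", True,
          "Patient MRN-00123456 visit summary"),                 # PHI, but over TLS
    Event("jdoe", "network", "http://files.example.net/share", False,
          "Patient MRN-00123456, SSN 123-45-6789"),              # PHI over plain HTTP
    Event("asmith", "removable", "E:\\backup\\export.csv", False,
          "name,mrn\nAnn Smith,MRN-00987654"),                    # PHI to unencrypted USB
    Event("asmith", "removable", "E:\\backup\\notes.txt", False,
          "lunch order for Thursday"),                            # no PHI
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Running it produces two alerts: the plain-HTTP upload and the cleartext USB copy. The TLS upload passes because the channel is encrypted, which is the same reasoning the safe harbor applies to data at rest; a production DLP deployment would also log the permitted transfers, tune the identifier patterns to the organization's own record formats, and pair the check with the encrypt-before-backup practice described above.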
Learn more in "Encryption tops new rules of electronic health records compliance." Also:
- Health care data security now defined by encryption, thin clients
- Do your backup tapes hold PHI that is not encrypted?
- Disk encryption is not the panacea for compliance
- Using data loss prevention software to comply with new HIPAA policies
There are several other steps the provider can take.
- Consider using the Risk Management Framework published by the National Institute of Standards and Technology (NIST) to conduct the risk assessment the HIPAA Security Rule requires, covering every IT system that stores, processes or transmits PHI. (You can take that one step further by covering not just PHI but all personally identifiable information [PII].)
- Consider using an identity management system, which can help administrators manage login and authentication, access control, privilege validation, and ID decommissioning.
- When developing an EHR security program, adhere to standards published by such organizations as NIST, the International Organization for Standardization and the Health Information Trust Alliance. Such standards have been written with HIPAA compliance in mind.
- Keep networks secure. One way to do that is to segment the network so that systems holding PHI sit on their own segment, separated by firewall rules from guest wireless and other untrusted networks.
- As required by the HIPAA Security Rule, develop a disaster recovery plan that spells out exactly what will be needed to recover PHI in the event of a fire, vandalism, natural disaster or system failure.
Above all, regularly educate employees on HIPAA's privacy and security provisions. Emphasize the importance of keeping patient data safe and secure. Not just millions of dollars are on the line if a data breach occurs -- a medical center's reputation is also at stake.
Learn more in "New data breach laws highlight importance of planning, preparation." Also:
- Risk management framework is key to HIPAA compliance
- Updating HIPAA and HITECH Act policies with PII
- Using an identity management system enables HITECH, HIPAA compliance
- Addressing EHR security in a changing regulatory market
- Addressing HIPAA privacy compliance on hospital wireless networks
- What is a HIPAA disaster recovery plan?
- Create a data breach response plan in 10 easy steps (SearchSecurity.com tip)
- How to develop a data breach response strategy (Information Security Magazine feature)
- How will mandatory encryption standards affect IT operations? (SearchCompliance.com FAQ)
Let us know what you think about the briefing; email Brian Eastwood, Site Editor.