As part of my work out of IdeaLab and building secure and federally compliant digital health companies and products, I get asked several times about HIPAA compliance and ways to achieve it. These questions are from different viewpoints and use cases such as investments, enterprise usage, insurance, technology-related etc.

At its heart, HIPAA is about giving the right of the protection of the privacy and security of patients identifiable information. There is a lot of stuff which has been written about it in different blogs and news site but I wanted to put together a simple checklist which deals with some things that every company can take in order to work towards HIPAA compliance. This list is also applicable to digital health and Healthcare IT startups which are now sprouting across the country. Vendors who deal with healthcare companies and data can also use this list as a starting point. HIPAA compliance is not just necessary from the standpoint of compliance (and marketing as companies tend to use it for), but also a good way to avoid expensive data breaches. Here are examples of some ways healthcare data is breached: http://www.artilient.com/10-ways-that-healthcare-data-gets-breached/

Subscribe to latest posts

As a disclaimer (and as required of me by my legal team), I am not providing legal or security advice. I am sharing some of my own experiences as part of building digital health products and companies out of IdeaLab. This list is by no means a complete checklist and I would like to welcome other experts to contribute to this list and share their experiences as well. Please always consult your legal and security advisory team also before implementing any changes.

1. Hosting: All your databases should be hosted with companies which offer a Business Associate Agreement (BAA). Your databases may contain potentially sensitive data (such as confidential Protected Health Information or patient data) and thus it is important to use a premium service which offers a BAA.

Here are some examples of companies which offer a BAA to healthcare companies which meet specific criteria:

AWS: http://aws.amazon.com/compliance/

FireHost: http://www.firehost.com/secure-cloud/compliant/hipaa

Rackspace: www.rackspace.com/print.php?page_id=8‎

I personally like to use AWS for our products and companies out of SeedHIT for the ease of use, pay-what-you-use and DIY tools it offers to its users.

 

2. SSL encryption: Obtaining an SSL certificate from a reputable provider ensures that there is secure transmission going on between the browser session of your users and your servers. Strong encryption can reduce the chances of your data communication being overheard by an unauthorized person during transmission.

A padlock icon and “https” in the address bar indicates that SSL encryption in transit is taking place.

There are several levels of SSL available starting with 128-bits. For HIPAA compliance, use a minimum of 256-bit SSL. You can upgrade to as much as 2048-bits if you would like (or your enterprise clients insist upon).

Some vendors for SSL certificates include:

Symantec (formerly VeriSign): http://www.symantec.com/verisign/ssl-certificates

GoDaddy: http://www.godaddy.com/ssl/ssl-certificates.aspx

DigiCert: https://www.digicert.com/order/order-1.php

For those who are interested in more detailed reading about how encryption applies to medical providers, I thought this article from the American Medical Association was very useful: http://www.ama-assn.org/resources/doc/psa/hipaa-phi-encryption.pdf

 

Subscribe to latest posts

3. Encryption at Rest: This requires that all your databases and file systems as well as servers and disks are encrypted. This reduces the likelihood of PHI being accessed by unauthorized persons in the event of hacking or theft.

Here are some companies whose products can be used:

Truecrypt: http://www.truecrypt.org/ (Open source)

Gazzang: http://www.gazzang.com/solutions/achieving-compliance/hipaa

Microsoft Encrypting File System: http://windows.microsoft.com/en-US/windows7/What-is-Encrypting-File-System-EFS

 

4. Audit trail program: Ensure that all actions and interactions of all your users are tracked along with their timestamp. Also, al

l processes happening within the system need to be tracked. From the user standpoint, think about it as: WHO did WHAT, WHEN was it done and WHY was it done.

This is useful in the event of any audits that might be needed as part of data breaches and determine

unauthorized access.

 

5. Data retention rules: Ensure that all your data is archived after last use for a minimum of 7 years and available upon request by an authorized person or entity. In the event that the data belong to the PHI of a child younger than 18 years old, then ensure that the data is available for at least 7 more years after the child turns 18 (adult) and after last use. To be on the safe side, consider retaining all data for 25 years after last use. Of course, there is a significant cost factor to this.

Here’s a comprehensive report from US HHS: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf

6. Session timeouts: Ensure that a client session times out and logs the users off automatically after 3-minutes of non-activity. This helps with non-authorized access to PHI. When the user wants to re-use the system, he/she will be required to log back in with full credentials.

 

Subscribe to latest posts
7. BAA with vendors: Any time you use a vendor such as programmers or consulting companies, make sure you execute a BAA. When it comes to vendors touching live PHI (such as production support and SysAdmins) should be doing so from within the continental United States.

 

8. Have secure backups done of your data: Make sure you take back-ups of all your data and databases. Of course, all storage of these back-ups should be done with HIPAA-compliant storage companies only which offer BAA’’s (as mentioned in #1 above). Ideally you want to back-up your data in a vendor and location which is different from your primary data storage. Also, all back-ups just like primary data should be encrypted.

This is required for disaster recovery and emergency operations.

 

9. Restrict access to right people/ unique user identification: Establish the right policies and procedures to ensure that only people who should be accessing certain aspects of your application and / or tPHI are able to do so. This access should also be tracked using an identifiable number or user name which is unique to the specific person. This identifiable information should be contained in the Audit Trail (#4 above). As an eg., a user’s email ID could be used to create a user name in order to grant that user access to your application and any PHI, if required.

Also, there should be a way to establish access to PHI in the event of emergencies such as natural disasters and technical crashes.

For more details, check out: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

 

10. 2-factor authentication: In order to establish an additional layer of verification on the users access PHI within your system, establish a second authentication layer on top of the username and password asked as part of the login information. This could be implemented in several ways such as:

— Asking for information such as pet’s name

— Calling or texting the mobile number associated with your account

— Using a security token for a 2nd randomly generated password

This ensures that in the event the user did not follow proper protocol for their login, a 2nd level authentication will hopefully be able to prevent unauthorized access.

For more details, check out: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf

 

BONUS (10 + 1)

11. Using secure email: Ensure that all data and PHI being used in any communication remains on a HIPAA-compliant server. This relates to #3 above. Thus, it is important to use a company which provides such an email service. I personally use SafeDr for this (Disclosure: SeedHIT has developed and owns SafeDr).

Subscribe to latest posts

 

I would love to hear other safeguards that you have implemented in your company which either stored PHI or has access to it as a vendor. Here’s the complete list of HIPAA tecnical safeguards too for your reading pleasure: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

–nrj

Subscribe to latest posts

News of penalties for data breaches and HIPAA violations are splashed and highlighted in every media outlet covering Healthcare IT. The magnitude of these numbers is mind boggling (in millions) both in terms of the number of individuals impacted as well as the penalties enforced by the United States Department of Health and Human Services.HHS-Logo

The HITECH Act requires that all reported data breaches of unsecured protected health information affecting 500 or more individuals is listed and made available to the public along with the cause of the breach. Here’s some impact of breaches over the past 3 years: http://www.artilient.com/medical-records-for-over-21-million-individuals-impacted-due-to-security-breaches-in-last-three-years/ . To get a list of some reported breaches which have impacted over 500 or more individuals, click here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

As part of my work at SeedHIT, we come across several use cases of providing the right tools for our enterprise clients to SeedHIT Logo for BCprotect their data as part of communication, collaboration and storage. I wanted to create a list of some of the ways that healthcare data gets breached. The objective of this post is to not critique the companies which have been impacted by these breaches but rather to create awareness.

Subscribe to The Blog of Nikhil Jain by Email

1. Theft: This kind of breach happens when data is intentionally stolen. The theft could be of data in the form of electronic physical devices or could be electronic data itself over a network or of old-fashioned paper. Of course, there are a lot of other imaginative ways to steal data and causing breaches for enterprises.

An examples of healthcare data breach by theft includes:

— Two back-up tapes belonging to New York City Health & Hospitals Corporation’s North Bronx Healthcare Network were reported to be stolen in December 2010. The tapes reportedly contained personal health information of 1,700,000 individuals

2. Loss of devices: This could be as a result of enterprises or individuals losing possession of the physical device which actually contains healthcare data on it. BYOD lostLots of times, the device which contains the healthcare data belongs to the individual (BYOD) and in other cases, the device belongs to the enterprise. The devices might not necessarily be meant for personal use. They could also be enterprise-level devices such as back-up tapes.

Here are some recent examples of healthcare data breaches as a result of devices being lost:

TRICARE Management Activity 4,901,432 Individuals Affected in September 2011 and is now facing a $4.9 billion class-action lawsuit. Occurred due to loss of back-up tapes. These tapes could have possibly contained the personal and protected health information.

Health Net, Inc reported the loss of server drives in January 2011. These server drives contained personal information such as Social Security numbers, names and personal health information of 1,900,000 individuals.

— Miami, FL based AvMed, Inc. reported the loss of two encrypted laptops containing personal information including Social Security Numbers and health records. The loss which occurred in December 2009 supposedly impacted 1.22 Million individuals.

 

3. Hacking: When an unauthorized person gains access to the computer networks and devices, it can potentially result in the hacker getting their hands on sensitive patient information. Once a hacker gets hold of this sensitive information, it could potentially fall in hands of other areas of organized crimes too. Hacker

Utah Department of Health reported that one of its servers containing information such as addresses, social security numbers and date of birth was hacked into in March 2012 and impacted 780,000 individuals.

 

4. Incorrect Mailing: This happens when letters including sensitive patient data is inadvertently sent to the wrong people at the wrong addresses.USPS First Class

MO HealthNet reported in June 2013 that it mailed out information of its patients to the wrong addresses. The information contained in the letter potentially included Name, date of birth and last 4 digits of SSN.

 

5. Loss of Paper: Lots of information is still captured on paper and left on paper and file folders. This represPaper Recordsents several instances of breach such as the paper falling in the wrong hands or shredding not done properly or paper just lost.

In May 2007, Georgia Division of Public Health reported that 140,000 paper records containing SSN’s and medical histories were impacted as those records were “discarded” without shredding.

Subscribe to The Blog of Nikhil Jain by Email

6. Unauthorized access/ Disclosures/ Internal theft: This happens as a result of employees getting curious about certain patient’s medical history. This patient could be a celebrity or even a family member or friend. This unauthorized access could also have been made for personal financial gain.Internal Theft

— In June 2013, Los Angeles based Cedars-Sinai Medical Center reported the unauthorized access of TV personality Kim Kardashian: http://www.latimes.com/news/local/la-me-hospital-security-breach-20130713,0,7850635.story

Office of the Medicaid Inspector General reported that in October 2012 an internal employee had emailed himself over 17,000 Medicaid patient records. These records potentially included information such as patient names, date of birth and social security numbers.

 

7. Malware: This is a software or program which is designed to get access to the sensitive data in your computers when it is able to infect that computer successfully. When such a program gets access to the company’s private computer systems, it is then able to create data breaches. This method of data breach is gaining a lot of popularity recently.

La Grange, TX based St. Mark’s Medical Center reported that an employee’s computer containing patient information such as names, date of birth and social security numbers was infected by a malware in 2012. Almost 2,900 records were stored on that computer.

8. IT issues: This could be as a result of issues within configuration of internal IT or as a result of not addressing key security aspects within the organization and also enforcing it with third-party vendors.IT

— Nashville, TN based Cogent Healthcare reported that the firewall of one of its vendor’s website was down. This resulted in Google’s spiders including almost 32,000 patient records in its index in May 2013.

 

9. Lack of encryption: Any sensitive data should usually have been encrypted in order to prevent unauthorized access. This also means hardware such as laptops should have encrypted hard drives. Data breaches also happen when devices fall in the wrong hands and there is no encryption on them.

ssl-encryption–. Chattanooga, TN based Blue Cross Blue Shield of Tennessee reported the theft of several unencrypted computer hard drives. Occurring in October 2009, the theft impacted over 1 Million individuals.

 

10. Lack of internal IT policy and / or its enforcement: This happens when employees do not follow the laid out policy of the enterprise. This might happen due to lack of internal company education on policies. An example of an internal IT policy is that patient data should not be stored on hard drives of laptops.

SynerMed reported that in April 2013, an employee’s laptop containing member information of Inland Valleys IPA such as names and date of birth was stolen from his automobile. This breach impacted over 1,500 individuals.

BONUS (10 + 1):

11. Improper Handling/ Disposal: This breach usually happens when an employee or a third party vendor does not follow proper policies and procedures regarding handling of sensitive data.Improper disposal

University of Virginia’s 18,000+ students’ Social Security Numbers were included in brochures by Aetna Health Care’s third party vendor in July 2013

 

Texas Health Harris Methodist Hospital Fort Worth reported in May 2013 that a portion of the microfiche which was supposed to be destroyed by its vendor, Shred-it, was found in a park. The microfiche could included information such as patient names, addresses, dates of birth and Social Security numbers

 

What are some instances of healthcare data breaches that your organization has been part of or you have observed?

nrj

Subscribe to The Blog of Nikhil Jain by Email