Spears Legal Technology


This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.


Report: Heartbleed to blame for Community Health Systems breach

If this report is true, the Community Health Systems data breach that affected 4.5M patients would be the first known exploit of the Heartbleed vulnerability. However, it is likely not the last. A report on the Errata Security blog in June noted that 300,000 vulnerable systems remained unpatched two months after the vulnerability was disclosed.

Here’s more from TrustedSec:

While no technical details of the attack had previously been disclosed, information security firm TrustedSec, citing sources familiar with the incident, said on Tuesday that the initial attack vector was through the infamous “Heartbleed” vulnerability in OpenSSL, which provided the attackers a way in, eventually resulting in the compromise of patient data.

“This confirmation of the initial attack vector was obtained from a trusted and anonymous source close to the CHS investigation,” TrustedSec wrote in a blog post. “Attackers were able to glean user credentials from memory on a CHS Juniper device via the heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN.”

While TrustedSec did not share much on the source, the firm is reputable. As background, David Kennedy, TrustedSec's founder and Principal Consultant, formerly worked for the NSA and also served as Chief Security Officer at ATM maker Diebold. He is also founder of the Derbycon conference.



Community Health Systems data breach affects 4.5M

Yesterday Community Health Systems filed a public report with the U.S. Securities and Exchange Commission (SEC) detailing a data breach that affects 4.5 million individuals. This is a serious breach, especially because Social Security numbers were stolen along with names and birth dates. Together, the three pieces of information are a jackpot for identity thieves because they cannot be changed as easily as a password or email address, and are often all that are needed to open a bank account or obtain a credit card.

In July 2014, Community Health Systems, Inc. (the “Company”) confirmed that its computer network was the target of an external, criminal cyber attack that the Company believes occurred in April and June, 2014. The Company and its forensic expert, Mandiant (a FireEye Company), believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Company’s systems. . .The Company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data. However, in this instance the data transferred was non-medical patient identification data related to the Company’s physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company. The Company has confirmed that this data did not include patient credit card, medical or clinical information; the data is, however, considered protected under the Health Insurance Portability and Accountability Act (“HIPAA”) because it includes patient names, addresses, birthdates, telephone numbers and social security numbers.

With the current state of security in the healthcare industry I expect outside attacks on vulnerable providers and business associates will increase.


NIST Guidelines on Security and Privacy in Public Cloud Computing

Last week I was asked if there was any law or regulation that would prevent a third party business associate (BA) from storing their customer’s Personal Health Information (PHI) in a cloud environment.

The short answer is no, but the more complex answer is that HIPAA holds BAs and their subcontractors to the same standards as the health care providers themselves. Thus it is critical that serious consideration is given to how the data is to be protected. In this case, the cloud provider would also be a BA and the agreement should reflect their responsibilities in securing the data and their duties if a breach does occur.

One source of guidance is NIST 800-144: Guidelines on Security and Privacy in Public Cloud Computing. Here’s the abstract:

Cloud computing can and does mean different things to different people. The common characteristics most interpretations share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and displacement of data and services from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.



$800,000 HIPAA Penalty for Leaving Boxes of Documents on Driveway

With all of the attention being paid to the Target and eBay breaches - justifiably - it is important to remember that data protection laws may extend to paper records as well.

Parkview employees, who had been notified that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician's home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue, according to the resolution agreement between OCR and Parkview.

"All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk," says Christina Heide, acting deputy director of health information privacy at OCR. "It is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal."



When Do Conduits Cross the HIPAA Business Associates Line?

The Legal Health Information Exchange has published a lengthy article that examines the boundaries of the HIPAA Conduit Exception as they apply to Business Associates (BAs) who also handle Personal Health Information (PHI). BAs were first explicitly brought under parts of HIPAA’s regulatory umbrella as a result of the 2009 HITECH Act, and more explicitly with the release of last year’s Omnibus Rule.

The Preamble to the Final HITECH Rule states:

“The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services [and their electronic equivalents.]  As we have stated in prior guidance, a conduit transports information, but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.”

Here’s a summary of the author’s conclusion.

Therefore, a HIPAA BA relationship is generally not implicated by an HIO, HISP or similar entity simply performing just fully encrypted data routing or transmission activities for a covered entity. A HIPAA BA relationship will, however, be found where such HIO, HISP or similar entity performs more than such limited activities, such as, for example, data aggregation, processing, hosting and transmission (other than as a conduit), encryption/decryption functions/management, record locator/querying functions, auditing and other oversight and governance functions requiring access to PHI, and creating data sets of de-identified information.

Read the whole article here.

WV Supreme Court: Health Data Breach Victims Have Standing to Sue

If other states adopt this ruling it would represent a fundamental shift in the rights of patients who suffered a loss of personal data. It would also factor into the risk analysis for covered entities and their business associates.

The most frequently relied upon defense against suits for damages for a release of personal information is that the plaintiff or class of plaintiffs lack standing because the harm they suffered as a result of the breach is conjectural or speculative.

The Court’s opinion held that representatives of the class of medical clinic patients whose names, contact details, social security numbers and medical information had been accidentally posted to a publicly accessible web site had standing to sue the clinic notwithstanding that no class representative had established that anyone had actually accessed the mistakenly released information and no one had suffered any quantifiable economic loss as a result.



Report: Healthcare has seen a 13 percent increase in botnet activity

Using real-world case studies and findings from over 3 billion analyzed attacks, the 2014 NTT Global Threat Intelligence Report (GTIR) demonstrates strategies to minimize threat impact and compress the threat mitigation timeline. Among key findings of the study:

* The cost for a "minor" SQL injection attack can exceed $196,000;
* Anti-virus applications fail to detect 54 percent of new malware;
* Healthcare has seen a 13 percent increase in botnet activity.

Read the full report


OCR Releases HIPAA Security Assessment Tool

Last week the Department of Health and Human Services released a tool to assist covered entities in complying with the HIPAA Security Rule requirement to conduct a risk assessment. The tool is aimed at small to medium health care providers, and was developed jointly by OCR and the HHS Office of the National Coordinator for Health Information Technology (“ONC”).

Security Rule applies to HIPAA “covered entities”—which include health plans, health care clearinghouses, and most health care providers—that handle electronic protected health information (ePHI).  The Security Rule also applies to “business associates” that perform functions or services on behalf of covered entities involving ePHI.  The Rule requires covered entities and business associates to conduct a risk assessment to identify possible gaps in their information security programs in order to help ensure that patient information is protected against data breaches or other security events.

It follows the National Institute of Standards and Technology’s development of a similar toolkit, and contains 156 questions and resources that are designed to help health care providers.

More information and downloads are available


Doctor Sued for Posting Pictures of Drunk Model on Facebook

The reprehensible behavior displayed by this doctor violates basic human decency, and likely won’t be corrected by HIPAA laws or an employee training program.

A former Northwestern University student claims that after she was admitted to an Illinois hospital for extreme intoxication, a doctor there took photos of her and posted them to social media sites with commentary about her condition.
. . .
Approximately 15 minutes after she had regained consciousness, Puppala, who was on duty at the time and knew Chernyakova through a mutual friend, visited her hospital room, according to the complaint.

He allegedly asked to view her medical records, and returned several hours later to take photographs of her "while she was on the hospital bed, crying and attached to an IV," according to the complaint. He then posted these photographs on Instagram and Facebook, accompanied by "attached statements of commentary" about Chernyakova's condition, according to the complaint.

Puppala refused to delete the photographs when he was asked to do so by hospital security, according to the complaint.



A Sampling of HIPAA Fines and How They Could Have Been Avoided

Yesterday I posted a terrific article from Krystyna Monticello of Legal Health Information Exchange that discussed Affinity Health’s $1.2M settlement after improperly disposing of photocopiers that contained PHI.

At the bottom of that same article Krystyna summarizes a number of recent data breach settlements and the causes behind the breaches. It deserves its own post and should serve as a warning to any HIPAA covered entity or business associate responsible for storing or handling PHI.

  • How These Breaches and Fines Could Have Been Avoided:
  • (1) Address need for encryption for everything with PHI (laptops, mobile devices, photocopiers)
    • Idaho Hospice ($50K)
    • Providence Health ($100K)
    • Mass Eye/Ear ($1.5M)
    • Alaska DHSS ($1.7M)

  • (2) Dispose of ePHI properly
    • CVS ($2.25M)
    • Rite Aid ($1M)

  • (3) Do not remove PHI or ePHI from your facilities without assessing the risks and safeguarding it
    • Mass General ($1.5M)

  • (4) Choose your Business Associates wisely (and have written BAAs with them)
    • BCBS Tennessee ($1.5M)
    • Arizona Cardiologists ($100K)

  • (5) Conduct COMPLETE risk assessments that address all ePHI no matter where it may be located (and update them as needed)
    • BCBS Tennessee ($1.5M)
    • Idaho State ($400K)
    • Arizona Cardiologists ($100K)
    • Wellpoint ($1.7M)

  • (6) Have written policies (and actually implement them)
    • Rite Aid ($1M)
    • CVS ($2.25M)
    • Cignet Maryland ($4.3M)
    • Mass General ($1.5M)

  • (7) COOPERATE with OCR!
    • Cignet Maryland ($4.3 million)


Copiers result in $1.2 million settlement and CAP for Affinity Health

More from the Legal Health Information Exchange:

Affinity had reported the breach after it was informed by CBS Evening News that confidential medical information was on the hard drive of a photocopier previously leased by Affinity. Originally estimated at over 400,000 affected individuals, as reported by DataBreaches.net, OCR noted in its press release regarding the Resolution Agreement that up to 344,579 individuals were reported as potentially affected by the breach.

CBS had purchased the copier along with three others as part of an investigatory report on digital photocopiers and identity theft.

The settlement includes a Corrective Action Plan (CAP) stating that Affinity must use "best efforts" to retrieve all photocopier hard drives that were previously leased and safeguard all ePHI maintained therein, within five days.

Ouch. Read the full article here.


Document Disposal Company Responsible for old Patient Records found in Park

From the Legal Health Information Exchange:

Over 277,000 patients were notified by Texas Health Harris Methodist Hospital in Fort Worth ("Texas Health Fort Worth") earlier this month of a breach of their health information.  Only patients seen between 1980 and 1990 whose records were maintained on microfiche are affected or potentially affected by the breach.

Texas Health Fort Worth's business associate, document destruction company Shred-It, was contracted to dispose of the old microfiche records. As reported by the Star-Telegram, because the microfiche could not be destroyed on-site, Shred-It was to transfer them to another facility for destruction.

Somehow "lost" or misdirected during transit, the records found themselves in a park where a concerned citizen found them and contacted the Dallas police.


HIPAA Omnibus Rule Released

It’s been a long wait but the HIPAA Omnibus Rule has arrived and it is big, weighing in at over 500 pages.

Mintz Levin has created a handy reference chart detailing the changes from the 2009 update, or you can download the entire rule here. Business Associates (and your subcontractors), take note.


Personal Information Recovered From Wiped Hard Drive

Using software freely available on the Internet, two computer professionals explained how they recovered sensitive patient information, including Social Security numbers, from hard disk drives “professionally” wiped and discarded by a hospital.

Watch this WYFF Channel 4 Greenville-Spartanburg news video. (Or here.)

For effective data security, businesses and consumers should shred old hard-disk drives when they discard them. Look to NIST SP 800-88 for more specific recommendations.



FDA To Regulate Mobile Health Apps?

The FDA proposes to regulate at least some mobile apps, according to the Washington Post.

For example, an app that allows radiologists to view X-rays on an iPad or that turns an Android phone into a heart monitor would be regulated. But an app that stores medical records or provides training videos to physicians would not.

The full draft of the proposal is available at the FDA's website.


Implementing EHRs in Rural Communities

Much of the discussion surrounding the HITECH Act's push toward electronic health records has centered around hospitals and health exchanges in larger cities. But rural communities in Minnesota face special implementation challenges as well, according to Minnesota Public Radio.

Rural communities face special challenges, he says. "Financing is an issue. It's not just the hardware and software, but also the implementation process. There will be a productivity loss at first." Among the 102 hospitals counted as rural by the Minnesota Hospital Association in 2009, 59 percent operated with net margins of less than 5 percent, and a quarter were in the red.


Does HIPAA Apply To ISPs That Transmit Health Information?

In 2009, the HITECH Act expanded HIPAA's reach to include "Business Associates" (BAs) of the health care provider. A BA is defined as "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."

Under this analysis, are ISPs also governed by HIPAA regulations? It depends, according to Adam Greene and Michael Sloan of the law firm Davis Wright Tremaine. While the Department of Health and Human Services has stated the BA tag does not apply to entities serving as "conduits" by transmitting data from one location to another, Greene and Sloan suggest that ISPs who provide additional services may still reach BA status.

[T]o the extent a telecommunications carrier stores protected health information (PHI) by offering Internet access and related data services, it potentially faces obligations under HIPAA as a business associate. For example, an ISP may provide a limited number of e-mail accounts to all customers. If a small health care provider maintains unencrypted protected health information on an e-mail account where the emails are stored on an ISP’s servers, then this may take the ISP outside of the conduit exception and the ISP may become a business associate of the covered entity.

Greene and Sloan recommend that ISPs:

  • Evaluate whether they are maintaining health information;
  • Determine whether they are a business associate under HIPAA; and
  • Assess whether a HIPAA-specific compliance program is required to meet existing requirements.

Read the whole advisory here.

This reasoning also applies to companies that provide network hardware for health care providers. When connectivity issues occur, these vendors may receive patient data in the form of tcpdump captures or output from other network monitoring tools. According to HHS, if that data qualifies as identifiable PHI, then vendors should secure its transmission and storage.


Minnesota Clerk Denied Unemployment After Being Fired For HIPAA Violation

Last year Debra Girdeen, a file clerk for Fairview Red Wing Health Services, checked in an 81-year-old woman for a mammogram. During the check-in Girdeen improperly accessed the patient's medical information. When first questioned Girdeen declared that she was looking for a mammogram order, but later claimed she was concerned for the patient's well-being because the family member accompanying the patient was a "creep."

Unfortunately for Girdeen, this was her third HIPAA violation, and she was fired. Worse still, because she was fired for employment misconduct, Girdeen was also denied unemployment benefits.

On appeal, Girdeen claimed that she should still receive unemployment because she had a good faith belief that she was acting out of concern for the patient. But there is not a vulnerable-adult exception to either Fairview's policy or the HIPAA privacy laws, a fact Girdeen admitted to knowing. The Minnesota Court of Appeals held that "an employee's good-faith belief in the wisdom of her actions is 'irrelevant' when the employee refuses to abide by an employer's reasonable requests."

There was a time when employees committing a HIPAA violation carried little enforcement weight, but those days appear to have passed.

(Girdeen v. Fairview Red Wing Health Servs. Corp., Minn. Ct. App., No. A10-1774, unpublished opinion)


"ATTENTION VIRGINIA I have your sh**!"

In April of 2009 a hacker infiltrated the network of the Virginia Department of Health Professions and stole over eight million patient records and 35 million prescriptions. The hacker posted a note on another site which read:

"ATTENTION VIRGINIA I have your sh**! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :("

The note went on to demand $10 million within seven days, after which he threatened to put the information up to the highest bidder. Virginia officials determined they did have a proper backup and did not pay the ransom. However, Virginia notified only the 530,000 individuals whose records were believed to contain social security numbers rather than all eight million patients affected by the breach. That means almost 7.5 million consumers were not alerted to the risk that their medical data may have been compromised.

In one way Virginia officials were lucky. Had the incident occurred just five months later - after HITECH's breach notification rule went into effect - the Virginia Department of Health would have been required to notify all 8.2 million patients of the incident, and incur the associated costs. Those costs aren't trivial: 2011 estimates suggest a data breach costs $214 per compromised record and averages $7.2 million per data breach event.

Under the HITECH Act, covered entities and business associates must follow the data breach notification reporting obligations when there is a breach of unsecured personal health information (PHI). So what does "secured PHI" look like? The DHHS has issued guidance that amounts to a rather narrow window, as there are only two methods identified that would render patient data unusable, unreadable, and indecipherable: encryption and destruction.

Or looking at this another way, covered entities and business associates that would otherwise be obligated to follow HITECH's breach notification requirements have two "safe harbors" available: encrypting or destroying the data prior to the breach.

Image by simonok at www.sxc.hu.


HITECH Act: When Is a Breach Discovered?

In April of 2011, just as Sony's initial data breach affecting 77 million users came to light, the Verizon Risk Team released its 2011 Data Breach Investigations Report. The entire report is worth a read, but here's the fact that should give health care organizations pause: most breaches (86 percent) were discovered by third parties, not by the organization.

What does that mean in terms of the HITECH Act's Breach Notification requirement? Under the Interim Final Rule currently in effect, breach notifications must be made no later than 60 calendar days after the breach was discovered by the covered entity or its business associate.

Ah, but "discovered" can be a tricky term.

Under HITECH, discovery is defined as the first day on which a breach is known or should reasonably have been known by any officer, employee, or agent of the covered entity.

That means that covered entities must engage in due diligence and have reasonable systems for discovery of breaches in place. This may mean that a minimum level of technical measures capable of discovering breaches should exist, but also that awareness of the issue has been raised among staff through proper training of the risks and consequences of privacy violations.

In the past some organizations may have spent a minimal amount of time and resources on HIPAA training, consisting of a conversation once a year or having an employee watch a fifteen-minute video after being hired. Whether those measures would meet the reasonableness standard of discovery set by HITECH is unclear, but I think that organizations that take shortcuts on training indicate a lack of preparedness in other areas. These organizations are not only more likely to experience a data breach, but also more likely to incur much higher costs if a data breach occurs.

REMINDER: HITECH Breach Notifications Are Still In Effect

The HITECH Act's Final Rule regarding data breach notification requirements was withdrawn last summer shortly after it was issued, partly due to the controversial harm standard that allowed providers to determine which breaches were serious enough to be reported.

But I have recently encountered some confusion as to whether the data breach notification requirements under the previous Interim Final Rule continue to be in force. The text of the announcement on the Office for Civil Rights (OCR) website states “Until such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect.”

That seemed pretty clear cut to me, but just to be sure I sent an email to the ONC for final verification. The response was swift and unequivocal: the Interim Final Breach Notification Rule is currently in effect. Thank you to the kind people at the ONC for such a prompt and clear response.

So if your organization was under the impression that the withdrawal of the Final Breach Notification Rule meant that breach notification was no longer required under HITECH, I'm sorry to be the bearer of bad news. You may have some work to do.


Proposed HITECH Accounting of Disclosures Rule Generates Controversy

The HITECH Act, passed in 2009, made available incentive money through Medicare and Medicaid reimbursements for health care providers to adopt and meaningfully use certified electronic health record technology. To ensure patient privacy and protect the integrity of the electronic medical record, HITECH also strengthened existing HIPAA privacy and security regulations in a number of ways. One of these ways was to seek to hold health care providers accountable by providing patients the right to know how their health information has been used or disclosed.

On Tuesday the first rule toward reaching that goal was proposed by the Department of Health and Human Services, and it is generating some controversy. The proposal would grant the patient the right to request an access report, documenting the specific individuals who electronically accessed and viewed their protected health information (PHI). Physical access of PHI would not be covered. The proposed rule also includes a provision that the health care provider or business associate must detail the reason PHI was disclosed to a third party, such as law enforcement, judicial proceedings and public health.

Not everyone is pleased with the proposed rule's requirements. Some are suggesting that in order for many health care providers to comply, the rule effectively mandates implementing new technology and processes that were previously voluntary. Others suggest these steps should have been taken long ago under existing HIPAA rules.

My take: The proposed rule would be a big change for providers that have not taken the protection of patient data seriously. But the impact of the rule reaches far beyond the practices of health care providers, because the HITECH Act also extended HIPAA's scope to include business associates. That means insurance companies, vendors and other third party associates must also be able to account for how they disclose patient data. For organizations that were not governed by HIPAA until 2009, this may represent a significant change in business practice. The one caveat is that the patient rights only apply to PHI maintained in a designated record set as defined in 45 CFR §164.501. Business associates that possess patient data not part of a designated record set need not account for the disclosure.

It will be interesting to see how this plays out. Even if the rule isn't passed as written, health care providers need to take a hard look at the systems in place to protect patient data because this issue isn't going away.

Image credit: kilokilo at www.sxc.hu.

Audit Shows General Health IT Security Lacking

Wrapping up this week's discussion on encryption, I present a May 17 report from the Department of Health and Human Services Office of the Inspector General (OIG).

The report analyzes specifications published by the Office of the National Coordinator for Health Information Technology (ONC), which is charged with leading the implementation of an interoperable health information technology infrastructure.

The specifications reviewed included both the interim specifications released in January of 2010 and the final rule released in July. With the increased adoption of Electronic Health Records (EHRs), IT security has become more important than ever. But the OIG suggests the ONC's security standards come up short in several key areas, such as:

  • Encrypting mobile devices,
  • Requiring two-factor authentication when remotely accessing an HIT system and
  • Keeping computer systems and their virus scans current.

In my opinion, the OIG's audit is absolutely correct. These are basic IT security considerations (or should be) that need to be factored into any comprehensive security plan.

But implementing such procedures is like herding cats in a thunderstorm . . .


The Ins and Outs of Encryption

Yesterday I mentioned that encrypting data often is considered a safe harbor when a data breach results in the loss of information that would normally trigger breach notification requirements. Today, we discuss encryption in a little more detail.

Data at Rest and Data in Motion

When considering encryption from a technical perspective, the first step is to determine the environment in which the data exists. For example, data stored on external hard drives, USB sticks, or PDAs would be considered Data at Rest. Securing data at rest may require encrypting the entire medium it resides on, such as a hard drive or USB drive. This is called whole-disk encryption, and is often used on laptops checked out of organizations. Alternatively, data at rest may also be secured by encrypting a single folder or file. The appropriate encryption solution varies depending on its environment, the amount of data to be secured and the type of storage device on which it is stored.

If the data needs to be encrypted over a company network or the Internet, it is considered Data in Motion. Data in motion is most often secured by connecting over the SSL (Secure Sockets Layer) protocol, recognizable to the end user by the "https://" displayed in the web browser.

NIST Standards

When considering the implementation of encryption from a legal perspective, your best bet is to start with the standards established by the National Institute of Standards and Technology (NIST):

Data at Rest: NIST 800-111. This publication discusses full disk encryption, virtual disk and volume encryption, and file/folder encryption.

Data in Motion: NIST 800-52.

Check out NIST's site for additional publications, including their recent Cloud Computing Synopsis and Recommendations draft.


Minnesota's Data Breach Notification Law


Earlier this month, President Obama proposed a federal breach notification bill designed to inform those who may be at greater risk of fraud or identity theft due to the loss of personal information. But there is already a breach notification law on Minnesota's books that I suspect is frequently ignored: 325E.61.

The Minnesota law says in part that "any person or business that maintains [personal] data . . . shall notify the owner . . . of any [security] breach . . . immediately following discovery, if the personal information is reasonably believed to have been acquired by an unauthorized person."

So, what exactly is personal information? For the purposes of the statute it is an individual's first name or first initial and last name in combination with:

(1) a Social Security number;
(2) driver's license number or Minnesota identification card number; or
(3) account number or credit or debit card number, in combination with any security code such as a PIN.

There's more to the law, but that's the gist of it.

But 325E.61 does provide a safe harbor: encryption. If the data is encrypted, notifications are not required. This has been a common thread among federal and state breach notification requirements, as well as contractual obligations with credit vendors through the PCI-DSS standards.

So encrypt your data, folks. Tomorrow we will talk about what exactly "encryption" means.

Image credit: s-s at www.sxc.hu.


TED Talk: Redesigning Medical Data

If you have fifteen minutes or so and are interested in health care, watch this basic yet thought-provoking video. From the tagline: Your medical chart: it's hard to access, impossible to read -- and full of information that could make you healthier if you just knew how to use it. At TEDMED, Thomas Goetz looks at medical data, making a bold call to redesign it and get more insight from it.

My perception is that we have an opportunity to address several of these concerns through the movement toward Electronic Health Records. Some question whether a patient having only a partial understanding is worse than one that has no understanding at all, but I'm not among them. The patient/doctor relationship shouldn't be passive, and an informed patient is a critical part of that process.


NIST to release HIPAA toolkit


Health care providers will love to see this contribution from the National Institute of Standards and Technology (NIST). Implementing the security measures necessary to protect the integrity of electronic health records is a MAJOR challenge in the shift toward EHRs. The legal ramifications of unsecured medical data are complex as hospital compliance officers try to handle a horde of state privacy requirements as well as HIPAA and HITECH.

It's a downloadable interactive application that poses a series of questions and offers activities regarding 42 implementation specifications for the HIPAA security rule, says J.P. Chalpin, director of engineering at Exeter. A prototype already includes some 1,000 questions organized in what amount to decision trees that point the user to appropriate issues to resolve.

Much work lies ahead. Just a couple of years ago fewer than 20% of hospitals had any form of EHR in place. That is changing fast, however, and providers need to be aware of the security responsibilities that come with the new format. I'm confident the end result - better sharing and collaboration of data on both individual and aggregate levels - will be worth it.