Jail Time for Man Who Accessed Computer of a Competing Medical Practice

Posted on January 24, 2012 by Colin J. Zick

An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients. The individual made this improper access in order to send marketing materials to patients at the other practice.

The individual worked as an information technology specialist for a perinatal medical practice in Atlanta. He separated from employment from the first practice and joined a competing perinatal medical practice, located in the same building. He then used his home computer to hack into his former employer's patient database. He downloaded the names, telephone numbers, and addresses of his former employer's patients and then deleted all the patient information from their system. He subsequently used the patient names and contact information to launch a direct-mail marketing campaign for the benefit of his new employer. Even so, there was no evidence that patient medical information was accessed or misused.

United States Attorney Sally Quillian Yates said, “Anyone who gives their personal information to a doctor or medical facility does not expect that their information will be hacked and used to make money. The cost of medical care is already high enough without patients having to pay a heavier cost with the loss of their privacy. This is cybercrime. Electronic information is bought, sold and stolen, often by someone who knows a system and, with a few keystrokes, makes our community vulnerable.”

McNEAL was sentenced to 1 year, 1 month in prison to be followed by 3 years of supervised release, and ordered to perform 120 hours of community service. McNEAL pleaded guilty to the charge on September 28, 2011.

Tags: Cybersecurity & Cybercrime, Data Breach, Government Enforcement, HIPAA, Healthcare Industry Spotlight, computer, download, medical practice

HIPAA Breaches Reported to OCR Near 300

Posted on July 11, 2011 by Colin J. Zick

When we last looked at OCR's reporting on HIPAA breaches impacting 500 or more individuals, back in May 2011, there had been 265. This was up from September 2010, when there had been 191 such breaches. As of today, there as 292 listed. Given that the last reported date of breach on the OCR's list is May 8, there are surely over 300 breaches that have now been reported.

Tags: 500, Data Breach, HIPAA, Healthcare Industry Spotlight, Legislation & Regulation, OCR, breach

Another Big HIPAA Settlement: The UCLA Health System Settles for $865,000

Posted on July 8, 2011 by Colin J. Zick

In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules. This follows on the heels of Massachusetts General Hospital's $1 million settlement with OCR.

The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without legitimate reasons looked at the electronic protected health information of these patients. OCR's subsequent investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.

The corrective action plan requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years. All in all, a very expensive proposition for UCLAHS.

Tags: Data Breach, Government Enforcement, HIPAA, Healthcare Industry Spotlight, Legislation & Regulation, Retail Industry & Customer Information Spotlight, UCLA, breach, celebrity, employee, privacy, security

Facebook Posting about Patient=HIPAA Violation=Physician Sanctions

Posted on May 12, 2011 by Colin J. Zick

The case of Dr. Alexandra Thran should cure any physician of the desire to discuss a patient on Facebook. Dr. Thran has been reprimanded by her state's Medical Board and lost her emergency room privileges. Although the posting in question did not list the patient’s name, Dr. Thran provided enough details so that at least one other person could identify the patient. The result was irreparable damage to her career.

In an article in the most recent Annals of Internal Medicine discussing this case, the author referred to Facebook as the “new elevator.” Those familiar with hospitals will recall the ever present signs reminding health care providers to take care about what they say on elevators. Whether you are in health care or in another industry, it is important to remind employees that what they say online is not private and that even when they do not name people by name, dots can be connected and that repercussions of doing so can be significant.

Tags: Facebook, HIPAA, Healthcare Industry Spotlight, Thran, patient, physician

Big HIPAA Breaches Now Number 265

Posted on May 2, 2011 by Colin J. Zick

When we last looked at OCR's reporting on HIPAA breaches impacting 500 or more individuals, back in September 2010, there had been 191 such breaches. In the intervening 7 months, that number has jumped to 265 such breaches listed on OCR's website. It's safe to expect these figures will continue to climb for the foreseeable future.

Tags: 500, Data Breach, HIPAA, Healthcare Industry Spotlight, Legislation & Regulation, OCR, breach

Data Security and Privacy for Medical Device, Pharmaceutical and Life Sciences Companies

Posted on March 29, 2011 by Colin J. Zick

Earlier today, I delivered a presentation on "Data Security and Privacy for Medical Device, Pharmaceutical and Life Sciences Companies: How to manage your obligations under HIPAA, the HITECH Act and other federal and state data privacy and security laws" with colleagues Ara Gershengorn and Sarah Altschuller.

Tags: HIPAA, HITECH, Healthcare Industry Spotlight, Legislation & Regulation, Life Sciences, Medical Device, Pharmaceutical, Retail Industry & Customer Information Spotlight, Security Programs & Policies, privacy, security

What Is Inside Mass General's $1 Million HIPAA Settlement?

Posted on March 13, 2011 by Colin J. Zick

As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement and Corrective Action Plan with the Department of Health and Human Services' Office of Civil Rights. This settlement stemmed from an incident on March 9, 2009, when a MGH employee was commuting on the subway, "removed documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. These documents contained the PHI of 192 individuals." There was, however, no indication that any of the PHI was ever used in any way.

While the $1 million penalty is an attention-grabber, the elements of the Corrective Action Plan are also likely to be at least as costly and will be very burdensome. They include:

three (3) years of reporting obligations from MGH to OCR;
adoption of new policies that OCR must review and approve;
training on these new policies that OCR must review and approve;
retention of a monitor who will conduct:
- unannounced site inspections of MGH’s locations/departments/practices;
- interviews with any members of the workforce who use PHI;
- interviews with any members of the workforce involved in implementing the safeguards required by the CAP;
- inspection of a sample of laptops and USB flash drives that contain ePHI and are under the control of workforce members to ensure that such devices satisfy all applicable requirements of the Policies and Procedures; and
- inspection of relevant documents and interviews with workforce members for the purpose of confirming consistent training, implementation, and enforcement of the Policies and Procedures among workforce members.
submission of semi-annual monitor reports;
self-reporting of any "significant violations" of the CAP;
submission of an implementation report after 120 days of the CAP; and
annual reports to the monitor, which will be passed on to OCR.

This is a pretty heavy burden to carry around for three years. In fact, the CAP looks much more like a Corporate Integrity Agreement of the type entered into by a pharmaceutical manufacturer after a health care fraud settlement. I suspect that is precisely the message that OCR wanted to send.

Tags: Corrective Action Plan, Data Breach, Government Enforcement, HHS, HIPAA, Healthcare Industry Spotlight, Legislation & Regulation, MGH, Mass General, Massachusetts General Hospital, OCR, Office of Civil Rights, Resolution Agreement

HHS Fines Cignet Health $4.3 Million for HIPAA Violations

Posted on February 22, 2011 by Colin J. Zick

Earlier today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS imposed a civil money penalty (CMP) of $4.3 million for the violations, representing what OCR said was "the first CMP issued by the Department for a covered entity’s violations of the HIPAA Privacy Rule." The CMP is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

According to the HHS press release, in a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations was$1.3 million.

HHS also concluded that during the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means. OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The CMP for these violations was $3 million.

Tags: CMP, Cignet, Government Enforcement, HIPAA, HITECH, Healthcare Industry Spotlight, fine

Public Discussion on Confidentiality and Privacy Issues Related to Psychological Testing

Posted on September 8, 2010 by Colin J. Zick

The Substance Abuse and Mental Health Services Administration ("SAMHSA"), in close cooperation with the Department of Health and Human Services Office for Civil Rights ("OCR"), is conducting a study of the “Confidentiality and Privacy Issues Related to Psychological Testing Data.” This study was specifically called for in section 13424 of the Health Information Technology for Economic and Clinical Health ("HITECH") Act.

HIPAA’s Privacy Rule includes special protections relating to the use and disclosure of psychotherapy notes; this SAMHSA study will address whether these special protections also be applied to test data that is related to direct responses, scores, items,forms, protocols, manuals or other materials that are part of a mental health evaluation.

To this end, SAMHSA has announced a regional public meeting in Chicago, Illinois,on October 7, 2010, to give the public a chance to learn about this issue and express opinions. Registration is necessary, but there is no charge for attending. Another regional meeting will beheld this year in Los Angeles in late November or early December. The meeting is designed for mental health professionals, consumers, health care providers and health plans, agency administrators, health information technology experts, and test developers

The significant concepts and issues being addressed in this project include:

· What activities and information are considered the “test data” that is part of a mental health evaluation? What are the relevant distinctions among test materials, raw data, and reports or assessments with respect to the level of protection currently afforded and/or otherwise necessary?

· Does the individual (i.e., the subject of the test data) need to know, or have an interest in, inspecting or obtaining a copy of such information?

· Are there circumstances under which test data should be disclosed to third parties?

· Should the individual’s authorization be required prior to such a disclosure? To whom should test data be released?

· How would affording mental health test data a higher level of protection affect the workflow in medical, behavioral health, or psychological practices? Are there any additional implications with respect to clinical integration efforts and the increasing availability of mental health services in general health care settings?

· How is the issue of greater protection for test data affected by State and Federal laws other than HIPAA?

· In light of the increasing reliance on electronic health records and the exchange of electronic health data, what are the implications of setting more stringent requirements for the use and disclosure of test data?

Small groups will consider these and other central questions following brief presentations by SAMHSA’s and OCR’s study team.

Tags: HIPAA, Legislation & Regulation, OCR, SAMHSA, breach", data, psychotherapy notes, testing

HHS Proposes Major Changes to HIPAA Privacy, Security and Enforcement Rules

Posted on July 14, 2010 by Colin J. Zick

We are reproducing here our July 12, 2010, Security & Privacy Alert, written by Colin J. Zick and Maia M. Larsson

On July 8, 2010, the Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking (“NPRM” or “proposed rule”)¹ modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Enforcement Rules² pursuant to the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which was enacted February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5. The NPRM will be published in the Federal Register on July 14. Stakeholders will have 60 days from the date of publication to submit comments on the proposed rule to HHS.

Overview

The proposed modifications in this NPRM are intended to implement recent amendments made under the HITECH Act and to “improve the workability and effectiveness” of the HIPAA Rules. In the NPRM, HHS describes section-by-section how the proposed regulatory changes would implement provisions of the HITECH Act. In addition, HHS has proposed technical corrections and other modifications to enhance the effectiveness of the Rules.³In summary, the proposed changes include:

Extending to business associates many of the requirements in the Privacy and Security Rules;
Establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes;
Restricting the disclosure of protected health information (“PHI”) to health plans;
Expanding individuals’ rights to access their information; and
Expanding HIPAA’s enforcement of privacy and security provisions.

Proposed Amendments to the Privacy Rule

With specific regard to “business associates,” HHS’s proposed rules confirm the extension of HIPAA privacy and security rules to them (essentially making “business associates” into “covered entities.”) HHS also seeks to modify the definition of “business associate” to conform with its statutory definition and to provide clarification on circumstances that would give rise to a business associate relationship. For example, HHS proposes to add patient safety activities to the list of functions and activities that would give rise to a business associate relationship if a person undertook those activities on behalf of a covered entity. Id. at 19. In addition, several types of organizations that did not exist when the HIPAA regulations were finalized a decade ago, such as a Health Information Exchange Organization, E-prescribing Gateway, or Regional Health Information Organization, will be treated as business associates. Id. at 20.

In an expansion of HIPAA beyond even the provisions of HITECH, HHS proposes to add that subcontractors (“those persons that perform functions for or provide services to a business associate”) to the definition of a business associate. Id. at 22. This has the potential to extent HIPAA to many entities not covered previously.

HHS discusses the new HITECH Act requirements affecting the Privacy Rule and proposes further regulatory changes including changes related to the definition of “marketing” and use and disclosure rules for PHI applicable to business associates. See id. at 64-82. To address the concern by covered entities and business associates regarding administrative burdens and costs related to implementing revised contracts around new proposed regulations, HHS proposes to allow covered entities and business associates (and their subcontractors) to continue operating under their existing contracts for up to one year beyond the compliance date of the revisions to the Rules. See id. at 87-88.

Regarding the use and disclosure of PHI where valid authorization is required, the proposed rule would add an addition circumstance to the existing two circumstances in current regulations where such authorization is necessary. Currently, authorization is required for (1) most uses and disclosures of psychotherapy notes; and (2) uses and disclosures for marketing. In accordance with the third circumstance added by the HITECH Act – the sale of PHI – HHS proposes to add a new section to the regulations that would require a covered entity (or business associate) to obtain authorization for disclosure of PHI that is in exchange for director or indirect remuneration, unless a specified exception applies. See id. at 91-99.

Proposed Amendments to the Security Rule

HHS proposes a number of changes to the Security Rule including technical modifications as well as modifications to references to business associates, administrative safeguards, and organizational requirements. See id. at 56-64.

Effective Date and Compliance Period

Although most of the provisions of the HITECH Act already became effective February 18, 2010, HHS recognized that it will be difficult for covered entities and business associates to comply with the statutory provisions until after HHS has finalized its changes to the HIPAA Rules. As such, HHS intends to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with “most of the rule’s provisions.” Id. at 13. This proposed 180-day compliance period, however, will not apply to the HIPAA Enforcement Rule “because such provisions are not standards or implementation specifications,” and thus, these provisions will be in effect and apply at the time the final rule becomes effective or as otherwise provided. Id. at 15.

¹HHS “Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act” (July 8, 2010) Display copy, available here [hereafter, “HHS NPRM”].

² Note: “Privacy Rule” refers to the Standards for Privacy of Individually Identifiable Health Information; the “Security Rule” refers to the Security Standards for the Protection of Electronic Protected Health Information; and the “Enforcement Rule” refers to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings, issued under HIPAA.

³ Several sections of the HITECH are not discussed in detail in these regulations either because they have been the subject of previous rulemakings (e.g., breach notification), or will be the subject of future rulemakings (e.g., accounting for disclosures requirement, and the penalty distribution methodology requirement.)

Tags: HIPAA, HITECH, Healthcare Industry Spotlight, business associate, regulations, subcontractor

Compliance Week's "Must-Read: Major HIPAA Changes Out For Comment"

Posted on July 9, 2010 by Colin J. Zick

I shared some of my initial thoughts about the new HITECH/HIPAA regulations with Melissa Klein Aguilar for her blog, "The Filing Cabinet," in today's on-line edition of Compliance Week.

Tags: Compliance Week, HIPAA, HITECH, Healthcare Industry Spotlight, Melissa Klein Aguilar, regulations

HHS Issues a Notice of Proposed Rulemaking to Modify the HIPAA Privacy, Security, and Enforcement Rules

Posted on July 8, 2010 by Colin J. Zick

Earlier today, the Department of Health and Human Services announced proposed modifications to the HIPAA Privacy Rules, calling them the most significant changes in HIPAA since 2003, when the HIPAA Security Rules were adopted. The propose changes include:

provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities;
establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes;
prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans; and
expanding HIPAA’s enforcement provisions to business associates.

HHS intends to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s standards (but apparently that additional time does not extend to its proposed enforcement provisions).

The public is invited to comment on the provisions of the proposed rule for 60 days following publication in the Federal Register at Regulations.gov.

We are still reviewing the 234 pages of proposed regulations and will have more to say about them shortly.

Tags: HIPAA, HITECH, Healthcare Industry Spotlight, business associate, notice of proposed rulemaking, regulations

Connecticut Attorney General Reaches First State HIPAA Settlement with Health Net

Posted on July 7, 2010 by Colin J. Zick

On July 6, 2010, Connecticut Attorney General Richard Blumenthal announced a settlement with Health Net and its affiliates (Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans.) of a suit that cited failure to secure private patient medical records and financial information on nearly a half million Connecticut enrollees and promptly notify consumers endangered by the breach.

The settlement marks the first action by a state attorney general for violations of HIPAA since the Health Information Technology for Economic and Clinical Health ("HITECH") Act authorized state attorneys general to enforce HIPAA. The settlement includes two years of consumer credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes. Under the settlement, Health Net and its affiliates also agreed to:

· A “Corrective Action Plan” in which Health Net is implementing several measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.

· A $250,000 payment to the state representing statutory damages.

· An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.

Tags: Government Enforcement, HIPAA, HITECH, Health Net, Richard Blumenthal, enforcement, settlement

Update on HIPAA Business Associate Regulations -- OCR Says They Still Aren't Ready, Gives No Date

Posted on March 18, 2010 by Colin J. Zick

In a notice apparently posted March 17, 2010, the Office of Civic Rights of the Department of Health and Human Services ("OCR") acknowledged its delay in issuing regulations for HIPAA business associate agreements. Those regulations are now a month overdue and from OCR's language, they do not appear imminent:

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act. These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

(Emphasis added.) What does seem clear from this notice is that OCR enforcement of the underlying law is not imminent and that more guidance on that will come when the regulations are issued.

Tags: HIPAA, HITECH, Legislation & Regulation, OCR, business associate, regulations

HIPAA Breach Notification Made Simple -- Just Fill in the Blanks

Posted on December 7, 2009 by Colin J. Zick

The Department of Health and Human Services’ Office of Civil Rights (“OCR”) has tried to make a HIPAA security breach easy to report, with its newly-released online “Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information.”

The online form is straightforward, featuring pull-down options tied to the new HITECH rules: it will let you report whether your breach is for more than 500 individuals (or fewer than that), the type and location of the breach, etc. OCR estimates the form will take 15-30 minutes to complete.

Interestingly, the form does not require a statement on penalty of perjury from the submitting party, only a statement that “I attest, to the best of my knowledge, that the above information is accurate.” This could be seen to be an attempt to encourage reporting, by not saddling breach reporters with potential liability for making false statements to the government. However, it would also seem to encourage anonymous reporting, via the use of an alias.

Tags: Data Breach, HIPAA, OCR, breach reporting

Massachusetts Court Holds Disclosure of Patient Records Does Not Violate HIPAA or State Consumer Statute

Posted on October 22, 2009 by Colin J. Zick

In Mercier v. Courtyard Nursing Care Center, 2009 WL 1873746 (Mass. Super. Ct. Jun. 11, 2009), a resident of a nursing home sued the home in Massachusetts Superior Court for negligence after being assaulted by another resident. The injured resident moved to obtain medical records maintained by the home regarding the resident who had allegedly committed the assault. The home contended that disclosure of the records would violate both HIPAA’s prohibition on disclosure of medical records without a patient’s authorization and Mass. Gen. L. ch. 93A, the Massachusetts unfair and deceptive practices statute.

The court, however, held HIPAA permitted disclosure of medical records “in the course of a judicial proceeding,” including in response to a court order, subpoena or discovery request. The court further observed that, although a Massachusetts regulation states that unauthorized release of a patient’s personal or medical record violates ch. 93A, the regulation contains a specific exception for disclosures “required by law.” The court held that disclosure pursuant to a court order requiring production of records constituted such a disclosure. The court also held that the sought-after records were likely to lead to admissible evidence regarding defendant’s knowledge of the alleged propensity for violence of the resident who had committed the assault and therefore ordered production of the records. [Thanks to Foley Hoag's Eric Haskell for this entry.]

Tags: 93A, HIPAA, Healthcare Industry Spotlight, consumer protection, court order

Incident of the Week: Russian Company Proves That WiFi/Wireless Networks No Longer Secure

Posted on October 15, 2009 by Gabriel M. Helmer

ElcomSoft Co. Ltd., a Moscow-based "password recovery" company, has announced that its software can make an encrypted wireless network accessible using only a PC and the innovative computing power of consumer graphics cards from Nvidia. This software would appear to allow anyone to intercept internet traffic over wireless networks encrypted with the WPA or WPA2 algorithms. British security consultancy Global Secure Systems says that this is "extremely worrying" and has indicated that this means that WiFi networks are no longer secure.

Decrypting wireless traffic by guessing the encryption key, a "brute force" decryption, has been a possibility for some time; however, the computing power of most personal computers has prevented this from becoming a realistic threat (e.g., a computer attempting to guess the right password might take months or years to guess correctly). New leaps in computing power has changed this landscape. Computer graphics card companies like Nvidia have opened up the computing power bottleneck by allowing developers to run programs on high-powered parallel processors used in consumer graphics cards. The end result is that buying a new video card and a $1,200 software package reportedly could speed up a brute force decryption 10,000 percent (and the same graphics card will let you play the newest PC games and speed up a variety of other, more innocent applications like Adobe Photoshop). As a result, our use of wireless networks, everything from passwords to email, could be intercepted and decrypted relatively easily.

David Hobson of Global Secure Systems indicates that anyone with a high-end graphics card has “a machine capable of tumbling wireless keys out of the ether and decrypting them in a matter of hours rather than months." In an interview with SC Magazine, Hobson takes the view that additional security measures, such as running an encrypted VPN (Virtual Private Network), are now necessary to comply with the UK Data Protection Act. Similarly, U.S. companies in the EU Safe Harbor Program or complying with U.S. information security rules, such as Gramm Leach Blilely Act regulations, HIPAA or federal and state identity theft rules, need to consider whether their wireless networks are appropriately secured against this threat. Businesses transferring regulated information on WiFi networks may need to adjust their information security programs and practices accordingly.

Links:

Tags: Data Protection Act, David Hobson, ElcomSoft, Encryption, GLBA, Global Secure Systems, HIPAA, Incident of the Week, Safe Harbor Program, WiFi, password, wireless

Adding to the Patchwork: HITECH Act Sets New "Floor" for Data Breach Notification of Certain Patient Information

Posted on February 19, 2009 by Ramzi Ajami

On Tuesday, February 17, 2009, President Obama signed into law the widely-debated federal economic stimulus package, officially titled the American Recovery and Reinvestment Act of 2009, and with it, enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Much of the media attention on the HITECH Act has focused on the policies promoting health information technology a topic that President Obama touted throughout his campaign. However, the HITECH Act also contains myriad regulations that expand the security and privacy provisions of the Health Information Portability and Accountability Act of 1996 ("HIPAA"), and generally extends some of those regulations to non-HIPAA-covered vendors of personal health records and their business partners.

If you are hoping that federal lawmakers have used the HITECH Act to finally set a national standard for patient medical information, however, you will be disappointed.

The HITECH Act, like HIPAA, preempts any contrary state laws, but leaves intact any state laws and regulations that impose stricter requirements on the handling of patient information. As a practical matter, this means that if you are covered by HIPAA and the HITECH Act you must meet new minimum standards while continuing to monitor and comply with the ever-increasing patchwork of laws governing patient information in every state in which you operate.

What follows is a more detailed discussion of the provisions of the HITECH Act and how it attempts to provide additional security for patients' health information.

A prime example of these "patchwork" state laws are recent security breach notification requirements that regulate personal information. If the medical records that you manage also contain social security numbers or financial account information (data that state laws typically recognize as "personal information"), both the HITECH Act and this patchwork of state laws may govern. Currently, forty-four states (including the District of Columbia, the Virgin Islands and Puerto Rico) have enacted some form of a notification requirement for data breaches of personal information. (The six states without laws on their books are Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota.) However, the definition of "personal information," and the extent, substance, and timing of notification vary from state to state. As a result, data breaches involving patient information can be subject to a wide variety of federal and state law. While the HITECH Act raises the bar, it does little to unify this area of law.

The HITECH Act provides a "floor" for notification requirements regarding any security breach of patients' "unsecured protected health information." The definition of "protected health information" (or "PHI") is imported from HIPAA, and generally includes any part of a patient's medical record or payment history. The definition of "unsecured" PHI is broadly defined and generally means any PHI that is not secured by technology rendering that information unreadable or unusable in an accredited manner. The Secretary of Health and Human Services has been charged with issuing more definite guidance within 60 days.

The HITECH Act's security breach notification requirements specify the timing, manner, and substance of any breach notification, among them:

notifying the Secretary of Health and Human Services "immediately" if the breach is with respect to 500 or more individuals;
notifying each individual whose unprotected health information is reasonably believed to have been accessed, acquired, or disclosed as a result of the breach;
providing notice to prominent media outlets in each State where the unsecured protected health information of 500 or more residents is reasonably believed to have been accessed, acquired, or disclosed as a result of the breach;
completing all notifications to affected individuals and media, if applicable -- "without unreasonable delay and in no case later than 60 days," unless delayed notification is authorized for certain law enforcement purposes (so as not to "impede a criminal investigation or cause damage to national security");
specifying in each notification to an individual a description of what happened, the types of information believed to have been accessed, and contact procedures for affected individuals to ask questions or learn more information; and
requiring all affected entities to provide the Secretary of Health and Human Services an annual log tracking every breach.

While all affected entities will need to update their notification protocol to comply with these requirements, affected entities in those six states that do not require data breach notification (Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota) will have some significant catching up to do.