HITECH Risk for LTC Data Systems
At a glance…
Compromising resident data-health, insurance, and financial-could result in undetected identity theft. Policies must be developed and enforced to guard Protected Health Information.
Nearly all long-term care provider organizations use one or more computer systems to support their clinical and business operations. Indeed, all nursing facilities are required to encode and transmit sensitive personal health data for all residents using the Minimum Data Set (MDS); all home health agencies must encode and transmit similar information for all Medicare residents using the OASIS system. Nearly all providers must encode and transmit claims and financial data, often required by payors and state regulatory agencies. Compromise of these data to unscrupulous parties invites identity theft that would be very difficult to detect and correct.
If the data that leads to such theft came from a computer controlled by an organization or a business partner, there are now severe consequences to the organization-and the business partner! A new act packaged with the stimulus bill specifies the notification requirements, the penalties for breaches, and extends the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to business partners. The act also provides a safe harbor if organizations take specific precautions.
To protect everyone whose medical/health records are stored on computers, the Health Information Technology for Economic and Clinical Health (HITECH) Act of the American Recovery and Reinvestment Act of 2009 (AARA), commonly referred to as the stimulus bill, requires notification of all parties whose information has been compromised by unauthorized release. If the entities subject to the regulations apply the technologies and methodologies specified by the National Coordinator for Health Information Management and the Centers for Medicare & Medicaid Services they will not be required to provide the notifications otherwise required by the regulations in the event the information is breached. The reason for not requiring notification is simple-the data will be in a form that will be unusable, unreadable, or indecipherable to unauthorized parties through encryption and other safeguards. The standards for encryption are those that are consistent with the National Institute of Standards and Technology (NIST.) NIST has published the Guide to Storage Encryption Technology for End User Devices. A second methodology is to destroy the paper or electronic media in a manner that Protected Health Information (PHI) cannot be read or reconstructed. Destruction should be performed using techniques consistent with NIST standards. NIST has published Guidelines for Media Sanitization. Both documents are available for free download from NIST at https://www.nist.gov/index.html.
If a breach of data occurs that has not been secured as above, the covered entity must notify all affected individuals not later than 60 days after the breach is discovered. If more than 500 individuals’ PHI has been compromised, the media and the Secretary of the Department of Health and Human Services (HHS) must be notified of the breach. If the breach occurs by a business partner, the covered entity must still make the notifications. Clearly, complying with the encryption and destruction standards would save massive complications for providers
PHI must be secured both at rest and in use. Remember the definition of PHI includes data on paper that is stored or created electronically. Data in use includes access by users and transmission to other entities. Data breaches could consist of breaking into the computer network; unauthorized viewing of PHI; losing or stealing a laptop, thumb drive, or PDA; interception of data on an unsecured wireless network; misplacing a backup media; an e-mail or fax going astray; and any number of other scenarios. To mitigate risk, PHI must be secure at all times. The HITECH Breach Rules were effective September 23, 2009. The text of the HHS rule is available at https://edocket.access.gpo.gov/2009/E9-9512.pdf. HHS has said it will not enforce sanctions for noncompliance until 180 days after the publication of the rule (August 24, 2009). Breaches discovered after the September 23 date must result in notification of affected individuals.
Applied to LTC computer systems
The HITECH Act does not require encryption of PHI. However, it does require notification if breached data is not strongly encrypted or destroyed in compliance with specified standards. These safe harbor provisions may be met by the covered entity’s computer system and security practices to provide cover from severe civil monetary penalties. Willful neglect (newly introduced in the HITECH Act) carries up to a $1.5 million penalty. The following considerations should be addressed by organizations that wish to take advantage of the safe harbor provision.
Today’s nursing home and home care information technology (IT) approaches encompass several alternate architectures, often more than one in a facility. Some are based on very old (in data processing terms) technology that may not be capable of meeting the specified encryption standards. Other new technology may engender other risks since data is constantly in motion, and is at rest outside of the facility or agency. Administrators and IT staff must assess the risks of their systems, plan for mitigation, and ensure business associates do their parts. Taking advantage of the benefits of the safe harbor provision may require changes in operations and possibly replacement of components or whole systems.
Access to PHI by support technicians is a risk in all architectures. The vendor must be able to troubleshoot issues; however, all PHI a vendor acquires as part of the maintenance must be logged, protected, and destroyed in accordance with agreed upon policies and procedures. Any technician access must be time limited and, ideally, performed under the supervision of facility IT staff. Vendors should give written assurances that there are no “back doors” or other avenues of unauthorized access into their software or databases.
The following discussion of alternative architectures must be amplified by the need for operational security in all settings. All devices used by an organization must have any PHI residing on them protected. Policies must be developed and enforced to protect all spreadsheet and local database applications that use PHI, or prohibit their use. Passwords must be controlled and changed according to good practice, and an absolute prohibition against sharing passwords must be enforced.
Stand-alone wired systems
Small operations may have a simple system of a PC or a small wired network that is dedicated to the operation. Facilities must work with their vendor to ensure their data is secure at rest and in use according to both HIPAA and HITECH standards. In most cases, the data at rest can be protected through database encryption for some databases such as Oracle or MS SQL. Other databases such as ACCESS may not meet the NIST standards, but can still be protected with hardware encryption of the hard drive.
The use of removable data storage, including floppy, CD, DVD, USB hard drives, and data sticks must be controlled. Data copied to media that may leave the control of the organization should be encrypted according to NIST guidelines. Backup media stored offsite should be encrypted and stored in an appropriate secure location. Rigid backup policies must be in place to meet the data availability HIPAA requirements.
Wired systems can include laptops and personal data assistants (PDAs). If your system does, consider the risks in the next section as well.
A part of the risk assessment review should be verification of vendor-supplied encryption. Specifically, if the key is stored along with the data (common when a product is in Wake-on-LAN mode), the data protection may be less than the NIST guidelines require. All workstations connected to the system should be assessed and protected as appropriate.
Stand-alone wired and wireless systems
All of the above plus: Wireless systems expand the risks of compromise of PHI through theft of data in use if the network is not strongly encrypted. In addition, wireless devices are almost always portable and usually contain a data storage component. PHI can be breached if a device is lost or stolen. Hard drives can be protected through whole disk encryption or, in some cases, by boot sector and hard disk passwords. However, to be compliant with the NIST guidelines, encryption may be required.
Wide Area Network systems
The latest architecture is Internet-based systems in which the programs and data are stored on servers accessed through Internet connections. This architecture provides many benefits to users, but also introduces some additional points of vulnerability. Backups are performed at the server, program updates are simplified, and hardware requirements at the facility are reduced.
All remote systems require high-speed, reliable, and secure communications. Ideally, all PHI is encrypted at the source before transmission by secure socket technology, and results returned encrypted to the facility to eliminate compromise during transmission. The HITECH Act now subjects vendors (who must be classed as business associates) to many of the HIPAA security and privacy requirements. Verify that the protocols used by vendors comply with the NIST guidelines.
System designs vary on the amount of local processing vs. server processing that takes place. Some systems store temporary recovery data locally in the event of communications failure to enable continued operation. Only the vendor knows for sure what is where. Include the vendor in the risk assessment and verify the security of any PHI that resides in the facility.
Steps to take
Develop, implement, and enforce a Breach Notification policy and process. This must include procedures intended to discover breaches. Remember that breaches discovered after September 23, 2009, must result in notification of individuals affected.
Update Notice of Privacy Practices to reflect changes in privacy and security policies.
Update HIPAA privacy and security policies to reflect the HITECH requirements.
Update staff training on privacy and security policies and procedures.
Expand business associate lists to include vendors and others with access to PHI.
Modify all business associate agreements to include the business associates’ increased responsibilities under HIPAA. Formerly, business associates were not included in HIPAA. Now they are directly subject to many of the HIPAA privacy and security requirements. Covered entities should verify that business associates will satisfy the new HIPAA/HITECH requirements.
Consider specifying that the business associate agrees to meet the NIST guidelines by a specific date, and then get assurances in writing on that date that their systems comply with those guidelines
Perform a new in-depth risk analysis of all locations of PHI at rest and in use for the covered entity. Remember that paper derived or generated from computer sources must be handled as PHI and protected and/or destroyed in accordance with NIST guidelines.
Several vendors of nursing home computer systems are based outside of the United States. Recommend facilities verify with legal counsel that the contracts with business associates based outside of the United States contain appropriate language regarding compliance and responsibility for protecting PHI according to HIPAA and HITECH standards to protect the facility in the event of a breach.
Cost of compliance or not
Complying with the HITECH requirements of the stimulus bill requires effort and will affect operations. Systems may have to be replaced, remote support may be more complicated, and administrative and staff time will be consumed. Not complying may result in breaches of personal information leading to identity theft and significant additional costs and embarrassment to the facility or agency that chooses not to comply. Doing nothing is not an option: Willful neglect carries the most severe penalties.
Disclaimer: The issues raised in this article have serious implications for providers of long-term care (covered entities) and their business partners (vendors). We strongly recommend obtaining competent legal counsel regarding these issues and assessing/mitigating the attendant risks. Some states have additional requirements that may also need to be met. This article is not to be relied upon as legal advice.
To send your comments to the editor, e-mail firstname.lastname@example.org
Topics: Technology & IT , Uncategorized