Computers in Medicine Online (sm)

Computers in Medicine (sm) - Online Newsletter is a quarterly online newsletter on computer applications for the medical profession (Published on the Web since 1996). 3rd Quarter 2010 Edition.

7/7/2010

HIPAA HITECH - the Focus on Encryption
Details of HIPAA and these rules are available here.
The importance of encryption under HIPAA HITECH

The American Recovery and Reinvestment Act (ARRA) of 2009 included what is known as the Health Information Technology for Economic and Clinical Health Act, or simply the HITECH Act. The HITECH Act addresses privacy and security concerns related to electronic healthcare information. It included financial incentives for the adoption of EMR systems and penalties for non-adoption. It also extended the HIPAA Privacy and Security Rules to cover business associates of covered entities, and introduced updated civil and criminal penalties along with new breach notification requirements. These enhancements to the Privacy and Security Rules make encryption a key component of HIPAA compliance, which is the focus of this article.

Understanding the new regulations concerning Protected Health Information (PHI) is crucial to seeing how significant encryption is for HIPAA/HITECH compliance. According to the U.S. Dept. of Health and Human Services (HHS), PHI is classified as follows:
Note that by the definition of Unsecure PHI, any PHI that is not encrypted is considered unsecure. This means that it doesn't matter how many locks or biometric devices you have on the filing cabinet containing your non-encrypted PHI; it is still considered unsecure. Once again, the only secure PHI is encrypted PHI.

The penalties established under the HITECH Act's breach notification requirements are financially significant. They can be as high as $50,000 per violation (for violations of willful neglect that the organization did not correct), not to exceed $1,500,000 per calendar year. Under the HITECH Act, all HIPAA covered entities are required to send notification letters if there has been a breach of unsecured PHI.

According to HHS, the use of encryption can grant safe harbor in the event of a breach. This is because encrypted PHI is "Secure PHI", not "Unsecure PHI" (a true breach can only occur if it involves Unsecure PHI). The encryption method used must be approved by the National Institute of Standards and Technology (NIST). Encrypted data is looked at in 2 ways:
For Data in Motion, a valid encryption process must comply with Federal Information Processing Standards (FIPS) 140-2. This is fairly easy to accomplish, since many vendors offer FIPS 140-2 validated products.

For Data at Rest, NIST specifies the use of FIPS-approved algorithms contained in validated cryptographic modules, and recommends the Advanced Encryption Standard (AES) as the encryption algorithm because of its speed and strength. Self-encrypting hard drives that are FIPS 140-2 certified are ideal here. There are few of these drives currently on the market, but they are expected to become widely available soon.

Safe harbor can only be achieved as long as these strict standards and guidelines are adhered to. The use of proper encryption technologies permits doctor's offices, companies, and organizations to secure their sensitive PHI data, thus avoiding breach notifications and the hefty financial penalties that accompany them!

There was an overwhelming interest in the issue regarding Practice Management Systems and Electronic Medical Records.

Last Update: 7/7/2010
Copyright and disclaimer © 1995 - 2010 - Brickell Research, Inc. - All Rights Reserved.
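To make the data-at-rest recommendation above concrete, here is an added illustration, not taken from the newsletter or from Brickell Research, of encrypting a single PHI record with AES-256 in GCM mode using Go's standard library. The key, record identifier and record text are constructed sample values; the function names are ours. One caveat the passage implies but does not spell out: safe harbor turns on the algorithm running inside a FIPS 140-2 validated cryptographic module, and a general-purpose library build is not automatically such a module, so this shows the mechanics of AES-based protection, not a validated configuration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SampleKey is a constructed 256-bit test key (32 ASCII bytes). In a real
// deployment the key comes from a key-management facility or from the
// validated cryptographic module itself, never from a literal in source code.
var SampleKey = []byte("0123456789abcdef0123456789abcdef")

// Encrypt seals one PHI record with AES-256-GCM (a FIPS-approved algorithm and
// mode). The record identifier is bound to the ciphertext as additional
// authenticated data (AAD), so a ciphertext copied onto another record fails
// to decrypt. The returned blob is nonce || ciphertext || tag.
func Encrypt(key, plaintext, recordID []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key length selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per record; reusing a nonce under the same
	// key destroys GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, giving the self-describing blob.
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// Decrypt reverses Encrypt. GCM verifies the tag before releasing any
// plaintext, so a flipped bit in the ciphertext, tag or AAD yields an error
// and no data.
func Decrypt(key, blob, recordID []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, recordID)
}

// Demo encrypts a constructed record and reports whether the round trip,
// tamper detection and record-binding checks behave as expected.
func Demo() (roundTrip, tamperDetected, swapDetected bool, err error) {
	record := []byte("Patient: Jane Doe (constructed sample); DOB 1970-01-01; Dx: J45.909")
	id := []byte("record-id:0001")

	blob, err := Encrypt(SampleKey, record, id)
	if err != nil {
		return false, false, false, err
	}
	plain, err := Decrypt(SampleKey, blob, id)
	if err != nil {
		return false, false, false, err
	}
	roundTrip = string(plain) == string(record)

	// The same blob presented under a different record identifier must fail.
	_, swapErr := Decrypt(SampleKey, blob, []byte("record-id:0002"))
	swapDetected = swapErr != nil

	// A single flipped bit in the stored blob must fail.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, tamperErr := Decrypt(SampleKey, tampered, id)
	tamperDetected = tamperErr != nil

	return roundTrip, tamperDetected, swapDetected, nil
}

func main() {
	rt, tamper, swap, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("round trip ok: %v, tamper detected: %v, record swap detected: %v\n", rt, tamper, swap)
}
```

Binding the record identifier as AAD is the detail most often missed when "encrypting at rest": AES alone keeps the bytes confidential, but without an authenticated mode and a context binding, a ciphertext can be corrupted or moved between records without detection, which is not what a breach-safe-harbor argument wants to rest on.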