AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Medical Data Security: Will 2012 Finally See the Final Rule To HITECH?

The Senate Judiciary Subcommittee on Privacy, Technology, and Law recently asked a number of questions to the Department of Health and Human Services (HHS) and the Department of Justice (DOJ):

  • What's holding back the Final Rule to the HITECH Act amendment to HIPAA?
  • Why is enforcement of current medical privacy laws so lackadaisical?

While the Interim Rule has been successful in certain areas, such as the use of medical data encryption technology (which has, supposedly, increased significantly in medical settings) and covered entities reporting their data breaches to the HHS, other areas are lagging as medical organizations wait for a definitive, final ruling. The lack of enforcement, of course, also dissuades them from fully following the Interim Rule, which, despite its name, is the current law.

HHS, DOJ Respond

The HHS and DOJ, for their part, have noted that they are "ramping up" enforcement and pointed to past actions: in 2010, CVS and Rite Aid settled the government's charges, and Massachusetts General Hospital was fined a record $1 million earlier in the year.

As to the final HITECH rules, a specific timetable has not been revealed. However, their need and importance have been underscored by various people who have appeared before the committee. It was pointed out that the regulations (the final rule) are necessary for progress to be made. In fact, one person testified that

The lack of a final HITECH Rule is "a big reason" why the HIPAA Privacy and Security Rules are not being effectively enforced. In response to a question by Senator Richard Blumenthal (D-CT), Myrold [Privacy Officer for the Hennepin County Medical Center] speculated, "Until we actually get those final rules and people know that they're going to actually be enforced, you're probably not going to see a lot more compliance." [insideprivacy.com]

That makes sense. Take the uptake of encryption software like AlertBoot after the last Interim Rule was passed. Although nothing is final, covered entities have deployed it with some measure of alacrity because:

  • The Breach Notification Rule requires going public with a data breach unless the protected health information (PHI) is protected with encryption
  • HIPAA's breach notification harm threshold was eliminated (the harm threshold essentially put the breached entity in charge of concluding whether the breach was significant or not)

My mistake. The harm threshold has not been eliminated as of yet. Supposedly, it's the reason why we still have the Interim Final Rule, and under it, the "significant risk of harm" standard is still applicable.

In this particular case, it didn't take a genius to see what would and wouldn't be included in the Final Rule, especially considering the development of similar rules and laws, federal as well as state-level, that already applied in other areas such as finance and government.

Furthermore, a final law implies finality. People wouldn't be able to make excuses that they were waiting for a definitive law. The accounting and procurement departments wouldn't be hamstrung trying to guess whether today's investments and expenditures will mean write-offs (and possibly their heads) tomorrow because of changes in legislation.

Will we finally see the Final Rule in 2012? Hopefully. But history argues against it. My research shows that the original Final Rule for HIPAA's security of electronic health information was eventually published in 2003 with a compliance date of October 16, 2003, a full seven years after the Health Insurance Portability and Accountability Act of 1996.


Related Articles and Sites:
http://www.insideprivacy.com/senate-hearings-focus-on-lack-of-hipaa-enforcement-final-hitech-rule/


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.