Maintain Accountability for Electronic Media
Electronic media is, for the most part, just a fancy way of saying tape. Other, somewhat riskier technologies such as thumb drives and memory sticks do present challenges, but we will focus on magnetic tape.

Patient data is stored on electronic media today, and that data needs to be backed up or replicated as part of a sound disaster recovery plan. Even though replication is an excellent way of keeping the data in-house, it is still a rather expensive solution compared to the cost of tape.
As the responsible IT person or CIO/CTO, one of your jobs is to make sure the data gets backed up and stored in a secure location where it can be used to bring your organization back to life in case of a catastrophic failure at the production site. Unfortunately, this process puts the user data at risk. Once it leaves the building it has the potential for being lost or stolen. If it does - bad things happen and they happen to you.
Here are a few examples where bad things happen to good people:
A backup tape containing the dates of birth, medical records and Social Security numbers of more than 16,000 people, held by the Department of Veterans Affairs Regional Counsel Office in Indianapolis, went missing. The VA might offer credit monitoring for anyone who could have been impacted by the security breach. The incident occurred two days after a laptop containing the personal information of more than 26 million veterans was reported stolen in Maryland. ("Veterans records tape missing from Indy office," TheIndyChannel.com, June 29, 2006)
The Government Accountability Office issued a report calling for Medicare to exercise more oversight over how private plans transmit personal health records. Nearly half of all Medicare Advantage contractors surveyed reported breaches of private health records during the last two years. Information breaches most often occur when private contractors outsource health records to other companies for additional processing. According to GAO, 90 percent of Medicare contractors reported outsourcing health records domestically in 2005. (Perrone, M., "GAO urges more Medicare plan oversight," Houston Chronicle, September 5, 2006)
One employee was fired and three resigned at Providence Home Services in connection with a theft of backup tapes in late December 2006, which affected the patient records of 365,000 hospice patients. Social Security numbers were associated with all of the records, and financial information with most. In 2008, PHS agreed to pay a $100,000 HIPAA fine.
Is there a solution to this problem?
There is a solution to this problem, and Abtech has taken the mystery out of it with DataTrust. DataTrust/Tape is part of a comprehensive line of trusted data protection products that include encryption, Life Cycle Management (DataTrust/LCM), Content Addressable Storage (DataTrust/CAS) and virtual desktops (DataTrust/VDI). These products can address the needs of any organization where compliance and risk management are required parts of the data eco-structure.
DataTrust/Tape is a complete package of hardware and software that can be plugged into a data environment in less than one day and can economically resolve your off-site storage requirements. What are your off-site requirements?
Here are excerpts from the HIPAA standards:
Regulations/Standards: Within 60 days of enactment, the Secretary must specify the technologies that render data unusable or unreadable. By August 18, 2009, the Secretary is required to promulgate interim final regulations to implement the breach notification requirements.
Effective Date: Applies to breaches that are discovered on or after 30 days after interim final regulations are promulgated (September 18, 2009).
ARRA Section 13402 requires that covered entities provide notification to individuals if their health information has been breached (business associates are required to notify covered entities of any breaches; the covered entity must then notify the individual per the requirements).
In determining whether or not notice is required, two questions are relevant: (1) did it qualify as “breach” under the breach definition, and (2) was the information protected by an encryption‐like technology.
Only breaches of “unsecured” health information trigger the notification requirement. Similar to California law, which does not require notification if the information is encrypted (as long as the encryption has not been compromised), a breach of information that has been rendered “unusable, unreadable or indecipherable to unauthorized individuals,” using a technology or methodology specified by the Secretary, does not trigger the notification requirement.
If the breach notification requirement goes into effect and the Secretary has not yet issued guidance, information that is protected by technology that renders information unusable, unreadable or indecipherable and that is developed and endorsed by a standards developing organization accredited by ANSI will qualify for this “safe harbor.”