This slide deck gives stakeholders an example of how tacit knowledge is made explicit, using a review of our upcoming Breach Notification Wizard release, soon to be incorporated into Expresso: The Risk Assessment Express.
2. Carlos Leyva, Esq.
CEO, 3Lions Publishing, Inc.
HIPAA Survival Guide Publisher
www.hipaasurvivalguide.com
Attorney and Managing Partner
Digital Business Law Group, P.A.
Internet Law
www.digitalbusinesslawgroup.com
3. Agenda
• Introduction
• Breach Notification:
• When is it Triggered?
• Notification to Stakeholders?
• Tracking Security Incidents?
• Knowledge Management
• Q&A
7. Notification Analytical Framework
1. Was there an impermissible use or disclosure of unsecured PHI?
2. Does an exception to the breach rule apply?
3. Is there a low probability that the protected health information was compromised?
See our Breach Notification Framework
8. Impermissible use or disclosure of unsecured PHI?
Two component parts to this question: 1) was the use or disclosure impermissible; and 2) was the PHI unsecured? Both must be answered yes for the analysis to continue.
9. What is unsecured PHI?
Unsecured PHI: protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption or destruction.
10. PHI States & HHS Encryption Guidance
State of PHI | Specification to Meet or Exceed
PHI at Rest | NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
PHI in Motion | NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs; or others which are Federal Information Processing Standards (FIPS) 140-2 validated.
PHI Disposed | The media on which the PHI is stored or recorded has been destroyed in one of the following ways: (i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction. (ii) Electronic media has been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
PHI in Use | Data in use is data in the process of being created, retrieved, updated, or deleted. HHS did not issue guidance regarding PHI in Use; standard access control technologies are the practical safeguard, but because PHI in Use is neither encrypted nor destroyed it is not "secured" for breach notification purposes.
11. What is an impermissible use or disclosure?
An impermissible use or disclosure is one that violates the HIPAA Privacy Rule…
15. What is the bottom line?
If PHI is secured according to the Secretary's guidance then breach notification is never triggered, by definition. Essentially, securing PHI according to the guidance provides the ultimate breach notification "safe harbor."
Note the condition built into the guidance: encrypted PHI counts as secured only if the decryption key (or confidential process) has not itself been breached, so keys or passphrases stored on the same device or medium as the encrypted PHI forfeit the safe harbor.
16. Security Rule Implications?
• The Security Rule ("SR") makes encryption an "addressable" implementation specification, not a required one: see §164.312(a)(2)(iv) (encryption and decryption) and §164.312(e)(2)(ii) (transmission security) under Technical safeguards. An addressable specification must be implemented where reasonable and appropriate; otherwise the decision not to implement it, and any equivalent alternative measure, must be documented.
• A covered entity or business associate may therefore be in compliance with the Security Rule even though the technologies recommended by the Secretary are not used.
• However, if the recommended technologies are not used then the PHI in question is treated as unsecured and breach notification may be triggered. See the Breach Notification Framework.
17. Security Rule Implications?
• The practical reality is that business associates and covered entities will likely have some PHI encrypted (e.g. where an EHR vendor provides it as part of their offering) while other PHI remains in paper form, or stored electronically but not encrypted.
• From a Security Rule compliance perspective, it is critical that the required risk analysis (§164.308(a)(1)(ii)(A), Administrative safeguards) record where encryption and related technologies have been applied, and where they have not, so that a subsequent breach notification analysis can quickly establish whether the affected PHI was secured.
18. NIST Publication 800-111
• This is the NIST document that pertains to PHI at Rest.
• PHI at Rest is best thought of as PHI that is "stored" in end user devices (e.g. desktops, laptops), in file and database servers, in consumer devices (e.g. personal digital assistants, smart phones) and in removable storage media (e.g. USB flash drives, memory cards, external hard drives, writeable CDs and DVDs).
• PHI at Rest represents the "lion's share" of the PHI that requires protection. It also represents the most significant challenge in terms of cost and operational complexity, especially because of the explosion in consumer devices and removable storage media.
• Assume that not all PHI at Rest will be encrypted as the guidance recommends anytime in the foreseeable future, and plan accordingly. For example, the amount of paper based PHI, which cannot be encrypted at all, will remain significant for many years to come. Further, even a substantial amount of electronically stored PHI may remain "unsecured" due to operational considerations.
19. NIST Publication 800-52
• This is the NIST document that pertains to PHI in Motion.
• PHI in Motion is best thought of as PHI that is "moving across the wire," either between applications communicating over the Internet or between applications communicating within the organization's Intranet.
• The technology that NIST recommends for securing PHI in Motion is Transport Layer Security ("TLS"). TLS is a protocol created to provide authentication, confidentiality and data integrity between two communicating applications.
• TLS runs directly above TCP, between the transport and application layers of the ISO seven-layer communications model (also known as the seven-layer stack), and thereby allows two applications communicating PHI across the wire to secure their communications end to end, without the routers, proxies or network operators in between participating or being trusted.
• The TLS protocol specifications use cryptographic mechanisms to implement the security services that establish and maintain a secure channel over the TCP/IP connection. The secure channel prevents eavesdropping, tampering, or message forgery and thereby protects PHI in Motion from unauthorized use. The authentication service only holds if the client actually validates the server's certificate (and the server the client's, where client certificates are used); a client configured to skip validation is protected against passive eavesdropping but not against an active attacker impersonating the server.
20. The ISO Communications Stack
[Figure: two end hosts, each running the stack Application / Presentation / Session / TLS / TCP (Transport) / Network (IP) / Data Link / Physical, connected through the Internet / Intranet (IP). TLS sits between the application and TCP on each host.]
TLS protects PHI in Motion across the wire
22. NIST Publication 800-88
• This is the NIST document that pertains to PHI Disposed, i.e. media that has been "sanitized."
• When storage media are transferred, become obsolete, or are no longer usable or required by an information system containing PHI, it is important to ensure that residual magnetic, optical, electrical, or other representations of PHI that has been deleted (assuming that it has) are not easily recoverable.
• Sanitization refers to the general process of removing data from storage media such that there is reasonable assurance that PHI cannot be easily retrieved and reconstructed.
• Covered entities and business associates must sanitize information system digital media containing PHI using approved equipment, techniques, and procedures prior to its release outside of the organization or before it is made available for alternative uses internally.
• Covered entities and business associates must document and track sanitization and destruction actions and periodically test PHI sanitization equipment and procedures to ensure correct performance.
23. Sanitization Methods
Method | Description
Clearing | Protects the confidentiality of PHI against a robust keyboard attack, i.e. an attacker using the device's normal interfaces and standard data, disk, or file recovery utilities. Simple deletion does not suffice, because it removes only the directory entry and leaves the data in place. Clearing overwrites the storage locations with non-sensitive data so that the PHI cannot be retrieved by such utilities; it prevents most, but not all, unauthorized recovery.
Purging | Protects the confidentiality of PHI against a laboratory attack, in which a threat with the resources and knowledge to use nonstandard systems conducts recovery attempts on the media outside its normal operating environment. Degaussing is an example of a technique that can be used for purging magnetic media.
Destroying | The ultimate form of sanitization. After the media is destroyed it cannot be reused as originally intended. Physical destruction can be accomplished by disintegration, incineration, pulverizing, shredding, or melting, depending on the media.
Note that overwriting and degaussing were designed for magnetic media. They are unreliable on flash-based media (SSDs, USB flash drives, memory cards), where wear levelling can leave copies of the data in locations the host cannot address; the current revision, SP 800-88 Rev. 1, relies on the device's built-in sanitize commands or cryptographic erase to purge such media.
27. Does a Breach exception apply?
• At this point you have determined that there has been an impermissible use or disclosure of unsecured PHI.
• Three Exceptions
1. Under certain conditions—any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or a BA…if no further use or disclosure is contemplated
2. Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same covered entity or business associate…
3. A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
28. What is the probability?
• At this point you have determined that no breach exceptions apply and therefore what remains to be determined is whether there "was a low probability that the PHI in question was compromised."
• Risk Assessment Approach ("RA"): Four Factors
1. the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
2. the unauthorized person who used the PHI or to whom the PHI was disclosed;
3. whether the PHI was actually acquired or viewed; and
4. the extent to which the risk to the PHI has been mitigated.
29. What is the probability?
As discussed, the "Risk of Harm" analysis has been removed and replaced with a more objective "Risk Assessment" or "RA" approach.
Therefore, breach notification is NOT required under the Omnibus Rule if a CE or BA demonstrates through the RA that there is a low probability that the PHI has been compromised, rather than having to demonstrate that there is no significant risk of harm to the individual, as was provided for in the interim final rule ("IFR"). Absent such a demonstration, the impermissible use or disclosure is presumed to be a breach.
30. Analytical Framework Revisited
• If there is not a low probability of compromise then notification is mandated.
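The three questions above, the three exceptions and the four-factor risk assessment form a decision procedure, which is exactly the kind of tacit knowledge a wizard makes explicit. The following is an added example, not code from the deck or from the HSG Breach Notification Wizard: it encodes the framework as a function that returns a notify/no-notify determination together with an audit trail of each step. The class and field names, the treatment of PHI in Use as always unsecured, the "key compromised" flag and the completeness checks on the risk assessment are assumptions of this example; the questions, exceptions and factors are those on the slides.

```python
"""Three-question breach notification framework as an auditable decision procedure.

Added example; not the deck's or the wizard's own code. Names, the IN_USE rule, the
key_compromised flag and the risk-assessment checks are assumptions of this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class PhiState(Enum):
    AT_REST = "at rest"       # secured only if encrypted per NIST SP 800-111
    IN_MOTION = "in motion"   # secured only if protected per SP 800-52 / 800-77 / 800-113
    DISPOSED = "disposed"     # secured only if destroyed per SP 800-88
    IN_USE = "in use"         # no HHS guidance exists, so treated as never secured (assumption)


class BreachException(Enum):
    NONE = "none"
    UNINTENTIONAL_WORKFORCE = "1: unintentional good-faith acquisition by workforce, no further use"
    INADVERTENT_AUTHORIZED = "2: inadvertent disclosure between persons authorized at the same CE/BA"
    UNABLE_TO_RETAIN = "3: good-faith belief the recipient could not retain the PHI"


# The four factors every risk assessment must address (slide 28).
REQUIRED_FACTORS = ("nature_and_extent", "unauthorized_person", "acquired_or_viewed", "mitigation")


@dataclass
class FactorFinding:
    evidence: str     # what was established, e.g. "forensic image shows the file was never opened"
    favorable: bool   # does this factor point toward a low probability of compromise?


@dataclass
class RiskAssessment:
    findings: Dict[str, FactorFinding]   # keyed by REQUIRED_FACTORS
    concludes_low_probability: bool      # the assessor's documented overall conclusion

    def low_probability(self) -> bool:
        """Return the documented conclusion, refusing an incomplete or unsupported RA."""
        missing = [f for f in REQUIRED_FACTORS if f not in self.findings]
        if missing:
            raise ValueError(f"risk assessment incomplete, factors not addressed: {missing}")
        if self.concludes_low_probability and not any(f.favorable for f in self.findings.values()):
            raise ValueError("low-probability conclusion is not supported by any factor finding")
        return self.concludes_low_probability


@dataclass
class Incident:
    incident_id: str
    impermissible: bool             # violates the Privacy Rule (Q1, part 1)
    phi_state: PhiState
    secured_per_guidance: bool      # encrypted/destroyed per the Secretary's guidance (Q1, part 2)
    key_compromised: bool = False   # encryption is no safe harbor if the key was breached too
    exception: BreachException = BreachException.NONE
    risk_assessment: Optional[RiskAssessment] = None


@dataclass
class Determination:
    incident_id: str
    notify: bool
    trail: List[str] = field(default_factory=list)   # explicit record of each step for the incident log


def is_unsecured(inc: Incident) -> bool:
    if inc.phi_state is PhiState.IN_USE:
        return True
    return (not inc.secured_per_guidance) or inc.key_compromised


def determine(inc: Incident) -> Determination:
    d = Determination(inc.incident_id, notify=False)
    # Q1: impermissible use or disclosure of unsecured PHI?
    if not inc.impermissible:
        d.trail.append("Q1: use/disclosure permitted under the Privacy Rule -> no breach")
        return d
    if not is_unsecured(inc):
        d.trail.append(f"Q1: PHI {inc.phi_state.value} secured per HHS guidance -> safe harbor, no breach")
        return d
    d.trail.append("Q1: impermissible use/disclosure of unsecured PHI -> continue")
    # Q2: does one of the three exceptions apply?
    if inc.exception is not BreachException.NONE:
        d.trail.append(f"Q2: exception {inc.exception.value} -> no breach")
        return d
    d.trail.append("Q2: no exception applies -> continue")
    # Q3: presumed breach unless the RA demonstrates a low probability of compromise.
    if inc.risk_assessment is None:
        d.notify = True
        d.trail.append("Q3: no risk assessment performed -> presumed breach, notify")
        return d
    if inc.risk_assessment.low_probability():
        d.trail.append("Q3: RA demonstrates low probability of compromise -> no notification")
    else:
        d.notify = True
        d.trail.append("Q3: RA does not demonstrate low probability -> notify")
    return d


# Constructed sample incidents for illustration (not real cases).
STOLEN_LAPTOP = Incident("INC-001", impermissible=True, phi_state=PhiState.AT_REST,
                         secured_per_guidance=True)                       # full-disk encryption, key not on device
STOLEN_LAPTOP_KEY_ON_STICKY = Incident("INC-002", impermissible=True, phi_state=PhiState.AT_REST,
                                       secured_per_guidance=True, key_compromised=True)
MISDIRECTED_FAX = Incident("INC-003", impermissible=True, phi_state=PhiState.AT_REST,
                           secured_per_guidance=False,
                           risk_assessment=RiskAssessment(
                               findings={
                                   "nature_and_extent": FactorFinding("name and appointment date only", True),
                                   "unauthorized_person": FactorFinding("another covered entity", True),
                                   "acquired_or_viewed": FactorFinding("front desk read the cover sheet", False),
                                   "mitigation": FactorFinding("signed attestation of shredding", True)},
                               concludes_low_probability=True))

if __name__ == "__main__":
    for inc in (STOLEN_LAPTOP, STOLEN_LAPTOP_KEY_ON_STICKY, MISDIRECTED_FAX):
        result = determine(inc)
        print(inc.incident_id, "NOTIFY" if result.notify else "no notification", *result.trail, sep="\n    ")
```

The trail is the part worth keeping: it is what the incident log (the "Tracking Security Incidents" item on the agenda) should record, and it shows a reviewer which question ended the analysis. The risk assessment deliberately refuses to return a conclusion when one of the four factors was never addressed, since an RA that skips a factor cannot "demonstrate" anything under the Omnibus Rule.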
49. We provide the
recipe and not just
the ingredients…
store.hipaasurvivalguide.com
www.hipaasurvivalguide.com
3Lions Publishing, Inc. 800-516-7903
56. Carlos Leyva
CEO, 3Lions Publishing, Inc.
Selected Products
1. HSG Subscription Plan $2,495
2. Comprehensive Training Modules
3. Business Associate Contract
4. Privacy Rule Checklist
5. Security Rule Checklist
6. CSMM Checklist
7. Breach Notification Framework
AGILE Products
Benefits
• Live links to statutes and regulations
• Easy to understand & actionable
• Customizable to your requirements
• Reusable
• Save thousands on legal & technical
consulting fees
57. Thank you for attending
Questions may be sent to support@3lionspublishing.com