ANNUAL BREACH REPORT 
www.redspin.com
BREACH REPORT 2013: 
Protected Health Information (PHI) 
February 2014 
Meaningful Healthcare IT Security®
2013 BREACH REPORT: PROTECTED HEALTH INFORMATION (PHI) 
© 2014 Redspin, Inc. www.redspin.com Page 2
Table of Contents 
Executive Summary ................................................................................................................... 3 
By the Numbers ......................................................................................................................... 4 
Discussion of Results ................................................................................................................. 5 
The Trend is Not Your Friend ..................................................................................................... 6 
Big Data (Breach) ...................................................................................................................... 7 
Thievery, Inc. ............................................................................................................................. 9 
Boo-Yah for BA's (and for OCR) ...............................................................................................10 
Left to Their Own Devices .........................................................................................................12 
A Prescription for Security Health..............................................................................................13 
Conclusion ................................................................................................................................16 
List of Tables 
Table 1: Total Large PHI Breaches and Records Impacted, 2010-2013 (adjusted) .................... 6 
Table 2: Largest PHI Breaches, 2013 ........................................................................................ 8 
Table 3: PHI Data Breaches by Type, 2013 ............................................................................... 9 
Table 4: Large PHI Breaches/Records Involving Business Associates, 2009-2013 ...................10 
Table 5: PHI Data Breaches by Devices, 2013..........................................................................12
Executive Summary 
A total of 804 large breaches of protected health information (PHI) affecting over 29.2 million patient records [1] have been reported to the Secretary of Health and Human Services (HHS) since the 2009 HITECH Act (Health Information Technology for Economic and Clinical Health) went into effect. HITECH originally included the breach reporting requirement in the interim final breach notification rule in September 2009. It was later amended and included in the HIPAA Omnibus Rule with effect from March 23, 2013. 
This is Redspin's 4th annual Breach Report / Protected Health Information. At the conclusion of each year, we analyze the complete statistical data set of breaches that have been reported to HHS since 2009. In the report, we assess the overall effectiveness of the current policies and controls designed to safeguard protected health information. In the current year, we identify significant trends and draw attention to the specific areas most in need of improvement. Then we offer Redspin’s recommendations for preventive measures and corrective action to address any critical gaps and weaknesses. Our goal is to help the healthcare industry continually improve its ability to protect patient information. We hope that our report makes an important contribution to that end. 
[1] These numbers include breaches that affected more than 500 individuals and were reported to HHS from August 2009 to December 16, 2013. Breaches that impacted fewer than 500 individuals are also reported to HHS on an annual basis, but the specifics are not made publicly available.
By the Numbers 
804 
breaches of protected health information since 2009 
29,276,385 
patient health records affected by breach since 2009 
7,095,145 
patient health records breached in 2013 
137.7% 
increase in the number of patient records breached from 2012 to 2013 
85.4% 
of the total records breached in 2013 resulted from the 5 largest incidents 
4,029,530 
records breached in the single largest incident 
83.2% 
of patient records breached in 2013 resulted from theft 
22.1% 
of breach incidents in 2013 resulted from unauthorized access 
35% 
of 2013 incidents were due to the loss or theft of an unencrypted laptop or other portable electronic device 
~ 20% 
of PHI breaches have involved a business associate each year from 2009-2013
Discussion of Results 
The migration from paper-based files to electronic health records (EHR) is well underway. The number of hospitals that have adopted EHR systems has more than tripled since 2009. The EHR Meaningful Use Program, which offers incentives for the implementation and use of electronic health records, has attracted 93% of eligible hospitals and 82% of eligible providers. In terms of participation and momentum, the program has been a success. Yet, during these same 4 years, nearly 30 million Americans have had their personal health information breached or inadvertently disclosed. 
Data breaches can cause significant financial and reputational harm to an organization as well as undermine consumer confidence. In healthcare, that risk is not limited to an individual hospital, provider, or business associate. It is an industry-wide threat to the success of the electronic health record initiative. We believe EHRs can improve cost efficiency, care delivery, and patient outcomes – but that promise can only be realized if there is a foundation of information security. 
To date, the most common cause of healthcare data breaches has been the theft or loss of unencrypted portable computing devices (laptops) or digital media containing PHI. Not surprisingly, in the SANS October 2013 Inaugural Health Care Survey (sponsored by Redspin), 65% of respondents identified the risk posed by negligent insiders as their biggest concern. The proliferation of mobile devices – whether employer-issued or personally owned (BYOD: bring your own device) – will exacerbate this problem. We expect employee negligence alone to continue to drive the PHI breach statistics even higher over the near term. 
This should be a clarion call to the healthcare industry. The trajectory is predictable yet preventable. With PHI data on more portable devices used by more “under-educated” employees, it is a virtual certainty that there will be more breaches. Mitigating that risk must become a higher priority throughout the entire industry.
The Trend is Not Your Friend 
In 2013, 199 large breaches of PHI impacting over 7 million patients were reported to HHS' Office for Civil Rights (OCR). This represents a 137% rise in the number of healthcare records affected by PHI breaches compared to 2012. 
Table 1: Total Large PHI Breaches and Records Impacted, 2010-2013 (adjusted) [2]

                                         2010        2011        2012        2013
Total # of Incidents Reported             212         149         192         199
Total # of Patient Records Impacted  5,434,661  10,841,802   2,983,984   7,095,145
Why the stunning increase? By comparison, 2012 had been a relatively “good” year. In retrospect, it appears that a convergence of factors in 2012 had led to an increased focus on IT security among HIPAA-covered entities. For example: 
• Stage 1 of the CMS EHR Meaningful Use Incentive program inspired a number of HIPAA security risk analysis (HSRA) projects at hospitals and other providers. Redspin alone conducted HSRAs at nearly 100 hospitals in the latter half of 2011 and throughout 2012. 
• OCR published their HIPAA audit protocol and completed 115 audits of various types of covered entities until putting the initiative on hold in 2013. 
• High profile healthcare breaches, significant monetary penalties, and other OCR enforcement actions were frequently in the news and kept “top of mind.” 
Thus, in 2012, the privacy and security safeguards envisioned in the HITECH Act, implemented and enforced by HHS, CMS, and OCR, and recently updated and finalized in the HIPAA Omnibus Rule, seemed to be having a positive impact. 
[2] The HHS OCR PHI breach database was recently adjusted to reflect additional breaches reported that had occurred in prior years. As such, additional 2012 breaches may be added to the list in the future.
Not so fast. In Redspin's 2012 PHI Breach Report, we cautioned about complacency. We questioned why encryption of “data at rest” was not made a mandatory HIPAA requirement, at least on portable devices. That provision is an “addressable” (but not mandatory) requirement in the HIPAA Security Rule. When CMS was finalizing the security provisions of the Stage 2 Meaningful Use attestation requirements, there was considerable discussion about encryption. Many hoped for a change in the HIPAA law. Ultimately, CMS decided only to “shine a light” on encryption by mentioning it in the Stage 2 Meaningful Use core requirement for eligible hospitals and providers while deferring to the existing HIPAA Security Rule language (see below): 
Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process for eligible hospitals. 
We understand that “addressable” does not mean optional. In short, it means either do it or implement a compensating control. While Redspin always recommends encryption of data-at-rest on laptops and other portable devices / media, it is ultimately the provider's decision. We will help guide and document their consideration (required) and, if they opt not to encrypt, we will offer our opinion of the compensating control(s) vis-à-vis their level of accepted risk. 
At the end of last year's report, we concluded our discussion of encryption as follows: “It will be the future breach statistics that tell the tale.” The 2013 statistics indeed told the tale – 137% increase in patient records affected by data breach, 35% of total incidents on a laptop or other portable device, 83.2% of records breached due to theft. Had encryption been more widely deployed, many of these would not even have been required to be reported as PHI breaches. 
Big Data (Breach) 
The five largest PHI data breaches in 2013 made up an astonishing 85.4% of the total reported for the year. For such massive breaches to occur, it follows that protected health information must be concentrated somewhere in the IT ecosystem. Naturally these include: storage systems, EHR applications, servers, and data back-up. Indeed, one of the top five breaches involved improper disposal of micro-fiches. Another related to paper records sent to the wrong party due to a computer error allegedly made by a business associate.
Table 2: Largest PHI Breaches, 2013

COVERED ENTITY                                   PATIENTS AFFECTED   TYPE OF BREACH      LOCATION OF BREACHED INFORMATION
Advocate Health and Hospitals                            4,029,930   Theft               Desktop Computers
Horizon Healthcare Services                                839,711   Theft               Laptop
AHMC Healthcare Inc.                                       729,000   Theft               Laptop
TX Health Harris Methodist Hospital Fort Worth             277,014   Improper Disposal   Other (micro-fiches)
IN Family & Social Services Administration                 187,533   Other               Paper (computer error)
However, the three largest incidents resulted from the theft of portable (or at least “movable”) computing devices containing huge amounts of unencrypted PHI. The most egregious of these occurred at Advocate Health and Hospitals (dba Advocate Medical Group) where four desktop computers were stolen from an office that held over 4 million records. A class action lawsuit has been filed in relation to this breach. 
At Horizon Healthcare Services (dba Horizon Blue Cross Blue Shield of New Jersey) two unencrypted laptops were stolen from the company's headquarters. The laptops contained varying amounts of personal data, potentially including social security numbers. A class action lawsuit was also filed in this case, with plaintiffs arguing that Horizon had failed to implement standard security practices (such as encryption) after a similar 2008 breach. 
At AHMC Healthcare, two password-protected, but unencrypted, laptops were stolen from their administrative offices. The organization reported that the personal information of about 729,000 patients may have been compromised. 
It is painfully obvious how much pain could have been avoided had these devices been encrypted, but these incidents raise other questions as well. For one, what business requirements and operational workflow led to such high concentrations of PHI on desktops and laptops? We've run across a number of scenarios where this has occurred, many of them not pretty. Sometimes an underutilized PC is used for back-up purposes (bad idea). Other times, well-intentioned employees download spreadsheets or other files containing PHI to their laptops so that they can continue their work at home. Well-intentioned or not, it is a bad idea unless the files are encrypted. It is also common for an organization to “phase-in” an encryption initiative over many months, only to have a laptop stolen that has yet to be updated.
A comprehensive HIPAA security risk analysis will help organizations identify these types of issues and more. That is why we do not believe in the “compliance checklist” approach to security risk analysis. Having the right policies in place is necessary but nowhere near sufficient. You want a security risk analysis that is PHI-centric and includes sophisticated technical testing. By combining device scanning with an understanding of workflow, policies, and procedures, you get a more complete picture of what is actually happening in your environment. From there you can implement a remediation plan that significantly lowers your risk of breach. 
A final note on encryption. While healthcare providers should be convinced by now of the high risk of storing PHI on unencrypted portable devices, the regulators have not done enough to force the issue. In our opinion, an “addressable” requirement is still widely and correctly interpreted as something less than mandatory. Many stop there – and never move on to the real requirement for a compensating control. The Federal government could fix that with one simple change to the HIPAA Security Rule. 
Thievery, Inc. 
Theft was the largest cause of PHI breach in 2013 by an overwhelming margin. Stolen devices made up over 45% of incidents reported and impacted 83.2% of all patient records breached. Laptop theft is big business. Various sources estimate that 10% of all laptops will be stolen during their usable lifetime – most in the first year of ownership – generally during local transit or on business trips in airports, taxis, hotels, etc. 
Table 3: PHI Data Breaches by Type, 2013

                        # OF BREACHES   % OF TOTAL   # OF RECORDS   % OF TOTAL
Theft                              90        45.2%      5,905,595        83.2%
Other                              26        13.1%        320,314         4.5%
Unauthorized Access                44        22.1%        313,353         4.4%
Improper Disposal                   8         4.0%        288,167         4.1%
Loss                               19         9.5%        150,282         2.1%
Hacking IT Incident                12         6.0%        118,394         1.7%
Total                             199         100%      7,906,105         100%
Theft has always been a leading cause of PHI data breach but never more than in 2013. We suspect the prevalence is a natural result of the increasing mobility of professional workforce and their equally mobile computing devices. The theft of a laptop is usually more opportunistic
than planned and with more people using laptops “on the move,” an increase in larceny is not at all surprising. 
As we have noted in prior reports, most laptops were not stolen to exploit PHI but simply for the value of the device. Often, the first thing a laptop thief does is wipe the device to remove all information. Yet, for HIPAA covered entities and business associates, that fact does nothing to minimize their obligations under the breach reporting regulations or avoid potentially costly reparations, penalties, or even legal judgments. 
Last year, we also warned about the increase in unauthorized access to PHI: “Malicious hackers are not the only group to realize the value of a stolen health record when used for illegal purpose – it may be your own employees. Incidents of insider threat are on the rise and can only be prevented by a comprehensive security program – not a once a year risk assessment but an integrated program of policies, controls, technical safeguards, organizational accountability, enforcement, training, and leadership.” 
Boo-Yah for BA's (and for OCR) 
With the HIPAA Omnibus Final Rule now on the books, covered entities and business associates (BAs) stand more or less on equal footing (at least from the regulatory standpoint) with regard to their responsibility to safeguard PHI from breach. We have already seen positive examples of business associates taking action to ensure they fulfill their security and privacy obligations to covered entities and maintain HIPAA compliance themselves. Redspin has conducted HIPAA security assessments for many large BAs and we receive new inquiries every day. 
Although the number of breach incidents involving a BA in 2013 followed the norm, the quantity of patient records impacted dropped radically. From late 2009 through the end of 2012, 57% of all patient records in large-scale PHI breaches involved a business associate. In 2013, BA breaches comprised only 10.2% of all records affected! 
Table 4: Large PHI Breaches/Records Involving Business Associates, 2009-2013

            # OF BA'S INVOLVED   TOTAL BREACHES       %   # OF PATIENT RECORDS IN BA BREACHES   # OF PATIENT RECORDS TOTAL   % BA INVOLVED
2009-2012                  125              605   20.7%                            12,454,995                   22,191,178           56.1%
2013                        43              199   21.6%                               726,829                    7,095,145           10.2%
While we are encouraged by the 2013 results, one need only look back to 2009-2012 to see how big a problem this was and can still be in the future. The number of breaches involving BAs has consistently comprised 21% of all breach incidents over the years. 
Remember that the delay in the finalization of the Omnibus Rule in the years 2011-2012 also extended the deadline before BAs would have direct liability for breach as contemplated in the 2009 HITECH Act. In 2013, the long awaited HIPAA Omnibus Rule was published in the Federal Register on January 25, 2013 with an effective date of March 26, 2013. 
Much of the final Omnibus Rule followed the interim regulations enacted in 2010-2011 after the passing of HITECH. Unfortunately, no interim rule regarding BAs was ever published. So it was indeed a regulatory sea change once Omnibus set a HIPAA compliance date for BAs and their subcontractors of September 23, 2013. They can now be held directly, civilly, and (in rare cases) criminally liable for PHI breach, and they must be fully HIPAA compliant. 
Hopefully, the 2013 statistics reflect the start of a positive trend among business associates. However, with the recent organizational changes at OCR and further delays in the restart of the HIPAA audit program, we are concerned that a lack of enforcement will weaken commitment. OCR, though well-intentioned, has a long way to go before it is in a position to audit any business associate. 
Thus, we continue our work to help covered entities and business associates alike. We help hospitals evaluate the internal controls of their business associates while building a risk model to determine overall exposure. Since BAs must now be HIPAA compliant, we can provide them with periodic HIPAA security risk assessments. We see these as mutually beneficial scopes of work that will allow hospitals and BAs to openly discuss process improvements using a common framework of understanding and the shared goal of protecting PHI. 
Redspin believes that true collaboration between covered entities, business associates, vendors, law firms, and expert security firms will be essential to building a truly secure “chain of PHI custody” with consistent safeguards at every point. Like most challenges to improve the common good, covered entities and BAs should accept joint responsibility and accountability as they are both vested in the same positive outcome.
Left to Their Own Devices 
In last year’s report, we noted that 37.7% of all PHI breaches had occurred on a laptop or other portable device, the easiest types of devices for thieves to steal or employees to lose. That trend continued in 2013 with laptops or other portable devices making up 34.7% of the total. 
Table 5: PHI Data Breach by Source/Device, 2013

                                      # OF INCIDENTS       %   # OF RECORDS       %
Laptops and other portable devices                69   34.7%      1,876,349   26.4%
Desktops and servers                              49   24.6%      4,343,440   61.2%
Paper                                             38   19.1%        390,144    5.5%
Other                                             17    8.5%        406,190    5.7%
Email                                             16    8.0%         51,419    0.7%
Electronic Medical Records                        10    5.0%         28,563    0.4%
Total                                            199    100%      7,096,105    100%
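The shares in Tables 2 through 5 (top-five concentration, breakdown by breach type and by device/location, and business-associate involvement) are aggregations over the per-incident list that HHS publishes. As an added example, not Redspin's code or the page's own, here is how those shares can be computed from such a list; the rows are constructed for illustration, and the column names are assumed to follow the HHS breach portal's layout.

```python
"""Aggregate a large-breach list the way the report's tables do.

Added example, not part of the Redspin report. Assumes breach records in the
column layout of the HHS OCR breach portal (covered entity, individuals
affected, type of breach, location of breached information, business
associate present). The sample rows below are CONSTRUCTED, not real breaches.
"""
import csv
import io
from collections import defaultdict

# Constructed sample in the (assumed) portal column layout; values are invented.
SAMPLE_CSV = """\
Name of Covered Entity,Individuals Affected,Type of Breach,Location of Breached Information,Business Associate Present
Example Hospital A,4000000,Theft,Desktop Computer,No
Example Plan B,800000,Theft,Laptop,No
Example Clinic C,700000,Theft,Laptop,No
Example Agency D,250000,Improper Disposal,Other,No
Example Agency E,180000,Other,Paper,Yes
Example Practice F,60000,Unauthorized Access,Electronic Medical Record,Yes
Example Practice G,20000,Hacking/IT Incident,Network Server,No
Example Practice H,5000,Loss,Laptop,No
"""


def load_breaches(text):
    """Parse portal-style CSV text into dicts with an integer record count."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "entity": row["Name of Covered Entity"],
            "records": int(row["Individuals Affected"]),
            "type": row["Type of Breach"],
            "location": row["Location of Breached Information"],
            "ba": row["Business Associate Present"].strip().lower() == "yes",
        })
    return rows


def breakdown(rows, key):
    """Incidents and records per category, with percent of total.

    key="type" reproduces the shape of Table 3; key="location" that of Table 5.
    """
    total_inc = len(rows)
    total_rec = sum(r["records"] for r in rows)
    inc, rec = defaultdict(int), defaultdict(int)
    for r in rows:
        inc[r[key]] += 1
        rec[r[key]] += r["records"]
    return {
        cat: {
            "incidents": inc[cat],
            "incident_pct": round(100.0 * inc[cat] / total_inc, 1),
            "records": rec[cat],
            "record_pct": round(100.0 * rec[cat] / total_rec, 1),
        }
        for cat in inc
    }


def top_n_share(rows, n):
    """Percent of all records accounted for by the n largest incidents (Table 2)."""
    total = sum(r["records"] for r in rows)
    largest = sorted((r["records"] for r in rows), reverse=True)[:n]
    return round(100.0 * sum(largest) / total, 1)


def ba_share(rows):
    """Incident and record share where a business associate was present (Table 4)."""
    ba_rows = [r for r in rows if r["ba"]]
    total_rec = sum(r["records"] for r in rows)
    return {
        "incident_pct": round(100.0 * len(ba_rows) / len(rows), 1),
        "record_pct": round(100.0 * sum(r["records"] for r in ba_rows) / total_rec, 1),
    }


if __name__ == "__main__":
    data = load_breaches(SAMPLE_CSV)
    print("top 5 share of records: %.1f%%" % top_n_share(data, 5))
    for cat, v in sorted(breakdown(data, "type").items(), key=lambda kv: -kv[1]["records"]):
        print("%-22s %3d (%5.1f%%)  %9d (%5.1f%%)" % (
            cat, v["incidents"], v["incident_pct"], v["records"], v["record_pct"]))
    print("BA involvement:", ba_share(data))
```

The same concentration seen in the report (a handful of incidents dominating the record count while theft dominates both columns) shows up in the constructed sample, which is why incident share and record share are reported side by side.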
Laptops continue to be the primary offender, but it is only a matter of time before smart phones, iPads, and other BYOD computing devices start contributing to the problem, and not just from the threat of loss or theft. Mobile / BYOD solutions present a plethora of risks. Citing the SANS Survey again, the respondents expressed concern about: 
• Lost or stolen mobile devices (83%) 
• Lack of employee security awareness about mobile use policies (73%) 
• Insecure or unprotected endpoints (73%) 
• Corrupt or malicious applications e.g. mobile malware (67%) 
• Insecure Wi-Fi use (48%) 
• Insecure web browsing (46%) 
In short, there is a lot to worry about. Encryption alone is not a cure-all. There are also real risks that mobile devices will be compromised with malware that could infiltrate the IT infrastructure and steal information directly from other systems. 
Most organizations have rushed to put a mobile device security policy in place but without full consideration of some of the dynamics of BYOD. Personal ownership of the devices creates both legal and psychological differences regarding usage. Top down policies will not necessarily be effective. Employers and employees must work towards truly mutually acceptable policies or there is a risk employees will just do whatever they want.
Redspin offers a mobile device security risk analysis that provides a methodology to enable IT management to increase engagement with their healthcare workers and get their buy-in on policies. No one has found the ideal solution yet, but we would like to highlight an approach that most closely adheres to the recommendations we provide our clients – CYOD (Choose Your Own Device). CYOD addresses both the employee's desire for choice and the organization's need to manage devices securely. Under the program, each employee is offered a choice of company-approved, standardized devices with built-in security protections. 
A Prescription for Security Health 
In summary, it would be easy to conclude that the more things change, the more they stay the same. But that would diminish the hard work and good intentions of many healthcare providers, some of whom are our clients. IT security is complicated, made even more so by the dynamic nature of technology and the ever challenging threat landscape. There is no silver bullet. It may be best to think of IT security as a chronic illness, a condition that requires ongoing treatment, testing, and re-evaluations. With security, the goal is not an outright cure but a lessening of symptoms, a lowering of risk. Redspin's treatment plan looks like this: 
1. Conduct an Annual HIPAA Security Risk Analysis 
This is your annual exam. Periodic risk analysis is a requirement of the HIPAA Security Rule anyway so you might as well plan it in advance and budget for it. When you consider all of the changes that take place year-over-year such as new system deployments, IT infrastructure enhancements, organizational restructuring, and employee turnover, it is certain that new vulnerabilities have arisen at the same time. At Redspin, we are fond of saying that while security assessments have a shelf life, they also have an expiration date. 
Do not be fooled into thinking that a HIPAA security risk analysis need not be technical. It is not possible to assess security risk without identifying real vulnerabilities and developing a remediation plan to address them. That is like a physical exam without blood work! 
2. Inoculate Yourself by Encrypting Data-At-Rest 
Insist on encryption of data on all portable devices. This is our fourth annual Breach Report, and encrypting laptops and other portable devices has been our top recommendation every year. From 2009 to present, the loss or theft of unencrypted portable devices has made up over a third of all large breach incidents and impacted over 50% of all health records put at risk.
We recognize that there are still significant hurdles to encryption – complex, often clumsy technology, budgetary constraints, and user-training needs. Employees resist it but, extending the analogy, people resist needles too. As painful as it may be, it will not compare with the pain of a major breach incident due to a lost device chock full of PHI. The costs of forensics, reparations, attorney’s fees, an OCR investigation / civil penalty, potential class action lawsuits, and negative publicity can easily run into millions of dollars. 
3. More Frequent Vulnerability Assessments and Penetration Testing 
The threat from malicious outsiders – hackers – has the potential to wreak havoc on the healthcare industry. While there have not been widespread occurrences, there can be no room for complacency. Just consider that the 12th largest breach of all time was the 2012 hacking incident at the Utah Department of Health (780,000 patient records). In our opinion, hacker attacks are likely to increase in frequency over the next few years. Personal health records are high value targets for cybercriminals as they can be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous hoaxes. In addition, many health providers process and store credit card information. 
To combat this threat, we recommend ongoing vulnerability scanning and remediation. Implement a monthly or quarterly test schedule so that you can compare results and see what you have fixed, what you have not, and what new vulnerabilities may have arisen. If you do not have the resources to do this yourself, Redspin can put you on an auto-scheduled service to do it for you. And consider external and internal penetration testing. These types of tests more closely mimic the paths of malicious attackers and can often expose inter-related weaknesses that would be beyond the scope of typical vulnerability assessments. 
4. Invest in the Security Awareness of Your Workforce 
The lack of security awareness among your employees is your overall biggest risk and the hardest to remediate. But every dollar spent on educating your employees on IT security is an investment in your organization's future success. The task goes well beyond PowerPoint presentations. You need to engage all of your employees in building a culture of security through a process of frequent and engaging security awareness training, internal training, daily reminders, and visual workplace cues. 
Situational training is a must – run social engineering tests (phishing, pre-text phone calls). Reward success. Track what people do in specific situations (good and bad) and integrate that info back into the training. Implement hotlines, place posters on walls, screen-saver reminders,
and monthly tips. Redspin, among other firms, can help build and customize an effective program for you. 
5. Engage With Your Business Associates 
The responsibility of PHI security now officially extends outside the organization. The Omnibus Rule legally extends compliance with HIPAA security provisions and direct civil liability for breach to business associates and their vendors. That said, covered entities still retain their obligation to ensure that their business associates are safeguarding PHI effectively.
Conclusion 
Since the accelerated deployment of IT in healthcare began, we have stressed that security is a foundational element for its successful implementation and adoption. As we move toward realizing the full promise of electronic health record (EHR) technology, the need for IT security in healthcare has never been so great. 
It is a complex task because today’s technology world is incredibly dynamic and massively interconnected. Once electronic health records were created, they were meant to find their way onto other devices, into other applications, and be transmitted to other places. The proliferation of portable devices and media within organizations that store PHI increases the likelihood of breach exponentially. A single change in IT infrastructure or application can create a multiplicity of new vulnerabilities, oversights, or mistakes. 
IT security cannot simply be legislated or completely enforced. Legislation, programs, policies, or controls that are intended to drive improvements in security must first recognize that effective security is about lowering risk. The aim is not to find and fix all vulnerabilities or eradicate every threat. The goal is to reduce the likelihood of occurrence and limit the potential damages of breach. 
Today’s challenges call for new ways of thinking about traditional HIPAA risk assessments. IT security is a process, not a project. A successful security program is a repetitive cycle of thorough testing, reports of findings, remediation, and retesting. For some aspects of an IT security program, such as policies and procedures, an annual review will be sufficient. But to protect against new or arising threats, monthly or quarterly vulnerability scanning, threat management, and remediation will be needed. Redspin wants to help drive the changes necessary in healthcare IT security so that PHI breaches are a rare exception, rather than a once-a-week news story.
For more information on Healthcare Security best practices from Redspin, see: 
http://www.redspin.com/healthcare 
For more information on the HIPAA Privacy Rule, go to: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/privruletxt.txt 
For more information on the HIPAA Security Rule, go to: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf 
For guidance on how to determine whether an entity is a covered entity under HIPAA, go to: http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/AreYouaCoveredEntity.html 
The Department of Health and Human Services (HHS) website can be found at: http://www.hhs.gov/ 
The Office for Civil Rights (OCR) website can be found at: http://www.hhs.gov/ocr/office/index.html 
For detailed information about the OCR HIPAA Audit protocol, go to: http://ocrnotifications.hhs.gov/hipaa.html 
The Centers for Medicare and Medicaid Services (CMS) website can be found at: http://www.cms.gov/ 
To see the list of objectives, associated measures, and detailed specifications pertaining to eligible professionals for Stage 1, go to: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/ALL_Stage1_EHR_Meaningful_Use_SpecSheetsEPs-.zip 
To see the list of objectives, associated measures, and detailed specifications pertaining to eligible hospitals and critical access hospitals for Stage 1, go to: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/All_Hospital_Core-MenuSetMeasures.zip 
To see the list of objectives, associated measures, and detailed specifications pertaining to eligible professionals for Stage 2, go to: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/Stage2_EP_SpecSheets.zip 
To see the list of objectives, associated measures, and detailed specifications pertaining to eligible hospitals and critical access hospitals for Stage 2, go to: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/Stage2_Hospital_SpecSheets.zip 
Meaningful Healthcare IT Security® 
Redspin, Inc. 
4690 B Carpinteria Avenue 
Carpinteria, CA 93103 
T 1.800.721.9177 
info@redspin.com 
Copyright © 2014 Redspin, Inc. All rights reserved. Redspin and the Redspin logo are trademarks of Redspin, Inc. in the U.S. and other countries. Other names and brands may be claimed as the property of others. BR_PHI_02042014 Please recycle. 
www.redspin.com

BREACH REPORT 2013: Protected Health Information (PHI)

  • 1.
    ANNUAL BREACH REPORT www. redspin. com BREACH REPORT 2013: Protected Health Information (PHI) February 2014 Meaningful Healthcare IT Security®
  • 2.
    2013 BREACH REPORT:PROTECTED HEALTH INFORMATION (PHI)  2014 Redspin, Inc. www. redspin. com Page 2 Table of Contents Executive Summary ................................................................................................................... 3 By the Numbers ......................................................................................................................... 4 Discussion of Results ................................................................................................................. 5 The Trend is Not Your Friend ..................................................................................................... 6 Big Data (Breach) ...................................................................................................................... 7 Thievery, Inc. ............................................................................................................................. 9 Boo-Yah for BA's (and for OCR) ...............................................................................................10 Left to Their Own Devices .........................................................................................................12 A Prescription for Security Health..............................................................................................13 Conclusion ................................................................................................................................16 List of Tables Table 1: Total Large PHI Breaches and Records Impacted, 2010-2013 (adjusted) .................... 6 Table 2: Largest PHI Breaches, 2013 ........................................................................................ 8 Table 3: PHI Data Breaches by Type, 2013 ............................................................................... 
9 Table 4: Large PHI Breaches/Records Involving Business Associates, 2009-2013 ...................10 Table 5: PHI Data Breaches by Devices, 2013..........................................................................12
  • 3.
    2013 BREACH REPORT:PROTECTED HEALTH INFORMATION (PHI)  2014 Redspin, Inc. www. redspin. com Page 3 Executive Summary A total of 804 large breaches of protected health information (PHI) affecting over 29.2 million patient records1 have been reported to the Secretary of Health and Human Services (HHS) since the 2009 HITECH Act (Health Information Technology for Economic and Clinical Health) went into effect. HITECH originally included the breach reporting requirement in the interim final breach notification rule in September 2009. It was later amended and included in the HIPAA Omnibus Rule with effect from March 23, 2013. This is Redspin's 4th annual Breach Report / Protected Health Information. At the conclusion of each year, we analyze the complete statistical data set of breaches that have been reported to HHS since 2009. In the report, we assess the overall effectiveness of the current policies and controls designed to safeguard protected health information. In the current year, we identify significant trends and draw attention to the specific areas most in need of improvement. Then we offer Redspin’s recommendations for preventive measures and corrective action to address any critical gaps and weaknesses. Our goal is to help the healthcare industry continually improve its ability to protect patient information. We hope that our report makes an important contribution to that end. 1 These numbers include breaches that affected >500 individuals and were reported to HHS from August 2009 to December 16, 2013. Those that impacted less than 500 are also reported to the HHS on an annual basis but the specifics are not made publicly available.
  • 4.
    2013 BREACH REPORT:PROTECTED HEALTH INFORMATION (PHI)  2014 Redspin, Inc. www. redspin. com Page 4 By the Numbers 804 breaches of protected health information since 2009 29,276,385 patient health records affected by breach since 2009 7,095,145 patient health records breached in 2013 137.7% increase in the number of patient records breached in 2012-2013 85.4% percent of the total records breached in 2013 resulted from the 5 largest incidents 4,029,530 records breached in the single largest incident 83.2% of 2013 of patient records breached in 2013 resulted from theft 22.1% of breach incidents in 2013 resulted from unauthorized access 35% of 2013 incidents were due to the loss or theft of an unencrypted laptop or other portable electronic device ~ 20% of PHI breaches have involved a business associate each year from 2009-2013
  • 5.
    2013 BREACH REPORT:PROTECTED HEALTH INFORMATION (PHI)  2014 Redspin, Inc. www. redspin. com Page 5 Discussion of Results The migration from paper-based files to electronic health records (EHR) is well underway. The number of hospitals that have adopted EHR systems has more than tripled since 2009. The EHR Meaningful Use Program, which offers incentives for the implementation and use of electronic health records, has attracted 93% of eligible hospitals and 82% of eligible providers. In terms of participation and momentum, the program has been a success. Yet, during these same 4 years, nearly 30 million Americans have had their personal health information breached or inadvertently disclosed. Data breaches can cause significant financial and reputational harm to an organization as well as undermine consumer confidence. In healthcare, that risk is not limited to an individual hospital, provider, or business associate. It is an industry-wide threat to the success of the electronic health record initiative. We believe EHRs can improve cost efficiency, care delivery, and patient outcomes – but that promise can only be realized if there is foundation of information security. To date, the most common cause of healthcare data breaches has been the theft or loss of unencrypted portable computing devices (laptops) or digital media containing PHI. Not surprisingly, in the SANS October 2013 Inaugural Health Care Survey (sponsored by Redspin), 65% of respondents identified the risk posed by negligent insiders as their biggest concern. The proliferation of mobile devices – whether employee issued or personally owned (BYOD: bring your own device) – will exacerbate this problem. We expect employee negligence alone to continue to drive the PHI breach statistics even higher over the near term. This should be a clarion call to the healthcare industry. The trajectory is predictable yet preventable. 
With PHI data on more portable devices used by more “under-educated” employees, it is a virtual certainty that there will be more breaches. Mitigating that risk must become a higher priority throughout the entire industry.
  • 6.
    2013 BREACH REPORT:PROTECTED HEALTH INFORMATION (PHI)  2014 Redspin, Inc. www. redspin. com Page 6 The Trend is Not Your Friend In 2013, 199 large breaches of PHI impacting over 7 million patients were reported to HHS' Office of Civil Rights (OCR). This represents a 137% rise in the number of healthcare records affected by PHI breaches compared to 2012. Table 1: Total Large PHI Breaches and Records Impacted, 2010-2013 (adjusted)2 2010 2011 2012 2013 Total # of Incidents Reported 212 149 192 199 Total # of Patient Records Impacted 5,434,661 10,841,802 2,983,984 7,095,145 Why the stunning increase? By comparison, 2012 had been a relatively “good” year. In retrospect, it appears that a convergence of factors in 2012 had led to an increased focus on IT security among HIPAA-covered entities. For example: • Stage 1 of the CMS EHR Meaningful Use Incentive program inspired a number of HIPAA security risk analysis (HSRA) projects at hospitals and other providers. Redspin alone conducted HSRA's at nearly 100 hospitals in the latter half of 2011 and throughout 2012. • OCR published their HIPAA audit protocol and completed 115 audits of various types of covered entities until putting the initiative on hold in 2013. • High profile healthcare breaches, significant monetary penalties, and other OCR enforcement actions were frequently in the news and kept “top of mind.” Thus, in 2012, the privacy and security safeguards envisioned in the HITECH Act, implemented and enforced by HHS, CMS, and OCR, and recently updated and finalized in the HIPAA Omnibus Rule, seemed to be having a positive impact. 2 The HHS OCR PHI breach database was recently adjusted to reflect additional breaches reported that had occurred in prior years. As such, there may be additional 2012 breaches added to the list in the future.
  • 7.
    2013 BREACH REPORT:PROTECTED HEALTH INFORMATION (PHI)  2014 Redspin, Inc. www. redspin. com Page 7 Not so fast. In Redspin's 2012 PHI Breach Report, we cautioned about complacency. We questioned why encryption of “data at rest” was not made a mandatory HIPAA requirement, at least on portable devices. That provision is an “addressable” (but not mandatory) requirement in the HIPAA Security Rule. When CMS was finalizing the security provisions of the Stage 2 Meaningful Use attestation requirements, there was considerable discussion about encryption. Many hoped for a change in the HIPAA law. Ultimately, CMS decided only to “shine a light” on encryption by mentioning it in the Stage 2 Meaningful Use core requirement for eligible hospitals and providers while deferring to the existing HIPAA Security Rule language (see below): Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process for eligible hospitals. We understand that “addressable” does not mean optional. In short, it means either do it or implement a compensating control. While Redspin always recommends encryption of data-at- rest on laptops and other portable devices / media, it is ultimately the provider's decision. We will help guide and document their consideration (required) and if they opt not to encrypt, we will offer our opinion of the compensating control(s) vis-a-vis their level of accepted risk. 
At the end of last year's report, we concluded our discussion of encryption as follows: “It will be the future breach statistics that tell the tale.” The 2013 statistics indeed told the tale – 137% increase in patient records affected by data breach, 35% of total incidents on a laptop or other portable device, 83.2% of records breached due to theft. Had encryption been more widely deployed, many of these would not even have been required to be reported as PHI breaches. Big Data (Breach) The five largest PHI data breaches in 2013 made up an astonishing 85.4% of the total reported for the year. For such massive breaches to occur, it follows that protected health information must be concentrated somewhere in the IT ecosystem. Naturally these include: storage systems, EHR applications, servers, and data back-up. Indeed, one of the top five breaches involved improper disposal of micro-fiches. Another related to paper records sent to the wrong party due to a computer error allegedly made by a business associate.
  • 8.
    2013 BREACH REPORT:PROTECTED HEALTH INFORMATION (PHI)  2014 Redspin, Inc. www. redspin. com Page 8 Table 2: Largest PHI Breaches, 2013 COVERED ENTITY PATIENTS AFFECTED TYPE OF BREACH LOCATION OF BREACHED INFORMATION Advocate Health and Hospitals 4,029,930 Theft Desktop Computers Horizon Healthcare Services 839,711 Theft Laptop AHMC Healthcare Inc. 729,000 Theft Laptop TX Health Harris Methodist Hospital Fort Worth 277,014 Improper Disposal Other (micro-fiches) IN Family & Social Services Administration 187,533 Other Paper (computer error) However, the three largest incidents resulted from the theft of portable (or at least “movable”) computing devices containing huge amounts of unencrypted PHI. The most egregious of these occurred at Advocate Health and Hospitals (dba Advocate Medical Group) where four desktop computers were stolen from an office that held over 4 million records. A class action lawsuit has been filed in relation to this breach. At Horizon Healthcare Services (dba Horizon Blue Cross Blue Shield of New Jersey) two unencrypted laptops were stolen from the company's headquarters. The laptops contained varying amounts of personal data, potentially including social security numbers. A class action lawsuit was also filed in this case, with plaintiffs arguing that Horizon had failed to implement standard security practices (such as encryption) after a similar 2008 breach. At AHMC Healthcare, two password-protected, but unencrypted, laptops were stolen from their administrative offices. The organization reported that the personal information of about 729,000 patients may have been compromised. It is painfully obvious how much pain could have been avoided had these devices been encrypted but these incidents raise other questions as well. For one, what business requirements and operational work flow led to such high concentrations of PHI on desktops and laptops? We've run across a number of scenarios where this has occurred, many of them not pretty. 
Sometimes an underutilized PC is used for back-up purposes (bad idea). Other times, well-intentioned employees download spreadsheets or other files containing PHI to their laptops so that they can continue their work at home. Well-intentioned or not, it is a bad idea unless the files are encrypted. It is also common for an organization to “phase-in” an encryption initiative over many months, only to have a laptop stolen that has yet to be updated.
  • 9.
    2013 BREACH REPORT:PROTECTED HEALTH INFORMATION (PHI)  2014 Redspin, Inc. www. redspin. com Page 9 A comprehensive HIPAA security risk analysis will help organizations identify these types of issues and more. That is why we do not believe in the “compliance checklist” approach to security risk analysis. Having the right policies in place is necessary but nowhere near sufficient. You want a security risk analysis that is PHI-centric and includes sophisticated technical testing. By combining device scanning with an understanding of workflow, policies, and procedures, you get a more complete picture of what is actually happening in your environment. From there you can implement a remediation plan that significantly lowers your risk of breach. A final note on encryption. While healthcare providers should be convinced by now of the high risk of storing PHI on unencrypted portable devices, the regulators have not done enough to force the issue. In our opinion, an “addressable” requirement is still widely and correctly interpreted as something less than mandatory. Many stop there – and never move on to the real requirement for a compensating control. The Federal government could fix that with one simple change to the HIPAA Security Rule. Thievery, Inc. Theft was the largest cause of PHI breach in 2013 by an overwhelming margin. Stolen devices made up over 45% of incidents reported and impacted 83.2% of all patient records breached. Laptop theft is big business. Various sources estimate that 10% of all laptops will be stolen during their usable lifetime – most in the first year of ownership – generally during local transit or on business trips in airports, taxis, hotels, etc. 
Table 3: PHI Data Breaches by Type, 2013 # OF BREACHES % OF TOTAL # OF RECORDS % OF TOTAL Theft 90 45.2% 5,905,595 83.2% Other 26 13.1% 320,314 4.5% Unauthorized Access 44 22.1% 313,353 4.4% Improper Disposal 8 4.0% 288,167 4.1% Loss 19 9.5% 150,282 2.1% Hacking IT Incident 12 6.0% 118,394 1.7% Total 199 100% 7,906,105 100% Theft has always been a leading cause of PHI data breach but never more than in 2013. We suspect the prevalence is a natural result of the increasing mobility of professional workforce and their equally mobile computing devices. The theft of a laptop is usually more opportunistic
  • 10.
    2013 BREACH REPORT:PROTECTED HEALTH INFORMATION (PHI)  2014 Redspin, Inc. www. redspin. com Page 10 than planned and with more people using laptops “on the move,” an increase in larceny is not at all surprising. As we have noted in prior reports, most laptops were not stolen to exploit PHI but simply for the value of the device. Often, the first thing a laptop thief does is wipe the device to remove all information. Yet, for HIPAA covered entities and business associates, that fact does nothing to minimize their obligations under the breach reporting regulations or avoid potentially costly reparations, penalties, or even legal judgments. Last year, we also warned about the increase in unauthorized access to PHI: “Malicious hackers are not the only group to realize the value of a stolen health record when used for illegal purpose – it may be your own employees. Incidents of insider threat are on the rise and can only be prevented by a comprehensive security program – not a once a year risk assessment but an integrated program of policies, controls, technical safeguards, organizational accountability, enforcement, training, and leadership.” Boo-Yah for BA's (and for OCR) With the HIPAA Omnibus Final Rule now on the books, covered entities and business associates (BAs) now stand more or less on equal footing (at least from the regulatory standpoint) with regard to their responsibility to safeguard PHI from breach. We have already seen positive examples of business associates taking action to ensure they fulfill their security and privacy obligations to covered entities and maintain HIPAA compliance themselves. Redspin has conducted HIPAA security assessments for many large BAs and we receive new inquiries every day. Although the number of breach incidents involving a BA in 2013 followed the norm, the quantity of patient records impacted dropped radically. 
From late 2009 through the end of 2012, 57% of all patient records in large-scale PHI breaches involved a business associate. In 2013, BA breaches comprised only 10.2% of all records affected! Table 4: Large PHI Breaches/Records Involving Business Associates, 2009-2013 # OF BA'S INVOLVED TOTAL BREACHES % # OF PATIENT RECORDS IN BA BREACHES # OF PATIENT RECORDS TOTAL % BA INVOLVED 2009-2012 125 605 20.7% 12,454,995 22,191,178 56.1% 2013 43 199 21.6% 726,829 7,095,145 10.2%
  • 11.
    2013 BREACH REPORT:PROTECTED HEALTH INFORMATION (PHI)  2014 Redspin, Inc. www. redspin. com Page 11 While we are encouraged by the 2013 results, one only need to look back to 2009-2012 to see how big a problem this was and can still be in the future. The number of breaches involving BAs has consistently comprised 21% of all breach incidents over the years. Remember that the delay in the finalization of the Omnibus Rule in the years 2011-2012 also extended the deadline before BAs would have direct liability for breach as contemplated in the 2009 HITECH Act. In 2013, the long awaited HIPAA Omnibus Rule was published in the Federal Register on January 25, 2013 with an effective date of March 26, 2013. Much of the final Omnibus Rule followed the interim regulations enacted in 2010-2011 after the passing HITECH. Unfortunately no interim rule regarding BAs was ever published. So it was indeed a regulatory sea change once Omnibus set a HIPAA compliance date for BAs and their subcontractors of September 23, 2013. They can now be held directly, civilly, (and in rare cases) criminally liable for PHI breach and they must be fully HIPAA compliant. Hopefully, the 2013 statistics reflect the start of positive trend among business associates. However with the recent organizational changes at OCR and further delays in the restart of the HIPAA audit program, we have concern that lack of enforcement will weaken commitment. OCR, though well-intentioned, has a long way to go before they can be in a position to audit any business associate. Thus, we continue our work to help both covered entity and business associates alike. We help hospitals evaluate the internal controls of their business associates while building a risk model to determine overall exposure. Since BAs must now be HIPAA compliant, we can provide them with periodic HIPAA security risk assessments. 
We see these as mutually-beneficial scopes of work that will allow hospitals and BAs to openly discuss process improvements using a common framework of understanding and the shared goal of protecting PHI. Redspin believes that true collaboration between covered entities, business associates, vendors, law firms, and expert security firms will be essential to building a truly secure “chain of PHI custody” with consistent safeguards at every point. Like most challenges to improve the common good, covered entities and BAs should accept joint responsibility and accountability as they are both vested in the same positive outcome.
  • 12.
    2013 BREACH REPORT:PROTECTED HEALTH INFORMATION (PHI)  2014 Redspin, Inc. www. redspin. com Page 12 Left to Their Own Devices In last year’s report, we noted that 37.7% of all PHI breaches had occurred on a laptop or other portable device, the easiest types of devices for thieves to steal or employees to lose. That trend continued in 2013 with laptops or other portable devices making up 34.7% of the total. Table 5: PHI Data Breach by Source/Device, 2013 # OF INCIDENTS % # OF RECORDS % Laptops and other portable devices 69 34.7% 1,876,349 26.4% Desktops and servers 49 24.6% 4,343,440 61.2% Paper 38 19.1% 390,144 5.5% Other 17 8.5% 406,190 5.7% Email 16 8.0% 51,419 0.7% Electronic Medical Records 10 5.0% 28,563 0.4% Total 199 100% 7,096,105 100% Laptops continue to be the primary offender but it is only a matter of time before smart phones, iPads, and other BYOD computing devices start contributing to the problem and not just from the threat of loss or theft. Mobile / BYOD solutions present a plethora of risks. Citing the SANS Survey again, the respondents expressed concerned about: • Lost or stolen mobile devices (83%) • Lack of employee security awareness about mobile use policies (73%) • Insecure or unprotected endpoints (73%) • Corrupt or malicious applications e.g. mobile malware (67%) • Insecure Wi-Fi use (48%) • Insecure web browsing (46%) In short, there is a lot to worry about. Encryption alone is not a cure-all. There are also real risks that mobile devices will be compromised with malware that could infiltrate the IT infrastructure and steal information directly from other systems. Most organizations have rushed to put a mobile device security policy in place but without full consideration of some of the dynamics of BYOD. Personal ownership of the devices creates both legal and psychological differences regarding usage. Top down policies will not necessarily be effective. 
Employers and employees must work towards truly mutually acceptable policies or there is a risk employees will just do whatever they want.
  • 13.
    2013 BREACH REPORT:PROTECTED HEALTH INFORMATION (PHI)  2014 Redspin, Inc. www. redspin. com Page 13 Redspin offers a mobile device security risk analysis that provides a methodology to enable IT management to increase engagement with their healthcare workers and get their buy-in on policies. No one has found the ideal solution yet, but we would like to highlight an approach that most closely adheres to the recommendations we provide our clients – CYOD (Choose Your Own Device). CYOD addresses both the employee's desire for choice and the organization's need to manage devices securely. Under the program, each employee is offered a choice of company-approved, standardized devices with built-in security protections. A Prescription for Security Health In summary, it would be easy to conclude that the more things change, the more they stay the same. But that would diminish the hard work and good intentions of many healthcare providers, some of whom are our clients. IT security is complicated, made even more so by the dynamic nature of technology and the ever challenging threat landscape. There is no silver bullet. It may be best to think of IT security as a chronic illness, a condition that requires ongoing treatment, testing, and re-evaluations. With security, the goal is not an outright cure but a lessening of symptoms, a lowering of risk. Redspin's treatment plan looks like this: 1. Conduct an Annual HIPAA Security Risk Analysis This is your annual exam. Periodic risk analysis is a requirement of the HIPAA Security Rule anyway so you might as well plan it in advance and budget for it. When you consider all of the changes that take place year-over-year such as new system deployments, IT infrastructure enhancements, organizational restructuring, and employee turnover, it is certain that new vulnerabilities have arisen at the same time. At Redspin, we are fond of saying that while security assessments have a shelf life, they also have an expiration date. 
Do not be fooled into thinking that a HIPAA security risk analysis need not be technical. It is not possible to assess security risk without identifying real vulnerabilities and developing a remediation plan to address them. That is like a physical exam without blood work! 2. Inoculate Yourself by Encrypting Data-At-Rest Insist on encryption of data on all portable devices. This is our fourth annual Breach Report and encrypting laptops and other portable devices has been our top recommendation every year. From 2009 to present, the loss or theft of unencrypted portable devices have made up over a third of all large breach incidents and impacted over 50% of all health records put at risk.
  • 14.
    2013 BREACH REPORT:PROTECTED HEALTH INFORMATION (PHI)  2014 Redspin, Inc. www. redspin. com Page 14 We recognize that there are still significant hurdles to encryption – complex, often clumsy technology, budgetary constraints, and user-training needs. Employees resist it but extending the analogy; people resist needles too. As painful as it may be, it will not compare with the pain of a major breach incident due to a lost device chock full of PHI. The costs of forensics, reparations, attorney’s fees, an OCR investigation / civil penalty, potential class action lawsuits, and negative publicity can easily run into millions of dollars. 3. More Frequent Vulnerability Assessments and Penetration Testing The threat from malicious outsiders – hackers – has the potential to wreak havoc on the healthcare industry. While there have not been widespread occurrences, there can be no room for complacency. Just consider that 12th largest breach of all time was the 2012 hacking incident at the Utah Department of Health (780,000 patient records). In our opinion, hacker attacks are likely to increase in frequency over the next few years. Personal health records are high value targets for cybercriminals as they can be exploited for identify theft, insurance fraud, stolen prescriptions, and dangerous hoaxes. In addition, many health providers process and store credit card information. To combat this threat, we recommend ongoing vulnerability scanning and remediation. Implement a monthly or quarterly test schedule so that you can compare results and see what you have fixed, what you have not, and what new vulnerabilities may have arisen. If you do not have the resources to do this yourself, Redspin can put you on an auto-scheduled service to do it for you. And consider external and internal penetration testing. 
These types of tests more closely mimic the paths of malicious attackers and can often expose inter-related weaknesses that would be beyond the scope of typical vulnerability assessments. 4. Invest in the Security Awareness of Your Workforce The lack of security awareness among your employees is your overall biggest risk and the hardest of remediation. But every dollar spent on educating your employees on IT security is an investment in your organizations future success. The task goes well beyond PowerPoint presentations. You need to engage all of your employees in building a culture of security through a process of frequent and engaging security awareness training, of internal training, daily reminders, and visual workplace cues. Situational training is a must – run social engineering tests (phishing, pre-text phone calls). Reward success. Track what people do in specific situations (good and bad) and integrate that info back into the training. Implement hotlines, place posters on walls, screen-saver reminders,
  • 15.
    2013 BREACH REPORT:PROTECTED HEALTH INFORMATION (PHI)  2014 Redspin, Inc. www. redspin. com Page 15 and monthly tips. Redspin, among other firms, can help build and customize an effective program for you. 5. Engage With Your Business Associates The responsibility of PHI security now officially extends outside the organization. The Omnibus rule legally extends compliance with HIPAA security provisions and direct civil liability for breach to business associates and their vendors. That said, covered entities still retain their obligation to ensure that its business associates are safeguarding PHI effectively.
  • 16.
Conclusion

Since the accelerated deployment of IT in healthcare began, we have stressed that security is a foundational element for its successful implementation and adoption. As we move toward realizing the full promise of electronic health record (EHR) technology, the need for IT security in healthcare has never been so great. It is a complex task because today's technology world is incredibly dynamic and massively interconnected. Once electronic health records were created, they were meant to find their way onto other devices, into other applications, and to be transmitted to other places. The proliferation of portable devices and media that store PHI within organizations increases the likelihood of breach exponentially. A single change in IT infrastructure or an application can create a multiplicity of new vulnerabilities, oversights, or mistakes.

IT security cannot simply be legislated or completely enforced. Legislation, programs, policies, or controls that are intended to drive improvements in security must first recognize that effective security is about lowering risk. The aim is not to find and fix all vulnerabilities or eradicate every threat. The goal is to reduce the likelihood of occurrence and limit the potential damages of a breach.

Today's challenges call for new ways of thinking about traditional HIPAA risk assessments. IT security is a process, not a project. A successful security program is a repetitive cycle of thorough testing, reporting of findings, remediation, and retesting. For some aspects of an IT security program, such as policies and procedures, an annual review will be sufficient. But to protect against new or emerging threats, monthly or quarterly vulnerability scanning, threat management, and remediation will be needed.

Redspin wants to help drive the changes necessary in healthcare IT security so that PHI breaches are a rare exception, rather than a once-a-week news story.
For more information on healthcare security best practices from Redspin, see: http://www.redspin.com/healthcare

For more information on the HIPAA Privacy Rule, go to: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/privruletxt.txt

For more information on the HIPAA Security Rule, go to: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf

For guidance on how to determine whether an entity is a covered entity under HIPAA, go to: http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/AreYouaCoveredEntity.html

The Department of Health and Human Services (HHS) website can be found at: http://www.hhs.gov/

The Office for Civil Rights (OCR) website can be found at: http://www.hhs.gov/ocr/office/index.html

For detailed information about the OCR HIPAA Audit Protocol, go to: http://ocrnotifications.hhs.gov/hipaa.html

The Centers for Medicare and Medicaid Services (CMS) website can be found at: http://www.cms.gov/

To see the list of objectives, associated measures, and detailed specifications pertaining to eligible professionals for Stage 1, go to: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/ALL_Stage1_EHR_Meaningful_Use_SpecSheetsEPs-.zip

To see the list of objectives, associated measures, and detailed specifications pertaining to eligible hospitals and critical access hospitals for Stage 1, go to: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/All_Hospital_Core-MenuSetMeasures.zip

To see the list of objectives, associated measures, and detailed specifications pertaining to eligible professionals for Stage 2, go to: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/Stage2_EP_SpecSheets.zip

To see the list of objectives, associated measures, and detailed specifications pertaining to eligible hospitals and critical access hospitals for Stage 2, go to: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/Stage2_Hospital_SpecSheets.zip

Meaningful Healthcare IT Security®
Redspin, Inc.
4690 B Carpinteria Avenue
Carpinteria, CA 93103
T 1.800.721.9177
info@redspin.com
www.redspin.com

Copyright © 2014 Redspin, Inc. All rights reserved. Redspin and the Redspin logo are trademarks of Redspin, Inc. in the U.S. and other countries. Other names and brands may be claimed as the property of others. BR_PHI_02042014