1. A. Understand - HIPAA/HITECH Regulatory Legislation
The need to protect individual patient medical records has become well-established since the U.S. Government Health Information Portability and Accountability Act, HIPAA, was enacted in 1997 to define and enforce nationwide standards for such protection. The Health Information Technology for Economic and Clinical Health, HITECH, Act was signed into law in 2009 as a companion to HIPAA to, in particular, stimulate the adoption of Electronic Health Records and supporting technology. Since then these have collectively become known as the HIPAA/HITECH requirements. More recently the U.S. Department of Health and Human Services (HHS) has issued its Omnibus Ruling of 2013, which further clarified many of the earlier requirements and described more active vigilance in monitoring compliance.
Personal, Private, or Protected Health Information (PHI) generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that is collected by a healthcare professional to identify an individual and determine appropriate care. These and other details are described in a set of “Rules”:
- Privacy Rule: A summary of key elements, including who is covered, what information is protected, and how protected health information can be used and disclosed, may be found on the HHS web site www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html.
- Security Rule: Establishes standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by requiring appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Reference: 45 CFR Part 160 and Subparts A and C of Part 164.
- Enforcement Rule: Contains provisions relating to compliance and investigation, the imposition of penalties for violations, and procedures for hearings. Reference: 45 CFR Part 160, Subparts C, D, and E.
- Breach Notification Rule: Issued in August, 2009, to implement section 13402 of the HITECH Act by requiring notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.
- Omnibus Rule: Issued in January, 2013, to clarify these rules and to provide improved guidance for their execution and enforcement. An overview of the Omnibus impact may be found in the Code Green Networks white paper “HIPAA Omnibus Compliance” at https://www.codegreennetworks.com/resources/downloads/HIPAAOmnibus.pdf.
- Enforcement of the Omnibus Rule began in September, 2013, which gives added incentive and urgency to all handlers of Personal Health Information to review their policies and procedures.
- The Omnibus Rule clarifies the regulations to mean that any party who “creates, receives, maintains or transmits Personal Health Information” is covered under the same HIPAA/HITECH provisions. Business Associates and their subcontractors are, therefore, now subject to HIPAA/HITECH compliance requirements and potential audits as well.
- Certain individual states may have regulations in addition to the national standards mentioned above. Moreover, a particular enterprise could have additional governmental or industry compliance requirements that can be addressed by the application of a DLP solution. For instance, many health care companies may need to meet requirements defined by the Payment Card Industry (PCI). However, to maintain the stated focus of this paper, these regulatory requirements will not be addressed in detail here.
1. B. Understand - Compliance and Risks
The improper release of regulated health information can result in painful consequences for the organization(s) responsible - ranging from damaging media exposure to harsh fines of up to $1.5m for serious incidents. Maintaining compliance with government regulatory acts that protect patients’ private medical information needs to be a top priority for healthcare organizations and for the business associates holding this type of information.
Data Loss Prevention, DLP, technology, when implemented appropriately, will help address these requirements and reduce the risks involved.
1. C. Understand - What is DLP?
Data Loss Prevention, DLP, refers to technology employed for the purpose of reducing the risks from loss of control over sensitive data. Not all DLP offerings on the market are equal, however. Because of its unique advantages and powerful capabilities, DLP here will be taken to mean “Content-Aware DLP”, which is often referred to as “Enterprise DLP”. Gartner, Inc. provides this definition in its IT Glossary:
“Content-aware data loss prevention (DLP) tools enable the dynamic application of policy based on the content and context at the time of an operation. These tools are used to address the risk of inadvertent or accidental leaks, or exposure of sensitive enterprise information outside authorized channels, using monitoring, filtering, blocking and remediation features.”
Several consultants have provided explanations of DLP. One helpful example is provided by Securosis at https://securosis.com/blog/new-paper-implementing-and-managing-a-dlp-solution. A useful independent overview of DLP vendors may be obtained from the DLP Experts: www.dlpexperts.com.