07-09-13 | Blog Post
According to DetroitNews.com, personal information of 49,000 individuals – including that of names, SSNs, DOB, cancer screening test results and dates of completion – were accessed by hackers recently. The data resided in a password-protected area of the Michigan Cancer Consortium website hosted on a private company’s server.
However, a Michigan Department of Community Health (MDCH) spokesperson claims that the breached information does not qualify as a medical record, and therefore the agency is not subject to complying with the HIPAA breach notification rule. The spokesperson also claims that the department has removed its files from the hacked server, and are now only hosted on an MDCH secure server, and that the issue has been corrected as a result.
One can assume the information was not encrypted if it was previously not located on a ‘secure’ server. Encryption is a general best practice and highly recommended for any health organization that collects protected health information (PHI).
The federally mandated HIPAA Security Rule for healthcare organizations handling electronic protected health information (ePHI) dictates that organizations must:
In accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information. (45 CFR § 164.312(a)(2)(iv))
HIPAA also mandates that organizations must:
§164.306(e)(2)(ii): Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Protecting ePHI at rest and in transit means encrypting not only data collected or processed, but also data stored or archived as backups.
One of the first steps toward implementing encryption is classifying and determining what data to encrypt, as Certified Information Systems Security Professional Chris Heuman stated in a recent webinar, Encryption – Perspective on Privacy, Security & Compliance. Any regulated, confidential or non-public information should be identified and then encrypted.
Since the HIPAA Privacy Rule dictates that any PHI includes demographic information that relates to “the individual’s past, present or future physical or mental health or condition,” the MDCH’s breached data including cancer screening test results and dates definitely fall under that definition.
The Dept. of Health & Human Services also makes the distinction between identifying information alone, such as names, addresses or phone numbers, and designated protected health information. With just identifying health data, they wouldn’t be categorized as PHI, since the same information could be found in a publicly-available phonebook.
But when paired with information such as listed health conditions, healthcare provision or payment data, or even any indication that a person was treated at a certain clinic is enough to count as PHI.
Additionally, when contracting with a private company and securing a server, check to ensure their facilities, company policies, staff training and technical services can pass an audit verifying they are in compliance with HIPAA standards.
While the OCR/HHS do not officially verify any product is ‘HIPAA compliant or certified,’ vendors that provide servers and server security are now considered business associates or even subcontractors of health organizations and are subject to HIPAA breach fines and consequences (read Final HIPAA Omnibus Rule: How it Changes Cloud Computing for Healthcare for more information).
An audit report from an independent auditor following the OCR HIPAA Audit Protocol can provide insight into the security of your data/application hosting provider.
For more about HIPAA compliant solutions, read our HIPAA Compliant Hosting white paper. Questions to ask your HIPAA hosting provider, data center standards cheat sheet and a diagram of the technical, physical and administrative security components of a HIPAA hosting solution (including HIPAA compliant clouds) are included.
References:
Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the HIPAA Privacy Rule
Michigan Agency Breaches PHI But Says Not Bound by HIPAA
State Health Department Falls Victim to Hackers