HIPAA Rules and Discussion

tmccormi wrote on Monday, February 17, 2014:

I decided it would be useful to have a thread that is just about USA HIPAA rules.

Here’s some links:
CMS - http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/
AMA - http://www.ama-assn.org/resources/doc/washington/hipaa-phi-encryption.pdf

blankev wrote on Tuesday, February 18, 2014:

The AMA instructions are nice to read. So understandable and to the point. Why is it not implemented or discussed in these OpenEMR forums? Or is it simplified, and is the implementation of the simple encryption and decryption not as simple as stated in this document?

Coming back to the comparison of the theft of paper information and EMR, it boils down to how I can get the medical information quickly enough when there is an emergency situation. If I lost the keys to my Fort Knox-protected laptop, how long would it take to get new keys…

Would it be possible to give the client the choice between:
Your medical information can be stored, but it is always insecure? Yes/No
Do you accept… only relevant medical acceptable info for a client will be included. Yes/No…

No indeed, that does not work for Medicare and other insecure communication exchanges for payments, or does the receptionist of Medicare unlink the names and the data for all clients before they start reading the included medical information…

(Just thinking out loud as a General Practitioner.)

cmswest wrote on Wednesday, February 19, 2014:

Thanks for the links, I think the AMA document is missing a key point.

I believe that while it is recommended, there is no actual requirement for encrypting “stationary” data, as in the data stored on a laptop’s hard drive or even a USB stick.

Only data in transit, like data flowing on a public network, is required to be encrypted.

blankev wrote on Wednesday, February 19, 2014:

I only read the AMA guidelines, but it waters down to: “if you can within reasonable circumstances get to the Medical info of a person”, you can be fined. So encryption of the Names and/or Data related to medical complaints you can be fined. The relationship between the clients name and medical treatment/problems seems to be the issue. Fines are friendly, as long as they are not implemented. But severe if “they” decide there is a breach.

ajperezcrespo wrote on Wednesday, February 19, 2014:

True that § 164.312(e)(1) states that data in motion should be encrypted.
But § 164.312(a)(2)(iv) does not differentiate between data in motion or at rest.
So one needs to assume that § 164.312(a)(2)(iv) is in reference to data at rest simply because Data in Motion is specifically addressed in § 164.312(e)(1).

In addition to this both are (A) Addressable. This does not mean optional, it means that if not done in this manner (for whatever the reason) select an alternate method and document why.
This should be part of the Risk Analysis § 164.308 (a)(ii)(A) and Risk Management § 164.308 (a)(ii)(B).

Finally Encrypted Endpoint Devices via the NIST Guide to Storage Encryption Technologies for End User Devices (NIST SP800-111) would fall into the Safe Harbor classification. A lost properly encrypted End User device would not be considered a Breach.

In Summary Encrypt it All.
FYI: Full Disk Encryption is preferred.

Alfonso

blankev wrote on Wednesday, February 19, 2014:

Encrypt all… YES and NO… who is responsible if the encryption key is lost? Most doctors have some vision, but they will never grow old and will never die. So unlike the bank account, most relatives are not interested in medical information.

CVA, heart attack, brain tumor and what else can come into view for sudden data loss. Not seeking the misfortune of hard disk failure, since there was always a backup system in place.

Encrypting the demographics could prevent decoding the medical info and the relation to the client, especially in clinics with a substantial client database.

Encryption at the end of the day and decryption as starters. This means one table or two tables to encrypt and scramble. (Since the order of the names could be an indication of who is who.)

E-mails should always be encrypted, saying this, means that the sender and receiver should have a coding and decoding system in place…

  1. What system is preferred by the OpenEMR users?

  2. Same system for medical professionals as for client-doctor e-mails?

  3. Fingerprint protected USB devices can even be misused as proven by professionals.
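The end-of-day encryption of the demographics table that blankev sketches above, with the worry that stored order could give names away, can be made concrete. The following is an added example in Go, not code from this thread or from OpenEMR; it assumes a hypothetical table with a numeric row id and text columns such as "name" and "dob", and a key that is supplied from outside the database (for example entered at start of day) rather than stored beside the rows. Each cell gets a fresh random nonce, so two patients with the same name produce unrelated stored values and neither table order nor equality of cells leaks anything; the row id and column name are bound in as authenticated data, so a value moved between rows or columns is rejected on decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
)

// NewAEAD wraps a 16-, 24- or 32-byte key in AES-GCM. The key is assumed to be
// supplied from outside the database (e.g. at start of day) and is never
// stored beside the rows it protects.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// rowContext is the GCM additional authenticated data. Binding the row id and
// column name means a stored value cut from one patient's row will not open
// in another patient's row, nor in a different column of the same row.
func rowContext(id int, column string) []byte {
	return []byte(fmt.Sprintf("%s:%d", column, id))
}

// EncryptField draws a fresh random nonce on every call, so equal plaintexts
// (two patients called "Jane Doe") produce unrelated stored values: neither
// the order of the table nor equality of cells leaks the name. The stored
// form is base64(nonce || ciphertext || tag), suitable for a text column.
func EncryptField(aead cipher.AEAD, id int, column, plaintext string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), rowContext(id, column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField is the "start of day" counterpart. It fails closed on a wrong
// key, a value moved to another row or column, or any tampering.
func DecryptField(aead cipher.AEAD, id int, column, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	if len(raw) < n+aead.Overhead() {
		return "", fmt.Errorf("row %d column %s: stored value too short", id, column)
	}
	plaintext, err := aead.Open(nil, raw[:n], raw[n:], rowContext(id, column))
	if err != nil {
		return "", fmt.Errorf("row %d column %s: %w", id, column, err)
	}
	return string(plaintext), nil
}

func main() {
	// Constructed demo input: an all-zero key and two patients sharing a name.
	aead, err := NewAEAD(make([]byte, 32))
	if err != nil {
		panic(err)
	}
	rows := []struct {
		ID   int
		Name string
	}{{1, "Jane Doe"}, {2, "Jane Doe"}}
	for _, r := range rows {
		stored, err := EncryptField(aead, r.ID, "name", r.Name)
		if err != nil {
			panic(err)
		}
		back, _ := DecryptField(aead, r.ID, "name", stored)
		fmt.Printf("row %d stored=%s decrypts=%q\n", r.ID, stored, back)
	}
}
```

What this does not settle is exactly the question raised in the thread: who holds the key and what happens when it is lost. The example only makes sure the key never sits in the same table as the data; recovery of a lost key is a contingency-planning matter, not something the cipher can help with.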

ajperezcrespo wrote on Wednesday, February 19, 2014:

In the US patient data has multiple uses, from fraud to blackmail. HIPAA defines the patients’ basic rights to privacy on health-related information. It sets forth strict laws and guidelines for those who store, use and transmit this information.
Full Disk Encryption would require the key only on boot or initial use of Storage device. For example on bootup of a Laptop or insertion of pen-drive.
Data in motion would be along the lines of SSL or Kerberos.
In the HIPAA Omnibus (Sept/23/2012) the rule changed from determining what damage lost data may cause to what the level of visibility of said data is. Thus if the lost device is fully encrypted (and your documentation can prove it), it is not visible and it is not considered a Breach.
§ 164.308 (a)(7) is the Contingency Plan Standard which requires Backup/Recovery and Emergency Mode Operations.

In NIST Usability standards of EHR some, or even most, of these items would be transparent to the caregivers.

Finally when speaking of Fingerprint protected USB devices is the device actually encrypted or is the fingerprint scan just an authentication process?