Sunday, November 8, 2009

Is This A Security Breach? You Make the Call

by Rebecca Herold

I want to take a closer look at some of the issues and requirements within the HITECH Act, which dramatically expands the reach and requirements under the U.S. Health Insurance Portability and Accountability Act (HIPAA)...

So, what is a "breach" under the HITECH Act?
The general question of "what is a privacy breach" is one that too few organizations have really answered, documented, and prepared response plans to cover. The HITECH Act "SEC. 13400. DEFINITIONS" contains the following:

(1) BREACH.--
(A) IN GENERAL.--The term ''breach'' means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
(B) EXCEPTIONS.--The term ''breach'' does not include--
(i) any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if--
(I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and
(II) such information is not further acquired, accessed, used, or disclosed by any person; or
(ii) any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at same facility; and
(iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.

A problem facing information security and privacy practitioners is that they must comply with many different laws with breach response requirements, each of which defines a "breach" differently. However, if an organization documents its own definition of a breach to meet the most restrictive of those requirements, it should then be doing pretty well at meeting most, if not all, of the compliance requirements with regard to a "breach."

Note that the HITECH Act definition does not limit a breach to just electronic information. This is good! Many, many breaches have occurred with print information, and also audio ("heard") information, though it is harder to determine if someone has overheard someone else talking about PII. Such circumstances would commonly occur in public places, or through phone systems and voice mail.

It is also good to specify exceptions to what is considered to be a breach. You do not want to start notifying individuals for every single little thing that MAY be, COULD have been, or POSSIBLY was something that was considered to be a breach. You don't want the general public to become complacent and get breach-notice-fatigue as a result of having so many people notifying them that their PII may have been inappropriately accessed, used or disclosed.

Don't get me wrong, I *WANT* organizations to tell the impacted individuals when they've lost their PII, when it's been stolen, or when it has otherwise been misused.
However, consider the following situations:

1) An employee mistakenly sends another employee within the same organization an email containing a file with customer PII. The errant recipient notices this right away, notifies the sender of the mistake, deletes the message, and mail logs confirm these activities.

I know an organization where this situation actually occurred, they decided to treat it as a breach, and went through their entire breach notification process to thousands of individuals. The result was a whole mess of misunderstandings, the customers were alarmed, there was much bad press, and the entire situation was just downright bad.
If they had been using the HITECH Act breach definition, this would likely have been an exception under (B)(ii).

2) One of the cleaning folks found some medical records in a trash can in the office area of a clinic where they were contracted to work. The person cleaning recognized that the papers contained protected health information (PHI) and other PII (thanks to her training and ongoing awareness communications!) and she called the clinic manager. The manager went immediately to the clinic and collected the confidential papers from the cleaning person. The clinic did not notify the individuals whose PII papers had been found; they determined that the person cleaning did not make copies or otherwise use the information inappropriately.

Under the HITECH Act, this was likely appropriate under (B)(i) since the acquisition of the PHI was made during the course of the cleaning person's contracted job responsibilities and there was no further access, use or disclosure of the information.

3) In January 2008, an official from the Wisconsin Department of Health and Family Services announced in a public statement that a mailing contractor used by Plano, Texas-based EDS (to whom Wisconsin outsources Wisconsin's Medicaid, SeniorCare and BadgerCare state health plan computer processing activities) accidentally printed the Social Security number (SSN) on the mailing labels of 260,000 plan members. The Wisconsin agency notified all those who had their SSNs printed on the mailing labels and EDS offered free credit monitoring to the individuals.

Under the HITECH Act would this have been considered a breach, or a breach exception according to "(iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person"?

This is a great question without one clear answer! Even though the SSN was on the mailing label for anyone with access to the letter to see, the U.S. Postal Service is generally considered by the U.S. government to be a "secure" mode of delivery, with trusted workers who do not do bad things. Of course, there have been several documented instances of USPS workers doing bad things with the mail, but in general the U.S. government views the USPS as trusted. Just talk to an IRS representative about tax returns not being delivered and they will tell you that!

I heard differing opinions from the information security practitioners, privacy officers and lawyers to whom I posed this question.

But what about all the other 48 U.S. state and territory breach notice laws; would these three situations have been considered as breaches under them?

An important part of security incident and privacy breach response planning is determining what types of situations are breaches, and clearly defining and documenting that definition. The next step is providing training to personnel, followed by ongoing awareness communications about what is and is not considered a breach.

Last Week’s Quiz Question
How many gallons of sap does it take to produce a gallon of maple syrup?

Answer: 40 gallons
(Note: There was some disagreement on this one, as The Cornell Sugar Maple Research & Extension Program asserts that it takes 42 gallons of sap to make a gallon of maple syrup. But the question refers to quality Vermont maple syrup, not inferior syrup from other states.)

This week’s winner is Thomas Reardon. Congratulations Thomas.

This week’s Quiz Question
Who was Harold "Doc" Martin in the history of Norwich University?

Winner receives a free copy of the new ISO 1,200 page information security policies standard.

Submit all answers to jorlando@norwich.edu
