
August 28, 2008

What HIPAA Can Learn From PCI

There are plenty of people who have criticized the PCI Data Security Standard, including some who are already objecting to the next update of PCI DSS. (I encourage you to check out Evan Schuman's thoughts on what PCI DSS 1.2 is missing in his post from August 22nd.) Given some of the negativity that has been expressed, the title of an article by John Carmichael in the June 18th edition of SC Magazine, What HIPAA can learn from PCI, certainly caught my attention.

Carmichael begins by correctly stating, "HIPAA is about the portability and accountability of patient data, not the privacy or protection of data." However, he goes on to ask the reasonable question, "within HIPAA accountability, is there not some implication of protection?"

While Carmichael doesn't give the Payment Card Industry Data Security Standard (PCI DSS) a ringing endorsement, he does spell out specific areas where HIPAA could be improved if it adopted comparable PCI practices. To begin with, Carmichael states that "HIPAA in its current form fails to adequately protect patient data. There is a lack of oversight, guidance and enforcement." It's a point he reinforces well using one of the findings from the 2008 HIMSS Analytics Report, Security of Patient Data, which found that "during the period of 2006-2007, an estimated 1.5 million patient records were compromised. Astoundingly only 56 percent of respondents in the study who had experienced a breach bothered to notify the patients involved." You can download a webinar we held back in April with HIMSS Analytics' Executive Vice President here.

The main elements of PCI that Carmichael would like to see HIPAA adopt are as follows:

  • HIPAA needs to become an evolving set of specific requirements that attempt to improve overall security of all covered entities
  • HIPAA needs to have an assessment mechanism that requires regular checks for compliance
  • HIPAA needs a set of consequences for non-compliance that will provide appropriate motivation to protect data
  • HIPAA needs to be regularly reviewed to address evolving threats by requiring acceptable countermeasures be enacted

Given the aging of the general population in the United States, its growing need for ongoing medical care, and the increasing dependence on IT infrastructures to maintain historical patient data and to share that data between multiple medical offices and care providers, it is essential that each of us is able to trust that our medical information remains protected, while still being readily available for our physicians to make appropriate medical decisions.

You can view samples of some of the configuration attribute reporting Ecora Auditor Pro can provide to help meet any potential HIPAA audit and, as importantly, ensure personal health information remains secure.

Contributed by Mark Tordoff


Comments

Mark – Your post raises some excellent questions regarding compliance and security. Blogs like this are an excellent place for professional dialogue.

My apologies for the length of this comment, but I believe your readers will find the responses to John Carmichael's thoughts interesting.

Like any federal regulation, they seem to be either too specific, too vague, or somewhere in between. I have experienced similar comments to those reported by John Carmichael. In fairness to the regulations, however, I have been impressed with the regulators' thoughtfulness in their approach to creating HIPAA standards for a vast healthcare industry, ranging from small to enterprise-level organizations, both rural and urban. Some thoughts on Carmichael's points…

Carmichael Point 1. HIPAA needs to become an evolving set of specific requirements that attempt to improve overall security of all covered entities.

Response: HIPAA regulators' comments in responding to public comments in the final security rule: “We solicited comments as to the level of detail expressed in the required implementation features; that is, we specifically wanted to know whether commenters believe the level of detail of any proposed requirement went beyond what is necessary or appropriate. We received numerous comments expressing the view that the security standards should not be overly prescriptive because the speed with which technology is evolving could make specific requirements obsolete and might in fact deter technological progress. We have accordingly written the final rule to frame the standards in terms that are as generic as possible and which, generally speaking, may be met through various approaches or technologies.” [Federal Register / Vol. 68, No. 34 / Thursday, February 20, 2003 / Rules and Regulations, 8335]

Carmichael Point 2. HIPAA needs to have an assessment mechanism that requires regular checks for compliance

Response: HIPAA created the Evaluation Standard 164.308(a)(8), which requires a periodic technical and non-technical evaluation of the healthcare organization's security safeguards to demonstrate and document compliance with its security policy and the security rule requirements. Incidentally, this is a required standard, meaning “a covered entity must implement the implementation specifications”. Here's the specific rule:

Evaluation 164.308(a)(8) HIPAA Standard: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

Carmichael Point 3. HIPAA needs a set of consequences for non-compliance that will provide appropriate motivation to protect data

Response: Although HIPAA was created with a series of penalties, active enforcement was not funded. As a result, compliance experts (including this writer) predict that HIPAA will follow other federal regulations (OSHA, as an example) in becoming a major privacy and security compliance measure. Look no further than an August 2007 Senate bill introduced to significantly enhance the enforcement of HIPAA - read more at http://dgpeterson.com/category/hipsa/


Carmichael Point 4. HIPAA needs to be regularly reviewed to address evolving threats by requiring acceptable countermeasures be enacted

Response: HIPAA regulators' comments in responding to public comments in the final security rule: “In this final rule, we adopt both ‘required’ and ‘addressable’ implementation specifications. We introduce the concept of ‘addressable implementation specifications’ to provide covered entities additional flexibility with respect to compliance with the security standards. In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following: (a) Implement one or more of the addressable implementation specifications; (b) implement one or more alternative security measures; (c) implement a combination of both; or (d) not implement either an addressable implementation specification or an alternative security measure. In all cases, the covered entity must meet the standards, as explained below. The entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. This decision will depend on a variety of factors, such as, among others, the entity's risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation.” [Federal Register / Vol. 68, No. 34 / Thursday, February 20, 2003 / Rules and Regulations, 8336]

Grant Peterson, J.D.
Compliance Consultant
