HIPAA Training Observations
I spent the last two days in Austin attending a HIPAA Security Auditing course provided by the State of Texas. The course was an MIS Training Institute presentation. Although it was not the best presentation I have ever attended, I have to say that taking this auditing course really opened my eyes to the HIPAA requirements and how they are going to affect my organization. The most important lesson I learned through this course is the difference between Covered Entities (CE), Hybrid Entities (HE), and organizations that do not fall under the HIPAA requirements at all.
Until yesterday it was my understanding that any organization that handled medical information fell under the watchful eye of the HIPAA requirements. This is not the case. The delimiter (in basic terms) is whether or not the organization transmits health information electronically in connection with a HIPAA standard transaction, which in practice means some type of electronic billing. If an organization is not doing electronic billing, either itself or through a third party, then it is probably not required to adhere to the HIPAA security requirements. Is it still required to treat the medical data as sensitive information? I hope that it does, but as it does not fall under HIPAA I guess there is a gray area of responsibility. This scares me.
HIPAA basically outlines that CE and HE organizations will adhere to security best practices. HIPAA mandates a minimum level of security best practices that must be applied to protect the medical data at rest and in motion. There are a lot of weaknesses in these requirements simply because of the way they are described and where within the documentation they are placed. As I went through the class it seemed to me that the requirements were put together by auditors and lawmakers, and that the security professionals were left out of the conversation.
Although people might complain about the HIPAA requirements, I no longer feel that they have a leg to stand on. There is nothing outrageous in these requirements (except maybe one or two really quirky things), and the only real problem will be the way that the auditors interpret the HIPAA standards and how they are applied within an organization. Of course this is true of any standard. There will always be a negotiation of the level of protection compared to the risks involved. My personal feeling is that through HIPAA we have a standard, an overall policy, that is applicable to these specific organizations. We can point to these standards when an organization fails to adequately protect the sensitive information with which it is entrusted.
Can HIPAA be improved? Certainly; this standard is in need of a huge overhaul to bring it into the modern age of information security. I would bet that this standard could be quickly and effectively updated by a good team of auditors, lawmakers, AND security professionals working together. However, I think a better method would be to set a security standard using an approach like the one used for military and government information security environments: come up with detailed levels of implementation and then set a minimum level for particular business types (e.g., medical, financial, banking, educational). Give tax advantages to businesses that adhere to higher levels defined within the guidelines. This way we do not have to pay for multiple standards for different businesses. How to do security does not change from organization to organization. Rather, what changes is the level of protection necessary to protect the assets involved. Although there may be some downsides to this, and some organizations and businesses might slip through a few cracks, the cost savings in developing, implementing, and auditing standards would, in my opinion, compensate.
Go forth and do good things,
Cutaway
HIPAA, MISTI, Security Ripcord
March 2nd, 2007 at 3:53 pm
Dear Cutaway:
A lot of smart people have worked long hours perfecting the HIPAA rules, both when they were passed a decade or so ago and ever since. Unfortunately, those working the hardest were clever people employed by the insurance industry. HIPAA is about portability, not privacy. As for the word accountability? That is a waste of English. Virtually nobody has ever been prosecuted for a violation.
In 2003 the act was quietly amended by the Bush administration to make it more insurance friendly, totally disregarding Americans' privacy. The amendment made HIPAA an expensive farce, but it assured employment of a lot of people like you, whose salaries are tacked onto already high medical bills. I guess it is more like a capitalist's WPA project in that respect.
Did they teach you that the forms one signs in a doctor's office are meaningless? One cannot prevent the insurer from sharing patient information with over 600,000 business entities, which can include bankers, bosses (if self-insured), and virtually anyone else who is interested enough to pay for the data. Yes, you heard me correctly. The insurers are planning for profits from selling personal information. Did your instructor cover that as well? (Source: patientprivacyrights.com)
Your concern that HIPAA only concerns electronic records and not paper records is absurd. In all of history, how many paper charts would you guess have been exposed to thieves? Thousands? Here is how well HIPAA has done: In the last 14 months, 100 million electronic health records have been fumbled. That equals one-third of the nation.
So you and your instructors are worried about the security of paper records. What is the caliber of an instructor who lies to students? Darrell Pruitt DDS
March 2nd, 2007 at 5:39 pm
Glad to see that HIPAA training is starting to be a little less alarmist in nature— back in the earliest days most trainings were given by lawyers, and scared the living daylights out of folks. You are certainly correct, there is not much about HIPAA that defies common sense, and many of the standards in a perfect world would be best practice even without the regulation.
HIPAA was pretty much written to be technology independent— combining the latest information security technology with the guidelines should be small trouble for most Covered Entities, except for the lamentable tendency of most businesses to think of security only after there has been some sort of breach. This absence of a critical component of protection from the mindspace of management leads to many other problems, not just regulatory incidents.
Michael Ehart
CISSP, MCSA, CHA, CHP, Certified HIPAA Security Specialist
Comply With Me— a HIPAA Forum
March 2nd, 2007 at 8:28 pm
“In all of history, how many paper charts would you guess have been exposed to thieves? Thousands? Here is how well HIPAA has done: In the last 14 months, 100 million electronic health records have been fumbled.”
Electronic health records being fumbled is not caused by HIPAA— it is caused by poor practices in handling information, which will continue as long as we fail to turn back the clock and return to those halcyon days of paper-only records in every sphere of endeavour— shoot, while we are at it, let's just go back to clay tablets, as information theft is far more difficult if each patient record weighs 4 ounces per page.
We could do this with banking, too! No more easily stolen and tapped ATM cards! If all we had were passbooks and cash, identity theft would be so much more difficult. In fact, let’s return to barter— then if you want to steal from me, you will have to be able to tuck my oxen under your coat.
I agree that Bush's gutting of HIPAA and the current administration's reluctance to enforce what remains is a problem, but as far as it being a full-employment program for the worthless infosec parasites like us, try typing in a job search at Monster with a keyword of HIPAA. Not much, and not high-paying. There are many real factors causing medical costs to be ridiculously high, but HIPAA compliance is not one of them.
March 4th, 2007 at 7:28 am
[...] Security Ripcord Blog Post – HIPAA Training Observations – http://www.cutawaysecurity.com/blog/archives/112 [...]
June 12th, 2007 at 3:37 pm
Complying with HIPAA regulations can help with complying with many other regulations and standards. A poster from Symantec that crosswalks the different regulations is a very useful tool. This poster is a crosswalk between: ISO 17799, COBIT 4.0, Sarbanes-Oxley, HIPAA, Payment Card Industry (PCI), GLBA, NERC CIP standards and PIPEDA (Canada). http://www.compliancehome.com/symantec/
September 13th, 2007 at 1:20 pm
[...] information we do have “leaked” looks like a high level review of documentation, and dentists trolling Infosec blogs mocking the whole HIPAA thing because of their risk [...]