Local Encryption ... Why Not?

scottalanmiller

@BRRABill said:

Legal words:
A breach of protected health information (“PHI”) is defined as the acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which poses a significant risk of financial, reputational, or other harm to the affected individual.7 Parsing this definition into its components, there must be: (1) an access to, or use or disclosure of unsecured PHI; (2) a use, access or disclosure that violates the “Privacy Rule” ( i.e., Subpart E of 45 C.F.R. 164); (3) a significant risk that such access, use or disclosure will cause financial, reputational, or other harm to the patient; and (4) no exceptions that apply.

1: Access. The moment the data is moved, there is access.
2: Once it is moved, again, it has been accessed
3: Any access poses such a risk
4: No Exception to the above.

To me, the example I have, is unquestionably a breach. If your user puts data on a laptop without permission, it's a breach by HIPAA regulations.

Dashrender

@BRRABill said:

@scottalanmiller said:

No, it's stolen. In ANY non HIPAA sense, once a thief has taken the data, it's stolen and is a breach. Maybe HIPAA does a cover up to protect facilities until a breach has become a detriment to an end user. This is just how corrupt the government is that they stop the use of terms like breach to hide that data has been stolen and exposure has happened but "nothing bad" with it has happened, that's just lying. And fine, maybe no HIPAA suit can happen. The facility would still be open to a civil suit, which should be far worse.

I think this was in response to if an employees just stumbles across something they weren't supposed to.

Technically a breach, but not reportable.

Not a full on theft or malicious intent.

I'm not really sure how that happens? The user just happened to have a USB drive plugged in? they just happened to accidentally choose a large number of patient files, and accidentally copied them to the USB stick?

That's to many accidents for me.

scottalanmiller

@BRRABill said:

@Dashrender said:

I don't agree with this. Once the employee has the data, the breach has happened. Because the employee has broken the rules and copied the data someplace it's not suppose to be. The employee is the breach.

There is a breach in the simplest definition of the word. But it might not be a HIPAA violation.

But it meets all qualifications. All medical data poses significant risk. Any access meets the 1/2 requirements. 4 says no exceptions. So it's a HIPAA violation by the legal wording every time.

scottalanmiller

@Dashrender said:

@BRRABill said:

@Dashrender said:

The hospital should be in the clear. Assuming a few things of course. The employee had reasons to have access to the data in the first place, and the hospital has policies that state that users can't copy data on to memory sticks.

They would still have to report the breach, including to the media.

And be investigated by the OCR.

And hope, as you said, they had covered all these things in the documentation and training. And REALLY hope they hadn't already been warned about it.

In this situation if the hospital knew that this employee did in fact download this against company policy.. i think they'd have no choice but to report it, legally. Assuming they discovered is as soon as it happened, they could also report that the data was never at large risk, but the report I would think legally would still need to be made.

Exactly. Any non-immediate reporting would be "covering up" a known breach.

scottalanmiller

@BRRABill said:

@Dashrender said:

In this situation if the hospital knew that this employee did in fact download this against company policy.. i think they'd have no choice but to report it, legally. Assuming they discovered is as soon as it happened, they could also report that the data was never at large risk, but the report I would think legally would still need to be made.

It has been my understanding that this is up to the compliance team.

For example, if the drive was lost, but was lost while swimming, it could be assumed the data was lost. Or the laptop is gone, but was destroyed in a fire or something.

I don't see any allowance for that. The breach happened. I think that you are not considering the breach to have happened. By the time that the laptop was lost, we are past the point of the breach and the need to report it. Sure, they might get away with it given the situation, but they are skirting the law and getting away with a breach, not avoiding a breach.

BRRABill

@scottalanmiller said:

4: No Exception to the above.

It said no exceptions apply, not that there were no exceptions to #1-3

Dashrender

@BRRABill said:

@scottalanmiller said:

4: No Exception to the above.

It said no exceptions apply, not that there were no exceptions to #1-3

meaning, assuming not exceptions apply

scottalanmiller

@Dashrender said:

@BRRABill said:

@Dashrender said:

I don't agree with this. Once the employee has the data, the breach has happened. Because the employee has broken the rules and copied the data someplace it's not suppose to be. The employee is the breach.

I don't agree with your disagreement.

The employee should NEVER been given access to the data. That would definitely be considered a breach.

This is the problem I was talking about before.

Let's say your a nurse in Chicago, the same hospital that Michael Jordon goes to. other than the hospital putting special locks in place for celebrities, all medical staff in that hospital have access to his records. This is the common approach, and I have yet to see a single place do it differently.

Although any hospital can lock that down. That they choose to expose data in a way that IT would never do is their choice. It's just that medical professionals don't hold themselves to the same standards at their "best" than IT does at "entry point."

The common approach for hospitals is to be insecure, unprofessional and sloppy. Doesn't make it right.

scottalanmiller

@BRRABill said:

@scottalanmiller said:

That's what I am saying, yes. If the hospital secured the data and the end user stole it while having legitimate access that could not be prevented then the OCR could do nothing.

They still need to report the breach and get all sorts of legal, IT, and compliance teams involved though.

And the OCR would still investigate.

And like I said, they better hope they really did indeed secure it.

Why? The issue is the theft, not the security.

Dashrender

@scottalanmiller said:

Although any hospital can lock that down. That they choose to expose data in a way that IT would never do is their choice. It's just that medical professionals don't hold themselves to the same standards at their "best" than IT does at "entry point."

The common approach for hospitals is to be insecure, unprofessional and sloppy. Doesn't make it right.

I'd love to hear an idea of a way to lock this down.

scottalanmiller

@BRRABill said:

@scottalanmiller said:

No, it's stolen. In ANY non HIPAA sense, once a thief has taken the data, it's stolen and is a breach. Maybe HIPAA does a cover up to protect facilities until a breach has become a detriment to an end user. This is just how corrupt the government is that they stop the use of terms like breach to hide that data has been stolen and exposure has happened but "nothing bad" with it has happened, that's just lying. And fine, maybe no HIPAA suit can happen. The facility would still be open to a civil suit, which should be far worse.

I think this was in response to if an employees just stumbles across something they weren't supposed to.

Technically a breach, but not reportable.

Not a full on theft or malicious intent.

But we were talking about an employee stealing data by taking it from a system where it is protected and moving it by their own choice and against policy to an end point where they are not allowed to - committing a theft of the data (even though it is still, at the moment, on potentially hospital owned equipment.) They've committed the theft. Whether they are doing it because they are lazy or plan to sell it, it's a breach of policy, a breach of patient rights, a breach of data, a breach of HIPAA, a breach of trust.

scottalanmiller

@BRRABill said:

@scottalanmiller said:

Exactly. Harm is done once data is exposed. Breach means... breach. The data is no longer controlled by the parties allowed to have access to it.

Technically if anyone sees data they aren't supposed to, it is a breach.

Nurse forgets to lock her workstation, and the food delivery person sees it. Breach.

Yup. that's one by accident, but absolutely.

scottalanmiller

@Dashrender said:

@scottalanmiller said:

Although any hospital can lock that down. That they choose to expose data in a way that IT would never do is their choice. It's just that medical professionals don't hold themselves to the same standards at their "best" than IT does at "entry point."

The common approach for hospitals is to be insecure, unprofessional and sloppy. Doesn't make it right.

I'd love to hear an idea of a way to lock this down.

Same way we do for anything in IT. Think about a ticket system. You only get access to tickets you or your department are working on, not all tickets. Nurses probably can't be locked to a single patient, but they can be easily locked to patients on their floor, under their care, in their department, working with a doctor to whom a nurse is assigned, etc. It's just the concept of least privilege access.

Hospitals, we assume, know who is to work where. It's not a free for all with no oversight. We should know what doctors, nurses and techs should have access to which patients.

BRRABill

@scottalanmiller said:

I don't see any allowance for that. The breach happened. I think that you are not considering the breach to have happened. By the time that the laptop was lost, we are past the point of the breach and the need to report it. Sure, they might get away with it given the situation, but they are skirting the law and getting away with a breach, not avoiding a breach.

Not every breach needs to be reported. That is what legal and compliance teams are for.

For example, the SED. If you lose a laptop that in encrypted to their standards, it is exempt from reporting requirements.

“Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information–that is, the information is not considered ‘unsecured’ in such cases. ” [78 Federal Register 5639] Finally, “[w]e encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health information pursuant to the Guidance. If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information.”

BRRABill

@scottalanmiller said:

Why? The issue is the theft, not the security.

Because it is a breach and breaches over 500 records need to be reported, or at least investigated to be reported.

scottalanmiller

@BRRABill said:

@scottalanmiller said:

I don't see any allowance for that. The breach happened. I think that you are not considering the breach to have happened. By the time that the laptop was lost, we are past the point of the breach and the need to report it. Sure, they might get away with it given the situation, but they are skirting the law and getting away with a breach, not avoiding a breach.

Not every breach needs to be reported. That is what legal and compliance teams are for.

For example, the SED. If you lose a laptop that in encrypted to their standards, it is exempt from reporting requirements.

“Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information–that is, the information is not considered ‘unsecured’ in such cases. ” [78 Federal Register 5639] Finally, “[w]e encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health information pursuant to the Guidance. If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information.”

I don't agree. If someone has downloaded without permission to the laptop, encryption or not, the data is stolen and out of the hospital's control. You are talking about cases where the data was allowed to be there, we are talking about where "there" is the transfer point of an ongoing theft.

HIPAA might protect you in the case of this and help with a cover up - but your facility is still going to get destroyed by the media if that data gets released and no one will care that the laptop was "encrypted", only that you allowed data to leave the facility.

scottalanmiller

@BRRABill said:

@scottalanmiller said:

Why? The issue is the theft, not the security.

Because it is a breach and breaches over 500 records need to be reported, or at least investigated to be reported.

Yes, but the theft was not related to your security. What's there to investigate? Has nothing to do with IT.

BRRABill

I don't think the breaches comes from doctor and nurses. If you look at the data, it seems to me to be the behind the scenes people.

Look at his. Puch.
Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives.

scottalanmiller

We are talking about an employee who has legitimate access to data to do their job and decides to take that data out of your systems and steal it. There is no technical means of preventing this, this is data that the end user was allowed to have and decided to steal. There is nothing to investigate except for the end user.

scottalanmiller

@BRRABill said:

I don't think the breaches comes from doctor and nurses. If you look at the data, it seems to me to be the behind the scenes people.

That's possibly true. Although I know from this past week of nurses violating HIPAA left and right telling patients in facilities about other patients in the same facility.