Four Main Areas of Change

There are certain aspects of the ARRA that make significant changes on the types and level of privacy and security requirements healthcare providers are required to follow. The ARRA imposes substantial modifications in the following four areas:

1. HIPAA (Health Insurance Portability and Accountability Act) statutory requirements
2. Increased enforcement of HIPAA
3. Provisions to address health information held by entities not covered by HIPAA
4. Other changes including administrative changes, studies, reports and educational initiatives

The modifications in each of these four areas are discussed in separate articles in this series. This article focuses on the ARRA’s changes to HIPAA enforcement policy and procedure.

Direct Accountability

The ARRA amends original legislation and holds business associates accountable by federal and state authorities for failure to comply with any applicable provisions of the HIPAA Privacy and Security Rules. The original Act states that government authorities are unable to hold business associates accountable for failing to comply with their agreements; only covered entities can be held liable for the actions of their business associates in limited circumstances.

Criminal Penalties

ARRA provides important clarification that HIPAA’s criminal penalties can be enforced against individuals. This includes, but is not limited to, employees of a covered entity. This provision essentially overrules a Department of Justice memo issued during the Bush Administration that declared only covered entities could be criminally prosecuted for violations of HIPAA.

ARRA also clarifies that Health and Human Services (HHS) and state attorneys general can pursue a civil HIPAA violation in cases where criminal penalties could be imposed, but the Department of Justice declines to pursue the case. The Secretary is required to formally investigate any complaint where a preliminary investigation of the facts indicates a possible violation due to willful neglect. The Secretary must also impose a civil monetary penalty if a violation is found to constitute willful neglect of the law. The Government Accountability Office (GAO) will need to develop a methodology for individuals affected by HIPAA violations to receive a percentage of any penalty or monetary settlement collected.

There is also a new tiered penalty structure, based on the level of the HIPAA violation, which is capped at $50,000 per violation and an annual maximum of $1.5 million.

Enforcement by State Attorneys General & Secretary Auditing

There are a number of states that authorize their attorneys general to enforce federal consumer protection laws, which include HIPAA. ARRA expressly authorizes all state attorneys general to enforce HIPAA in federal district court. This means that attorneys general in all states are able to enforce the law, even if no state authorizing statue exists. Penalties imposed in such situations are limited to former statutory minimum set by the HIPAA: $100 per violation and $25,000 annually for repeat violations of the same provision.

The Secretary has the right to intervene in the application of this provision where necessary. The ARRA also requires the Secretary to perform periodic audits to ensure compliance with the new provisions.

Summary

This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which created some significant changes to privacy and security regulations which were outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) HIPAA statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the modifications the ARRA made to HIPAA enforcement.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:

• Amendments under the American Recovery & Reinvestment Act of 2009 (I.B.a.i.3.)

Defining IAM

IAM is comprised of two functions: Identity Management (IdM) and Access Management. IdM is the business processes and supporting infrastructure for the creation, maintenance and use of digital identities. The key components of IdM can be summarized in four concise questions:

1. Who are you? (identification)
2. How do we know? (authentication)
3. What services and/or transactions are available to you? (authorization)
4. Is the information about you secure? (privacy)

Access Management refers to the process of control regarding to whom and when access is granted to internal/external parties, data repositories. It includes access for the retrieval of data and making changes to data.

The IAM Process

An IAM infrastructure must address the requirements of managing a users’ identity over its entire lifecycle, in alignment with business objectives, policies and relevant regulations. The IAM process is as follows:

• Registration and Creation – This is the first step of the identity lifecycle and involves the creation of the identity as well as the attributes that determine its privileges. A registration function should be integrated as part of the IAM process.
• Propagation – This involves registration of customers, vendors and business partners. This stage requires the development of processes for registering external users.
• Maintenance/Management – Application capabilities and entitlements need to change to reflect the evolution of identity attributes. Once an identity has been registered and propagated, there must be ongoing maintenance and management processes in place.
• Suspension /Deletion – Organizations may choose to implement a provisioning component to allow user provisioning to suspend, rather than delete, an identity and its associated privileges.  This identity should be archived for later access, auditing, or other security requirements.
• Termination – There must be an established termination process to end the identity information lifecycle. Typically, such processes are driven by security policies that determine an acceptable limit for the amount of time that passes after users are deleted and when their access to applications systems are shut off.

IAM Services

IAM services refer to a new information infrastructure that exhibit several key characteristics, as outlined below:

• IAM services integrate all pertinent information about individuals from multiple authoritative source systems (e.g. email, voicemail, human resources systems, electronic portfolios, local area networks, etc.). This brings together accounts in disparate systems and joins the different identities together as a unique identity.
• IAM services process and transform information about individuals and allows the information to be stored in a way that is useful to applications.
• IAM services can function as a focus for implementation of policies regarding visibility and privacy of identity information and entitlement policies across various systems.

Why use IAM Services?

There are a number of advantages to using IAM services, as they make the existing services more convenient and development of new services may be simpler to achieve. Other advantages to implementing an IAM system include:

• Reduced overhead for service management – An IAM system would simplify the authentication model, since applications would use the same shared identity and access infrastructure. This consolidated system would reduce the staff and overhead required to manage each application.
• Increased security – Security and privacy issues are coming into public focus more and more. In response, regulatory requirements have become stricter. Consolidation of identity and access services can ensure that related policies can be supported in one location by the same staff.
• Simplified network and online service access – Consolidation of authentication processes can facilitate unified identity verification for a variety of online services. This means that users would need to provide a reduced set of credentials (i.e. user ID/password), simplifying service delivery and problem resolution.
• Legal pressures – Various institutions are required to restrict access to sensitive records under a number of legislations, including the HIPAA (Health Insurance Portability and Accountability Act); the GLBA (Gramm-Leach-Bliley Act); and the FERPA (Family Educational Rights and Privacy Act).
• Business and ethical stewardship – Organizations have the responsibility to safeguard confidential information, intellectual property and other strategic information. This means that they must ensure appropriate access to sensitive information and are obliged to protect information that can be misused.

Summary

IAM systems have evolved significantly over the last fifty years. Their range of functions have increased and IAM services now boast numerous advantages. This article defines IAM systems and takes a look at the functions and components of IAM services.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

• Identity and Access Management (VI.F.)
• Organizational Practices (II.A.b.)

Credit Card Fraud in Context

The following high-profile cases of credit card fraud underscore the need for security practices, such as the PCI DSS:

–                    February 2005: Bank of America loses of 1.2 million customer records, although there was no evidence that the records had come into the wrong hands.

–                    June 2005: Merchant payment-processing provider, CardSystems, is sued for failing to provide adequate protections for the personal information of over 40 million customers.

–                    February 2006: Approximately 400,000 debit card accounts were disclosed by retail merchants.

–                    January 2007: A MoneyGram (a payment service provider) server was unlawfully accessed, revealing the names, addresses, phone numbers and bank account numbers of some 79,000 customers.

–                    January 2007: The credit/debit card numbers of over 45 million customers was stolen from the TJX IT system.

What is PCI DSS?

In 2004, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International created the Payment Card Industry (PCI) data security framework. Before developing this standard, each company had a proprietary set of information security requirements, which presented a challenge to participants in multiple brand networks. The uniform set of information security requirements they developed became known as the PCI Data Security Standard (PCI DSS), which applies to all payment channels: retail, mail orders, phone orders and e-commerce.

PCI DSS is comprised of twelve security requirements (aka the “digital dozen”), which are as follows:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software/programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for employees and contractors.

Compliance with PCI DSS

Compliance with PCI DSS is becoming more and more important for businesses of all sizes. Demonstrating compliance with the standard proves to customers that an organization has secure systems that can be trusted with their sensitive payment card information. As a result, customers are more likely to build trust in the brand, become repeat customers and recommend the business to others. Compliance with PCI DSS can also develop a business’ reputation with acquirers and payment brands. It can also make other compliance processes easier (e.g. with HIPAA, SOX, etc.).

There are three main stages of compliance:

1. Collecting and Storing – This involves the secure collection and tamper-proof storage of log data so that it is available for analysis.
2. Reporting – This is the ability to prove compliance should an audit arise. The organization should also show evidence that data protection controls are in place.
3. Monitoring and Alerting – This involves implementing systems to enable administrators to monitor access and usage of data. There should also be evidence that log data is being collected and stored.

Non-Compliance

There are numerous negative consequences of non-compliance with the PCI DSS. Compromised payment card data has negative outcomes for consumers, merchants and financial institutions. Compromised data can damage an organization’s brand reputation. Breaches of account data can result in loss of sales, relationships, diminished community standing and decreased share prices, for publicly traded companies.

Other negative consequences of non-compliance may also include:

–                    Lawsuits

–                    Cancelled accounts

–                    Payment card issuer fines (which could amount up to $500,000 per incident)

–                    Government fines

–                    Insurance claims

–                    Loss of ability to process payment card transactions

PCI DSS in Canada

PCI DSS has been a major driving force for Canadian businesses in improving their IT security systems. As a globally-recognized set of mandatory security practices, PCI DSS to any Canadian company, organization or government department that engages in the storage, processing or transmission of payment card information. As the twelve steps involved in PCI compliance form the foundation for general IT security frameworks, it may be a good starting point for a variety of organizations.

According to IBM Canada security architect Gary McIntyre, “Canadian firms that failed to achieve PCI compliance would not likely get disconnected from the card networks, but they would face stringent financial penalties from Visa or MasterCard.”

Summary

This article explores the PCI DSS (Payment Card Industry Data Security Standard), developed in 2004 by a number of stakeholders in the payment card industry. The PCI DSS is comprised of twelve security requirements, which are referred to as the “digital dozen.” The article discusses the advantages of compliance, as well as the necessary stages to achieve compliance with the PCI DSS. Finally, the article looks at the PCI DSS from an international standpoint, introducing the adoption of the standard in Canada.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

–                    Industry Consortia Security Frameworks (V.B.iv.)

–                    PCI DSS (V.B.iv.1.)

In Brief

The report, entitled the Benchmark Study on Patient Privacy and Data Security, was published by the Ponemon Institute and ID Experts in November 2010. The study was based on findings from 65 health care organizations (mainly hospitals) and included an examination of each organization’s privacy and data protection compliance activities; policies; program management activities; security technologies; security governance practices; and compliance with the mandates of the HITECH Act of 2009.

The major findings of the report are briefly outlined below:

• Data breaches cost the US health care system billions of dollars each year. The study revealed that the economic impact of data breach incidents amounted to over $2 million, over a two-year period.
• The majority of health care organizations have undetected patient data breaches. Organizations participating in the study reported they had inadequate resources (71%); few appropriately trained personnel (52%); and insufficient policies and procedures in place (69%) that could quickly and effectively prevent/detect patient data loss. It was shown that data breaches went undetected due to the lack of preparation and staffing.
• Patient data protection is not a priority in health care organizations. 70% of hospitals participating in the study responded that protecting patient data was not one of their top priorities. 67% of the organizations hired less than two staff members dedicated to data protection management. At many organizations, the patients were the first to detect a disturbingly high number of breaches (41%). This means that sensitive data was being unknowingly exposed until the individuals detected the breach.
• Despite recently-enacted federal regulations, the security of patient records has not improved. Acts supporting the privacy security of medical information, such as the HITECH Act of 2009 and the HIPAA of 1996 have not resulted in stronger safeguards for patient data. According to the study, 71% of respondents did not believe that these federal regulations have sufficiently improved the management of patient records.

What is the HITECH Act?

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was enacted as part of the American Recovery and Reinvestment Act of 2009. It was designed to address privacy and security concerns regarding the electronic transmission of health information. With the HITECH Act, starting in 2011, a physician is eligible to receive up to $44,000 in incentives for “meaningful use” of an electronic health record (EHR).

The HITECH Act also extended the Privacy and Security Provisions of the HIPAA to business associates of covered entities, which include criminal and civil penalties. The Act imposes new breach notification requirements on the following entities:

• Covered entities
• Business associates
• Vendors of personal health records
• Related entities

Finally, the HITECH Act implements rules regarding disclosures of a patient’s health information. Disclosures include information that is used for treatment, payment and health care operations when the health care provider is using an EHR.

Moving to EHR

The majority of respondents in the Ponemon study believed that making the switch to electronic health records (EHR) would make patient data more secure. EHRs are longitudinal electronic records of patients’ health information. They are both generated and maintained within a health care institution, such as a hospital, integrated delivery network, clinic or physician’s office.

Such records would include:

• Progress notes
• Patient’s demographics
• Past medical history
• Immunizations
• Health Problems
• Medications
• Vital signs
• Laboratory data
• Radiology reports

Proponents argue that implementation of EHR processes and systems will help to provide additional functionality (e.g. interactive alerts, interactive flow sheets, tailored order sets), which may not be possible with traditional, paper-based systems. Other major benefits of EHRs include:

• Reduction in medical error
• Improved accuracy/clarity of records
• Increased availability of health information
• Reduced delays in treatment times
• Less duplication of tests
• Better-informed patients

According to a recent study conducted by researchers at the Stanford University School of Medicine, EHRs did little to improve the quality of health care. This was based on data from almost 250,000 patient visits, between 2005 and 2007. Although the federal government’s American Reinvestment and Recovery Act of 2009 allotted $19.2 billion for health information technology, specifically for the adoption of EHRs, there has not yet been evidence of positive impact.

Summary

The article takes a look at the 2010 Benchmark Study on Patient Privacy and Data Security, conducted by the Ponemon Institute. The study revealed that data breaches were costing hospitals across the US up to $6 billion each year. Breaches of patient information are largely undetected by the organization, due to lack of priority, resources, preparation and staffing for privacy and security management. The article then examines the HITECH Act (the Health Information Technology for Economic and Clinical Health Act), passed in 2009 to strengthen privacy and security safeguards for health information. One contentious issue is the adoption of electronic health records (EHRs). Although the federal government has created economic incentives for the implementation of EHR systems, researchers have found them ineffective at improving the quality of health care.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:

• Regulatory Authorities – Department of Health and Human Service (HHS) (I.A.c.iv.)
• Health Insurance Portability and Accountability Act of 1996 (I.B.a.v.2.)
• Criminal and Civil Liability (II.B.a.)

This article looks at the processes of de-identification, or anonymization of personal information. It also examines how developments in re-identification can use anonymous information to identify individuals, underscoring the shortcomings of anonymization processes.

De-Identification

De-identification refers to the process in which sensitive data is treated in such a way that the individual cannot be identified. For instance, the de-identification of data may remove specified identifiers. Depending on the legislation, there may be different criteria for de-identification of data.

There are numerous reasons for de-identifying data. The de-identified, or anonymized, data allows important information to be accessed and analyzed, while still protecting the privacy of individuals. This win-win compromise allows analysts to use this information, while preventing identity thieves and other unauthorized entities from identifying the individuals.

Data mining companies will often gather personal information from dentists, doctors, nurses or pharmacists. For instance, prescription information will be collected and later sold to private interests, such as pharmaceuticals or research organizations. The information is then analyzed for trends or patterns in the prescriptions. Data mining companies argue that since the information they collect is de-identified, there is no risk of compromising individual’s sensitive information or revealing his/her identity.

According to the HIPAA (Health Insurance Portability and Accountability Act), there are two methods for de-identifying information. One option is to consult a qualified statistical expert regarding the risk of identifying the individual. This expert would be able to de-identify the data by applying methods to determine the risk that the information may be used to identify an individual, whether used alone or in combination with other information.

The other method is to remove eighteen specified identifiers. This ensures that there is no identifying information in the data. These identifiers are as follows:

1. Name
2. Geographic categories smaller than a state
3. Dates (except for the year) that is related to an individual. This may include data of birth, death, admission, discharge, etc.
4. Telephone numbers
5. Fax number
6. E-mail address
7. Social security number (SSN)
8. Medical record number
9. Health plan beneficiary number
10. Account numbers
11. Certificate or license numbers
12. Vehicle identifiers (e.g. serial numbers, license plates)
13. Device identifiers
14. Web URLs
15. IP addresses
16. Biometric identifiers (e.g. finger print, voice print)
17. Full-face photos
18. Any other unique identifying number, code or characteristic

Re-Identification

The process of re-identification matches de-identified, or anonymized, personal information back to the individual. Re-identification brings to light some of the shortcomings of anonymization, since the goal of anonymization is to ensure that any personally identifying information is removed, without compromising the utility of the data.

Computer scientists have found that once de-identified data can easily be re-identified. This raises a host of issues for organizations dealing with “anonymized” data. Currently, organizations do not have privacy obligations when working with anonymized data. However, if the data can easily be made personally identifiable, critics argue that privacy safeguards should be put in place.

Trail Re-Identification

Originally, re-identification refers to using data from a single entity holding the data. Recent research has looked at the concept of trail re-identification, which studies a trail of anonymous, homogenous data from a number of different locations. Looking at how the different data intersects can reveal personal, identifying information about the individual.

One example of trail re-identification is of online shoppers, who may visit a number of different websites before making a purchase. However, the IP addresses of their computers are recorded at each website they visit. Combining the visit logs with the customer lists may successfully identify individuals.

An identity thief may be able to reconstruct trails from data distributed over a number of locations. By pairing identified entities with their anonymized data, an adversary may be able to re-identify the individual through the process of trail matching. This form of identity attack is dependent on how the data is collected and to what extent it is collected. For instance, important information may include the fact that anonymous data is collected along with identified data, and if this data is complete or incomplete.

Examples of Re-identification

The following examples illustrate some failures of anonymization, in which individuals’ privacy could no longer be protected in light of the developments in re-identification processes. Although the harm done to the individuals was relatively limited, these examples point to how the process of re-identification can be used in more dangerous ways.

The introduction of this article cites Latanya Sweeney’s 2006 research in which 87% of people in the United States can be identified by combining their ZIP code, birth date and sex. Sweeney’s research also found that other types of information can also re-identify people. For instance, 53% of US citizens can be identified by their city, birth date and sex, while 18% of citizens can be identified by their county, birth date and sex.

In August of 2006, America Online (AOL) publicly posted 20 million search queries for 650,000 AOL search engine users. These queries summed up three months of activity. Before the data was released, AOL anonymized it by removing identifying information, such as the username and IP address. However, these identifiers were replaced with unique identification numbers, so that researchers could still make use of the data. Due to the nature of the personal information revealed, AOL was criticized for the move. Even though the data was anonymized before the release, within a relatively short time, journalists were able to trace user queries to specific individuals.

In October 2006, Netflix, an online movie rental service, publicly released 100 million records regarding how its users had rated movies over the period of time from December 1999 to December 2005. The records showed the movie, the rating the user had given and the date the user had rated the movie. While identifying usernames had been removed, each user was given a unique identifying number.

Two weeks after the data was released, researchers from the University of Texas found that it was relatively easy to re-identify the individuals in the Netflix database and find out all of the movies that the individual had rated. According to the research, using only six movie ratings, one could identify the individual 84% of the time. With the six movie ratings and the approximate date of the ratings, one could identify the individual 99% of the time.

A 2009 study carried out by Alessandro Acquisti and Ralph Gross showed that SSNs can be predicted when combined with an individual’s date of birth and his/her geographic location. Using the publicly available records in the Social Security Administration’s Death Master File (DMF), Acquisti and Gross looked for trends in SSNs of reported deaths. The researchers found there was a strong correlation between an individual’s birth data and the digits in their SSN. This raises a serious concern for individuals whose birth dates are publicly known, whether through voter registration lists, social networking profiles or other sources.

Protecting Privacy

There are a number of different privacy models that have been developed in order to address the issue of re-identification. Some methods include:

• Access control: This is the traditional model for safeguarding individuals’ privacy. It is also referred to as query restriction, which associates certain data to a given request in a multi-level relational database.
• Statistical disclosure control: This method includes a wide variety of techniques, including suppression, noise addition, perturbing records of a collection. Statistical disclosure control prevents the receiver of the data from inferring identities of the individuals.
• Computational disclosure control: This model prevents the formation of direct connections from unidentified data to identifiable data. With computational disclosure control, records appear identical through generalization and suppression of attributes.
• Algorithms: This model has been promoted most by the data mining industry to preserve the privacy of individuals.

Legislation must be able to respond to the shortcomings of anonymization as well. Critics have pointed out that if the process of de-identification is ineffective, then so-called privacy protecting laws may be severely eroded. According to the HIPAA, the handling of health records that have been anonymized is not regulated. There are no regulations for such data, since it is supposedly protected. Given the many examples of unintended re-identification, critics have argued that de-identification alone is an insufficient privacy safeguard.

Summary

This article examines the reasons for and methods of de-identification, in which personal data is anonymized. It then looks at developments in re-identification of data, which links the personal information back to the individual. Several examples of re-identification of data are given, which raise the issue that anonymization is insufficient for safeguarding individuals’ privacy. Finally, the article presents privacy protection methods for addressing the issue of re-identification.

CIPP/IT Preparation

In preparation for the Certified Information Privacy Professional/Information Technology exam, a privacy professional should be comfortable with topics related to this post, including:

• Data de-identification and minimization (III.B.a.)
• Degrees of identification (III.B.a.iv.)
• De-identification and re-identification (III.B.iv.2.)

Following reports of improper disposal of personal health information (PHI) the OCR launched an investigation into the information practices of CVS Entities in September 2007. Their review found the following:

• Between July 2006 and May 2007 some retail CVS stores placed paper records containing personal health information in open dumpsters where they could be accessed by unauthorized individuals.
• The policies and procedures of CVS Entities prior to November 2006 were not adequate to ensure the security of PHI
• CVS did not have the appropriate administrative safeguards in place, such as disciplinary action or sanctions policies for members violating privacy and security policies
• Between April 2003 and November 2006, the training given to employees regarding compliance with the Privacy Rule of HIPAA was insufficient to ensure proper destruction of PHI

In January 2009 a resolution agreement was reached with the following terms:

• Each CVS entity must designate a Compliance Representative that is familiar with the Privacy Rule in order to ensure compliance with HIPAA and the Corrective Action Plan required by the agreement. The Compliance Representative is in charge of designing or improving policies, procedures, training and internal controls.
• CVS must pay the Department of Health and Human Services $2,250,000 in penalties
• CVS Entities must agree to implement the Corrective Action Plan outlined in the Resolution Agreement

The Corrective Action Plan (CAP) for CVS entities involved a number of changes in oversight, policy and training to ensure the adequate protection of PHI. Oversight of implementation of the CAP lasts three years from the effective date of the agreement.

The CAP required the following:

Policies

• Development, Improvement and maintenance of privacy policies and procedures that comply with the Privacy Rule of HIPAA and any other relevant privacy regulations
• CVS Entities must submit revised policies within 90 days of the agreement and implement the policies within 60 days of OCR approval
• Policies and procedures must be reviewed annually by the Compliance Representative
• Physical and Administrative safeguards to allow the proper disposal of PHI must be implemented

Employee Policies and Training

• All employees accessing personal health information must receive a copy of the new policies and sign a written agreement saying they understand and agree to abide by the Privacy Rule
• Employees that fail to comply with the Privacy Rule must receive disciplinary action
• Employees that have access to PHI must receive training appropriate to their level of access regarding proper handling of PHI, including its disposal, as well as the sanctions policies for non-compliance. Training should take place within 30 days of employment. Employees are prohibited from handling PHI before completing their privacy training
• A written or electronic account of employee training must be made available to the Office of Civil Right for inspection
• Employees must verify in writing that they have received training and certification must be submitted to the relevant CVS entity within 10 days of certification
• Training material must be reviewed annually by the Compliance Representative

Enforcement

• CVS Entities must develop procedures for internal monitoring of compliance to be approved by the OCR
• CVS Entities will use a third party assessor to conduct evaluations of compliance with the Privacy Rule and the CAP. The Assessor must file reports with the OCR and Compliance Representative periodically
• The Assessor, Compliance Representative and all CVS Entities must maintain all paper’s related to the Assessor’s reports for inspection upon request by the OCR
• CVS entities must develop and internal reporting procedure for approval by the OCR which requires employees to report violations of the CAP to the Compliance Representative as soon as they become aware of the problem
• Upon receiving an internal report, the Compliance Representative must investigate the problem immediately
• If the investigation determines that a violation has occurred a written report describing the violation and the actions taken by the CVS entity must be submitted to the Assessor and the OCR

Reporting

Within 150 days of OCR approval of the policies and procedures, the Compliance Representative will file an Implementation Report that includes the following information:

• A written attestation from the Compliance Representative stating that CVS is in full compliance with the Privacy Rule and the CAP to the best of their knowledge
• A written attestation from the Compliance Representative stating that the workforce with access to PHI have received their initial privacy training certification
• A copy of all training materials and a summary of the training program including length, topics and schedules
• A written attestation from the Compliance Representative with the contact information for all locations and retail pharmacies stating that all locations are compliant with the CAP within the best of their knowledge
• A written attestation from the Compliance Representative stating they have reviewed the Implementation Report and believe the evaluation to be accurate

Periodic reports must also be filed once a year to allow ongoing oversight. The periodic reports require similar information regarding training materials and compliance officer attestations. They also require a summary of all engagement between CVS Entities and the Assessor (ie: financial audits, compliance program engagements) and a summary of   any compliance violations committed by a workforce employee. Furthermore, CVS is responsible for maintaining all documents related to the CAP for six years.

Significance of the CVS Enforcement Case

The CVS enforcement case reinforced several important privacy issues:

• All employees handling PHI must receive the proper training in their privacy obligations under HIPAA and other privacy laws. Furthermore they must be held accountable for any violations that occur
• Data destruction requires as much attention to privacy concerns as data in other parts of the data life cycle.
• Though most individuals PHI was not compromised through CVS’s improper disposal of data, it is the potential for such unauthorized use, access, or disclosure which is the real problem being addressed in the Corrective Action Plan.

In Conclusion:

The U.S. Government is serious about HIPAA enforcement. Entities handling PII must take the necessary steps to ensure compliance or be faced with much stronger requirements, oversight and costs.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• HIPAA (I.B.a.i)

HIPAA legislation is divided between two rules: the Privacy Rule and the Security Rule. The Privacy Rule of HIPAA involves the privacy of protected health information (PHI). Among the protections it provides are the right to access and amend medical records, the right to consent to PHI disclosure, the right to notice of a covered entity’s privacy practices, as well as the safeguarding and limited disclosure of PHI. Enforcement of the Privacy Rule ensures that such rights are protected.

How Does the OCR Enforce the Privacy Rule?

The Office of Civil Rights enforces the Privacy Rule through several methods:

• Investigating complaints filed with the OCR
• Conducting compliance reviews of covered entities
• Creating programs for education and outreach

The most common method of enforcement is the investigation of complaints.

How Does the OCR Investigate Complaints?

All complaints filed with the OCR go through an Intake and Review process. If the complaint meet the following criteria, the complaint moves on to the investigation stage:

• The alleged violation occurred after the effective dates of the Privacy or Security Rule.
• The entity against whom the complaint is filed must be considered a covered entity
• The alleged complaint must be an activity that would violate the Privacy or Security Rule.
• The Complaint must be filed within 180 days of when then person submitting the complaint became aware of the violation.

If the complaint does not meet all of the above criteria, than no violation of HIPAA is considered to have occurred. If the complaint does meet all of the above criteria, an investigation is launched to determine the veracity of the complaint.

If the complaint involves a possible criminal violation, the investigation is handled by the Department of Justice. If the complaint only involves Privacy or Security Rule violations, it is investigated by the OCR. Depending on the results of the OCR investigation:

• No violation may be found
• A violation may be found and voluntary compliance, or corrective action is taken
• A formal finding of violation from the OCR is issued

Enforcement Statistics

The Number of HIPAA complaints has increased each year since its institution. In 2008, the OCR received almost 10,000 complaints. On average, around two-thirds of alleged complaints are determined to be violations and resolution action is taken. One-third of alleged complaints either do not meet the criteria to warrant an investigation or the investigation determined that no violation had occurred.

On average the top five complaints filed every year involve:

1. Impermissible uses and disclosures
2. Safeguards
3. Access
4. More PHI is collected or used than the minimum necessary
5. Improper authorization for disclosure

On average, the top five covered entities that have been found to be in violation of the Privacy Rule include:

1. Private Practices
2. General Hospitals
3. Outpatient Facilities
4. Health Plans
5. Pharmacies

Summary:

The OCR is committed to HIPAA enforcement. All complaints filed with the OCR are reviewed and may be subject to investigation if a violation is suspected. Depending on the severity of the violation, the OCR may need to take enforcement action against an entity to ensure compliance. Such enforcement is costly to both the entity, the U.S. Government and its citizens, so covered entities should review their practices and policies to correct any potential compliance violations.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• HIPAA (I.B.a.i)

What is Protected Health Information?

Protected Health Information is any personally identifiable health information communicated in any form–oral, paper or electronic–that is maintained by a covered entity as defined by HIPAA (see below.) Personally identifiable health information may include a person’s age, gender and other demographic information as well as information about their diagnosis; prognosis; their past, present or future medical health or conditions; and payment for the provision of past, present or future medical care. Any information that may potentially identify an individual personally is considered to be protected health information (PHI.)

Who Must Comply With HIPAA?

In general any entity that handles protected health information must comply with HIPAA regulations. However, the law specifically mentions the following all of which are considered “covered entities” :

• Health Care Providers – All hospitals, doctors, nurses, health care workers and any other healthcare service providers
• Health Plans– Medicare and Medicaid; private insurance companies; group health plans
• Business Associates– Any third part that may handle protected health information as a service, such as billing, data analysis, data aggregation, etc.

The Privacy Rule

The HIPAA Privacy rule attempts to strike a balance between the need for disclosure among health care professionals to ensure quality care, payment and  maintain public security, while still protecting the identity and personal health information of the patient.

Under the Privacy Rule a patient has the right to:

• Notice of a covered entity’s privacy practices which include the type of information collected and its intended use.
• Consent or object to the disclosure of protected health information to third parties other than those disclosures granted to business associates for the rendering of treatment or services. The Privacy Rule requires that a signed authorization from the individual be placed on record for each specific third party with which the patient wishes to share their information.
• Access and amend their protected health information that an entity has on record about them. A minimal charge may be assessed to cover expenses associated providing access or changes to the their records.
• Limited disclosure of protected health information. Disclosure must be limited to that which is minimally necessary. When a heath care provider or plan shares personal health information with a business associate for the purposes of rendering a service, (ie: billing, data analysis, research, etc) the covered entity must ensure that the business associate or third party will maintain the same standards of privacy.
• Safeguarding of their protected health information. All entities handling personal health information must maintain the necessary physical, technical and administrative safeguards to protect the confidentiality, integrity and security of the patient’s information.

Exceptions to the Privacy Rule

The Privacy Rule makes provisions for the disclosure of protected health information without the limitations outlined above for the following situations:

• Information needed for public health activities and safety
• In coordination with law enforcement of judicial activities and proceedings
• Certain research purposes
• Special Government functions

The Security Rule

HIPAA’s Security Rule deals specifically with the protection of personal health information in its electronic form, which includes data stored on computer hard drives and magnetic or digital storage devices.

The Security Rule requires that covered entities take reasonable measures to:

• Ensure the confidentiality, integrity, and availability of electronic health information
• Protect against the unauthorized access, use or disclosure of protected health information.
• Enforce HIPAA compliance in the work force.

Further more the Security Rule requires:

• The creation of an individual entity to be responsible for implementing and enforcing the Security Rule
• Initial and periodic risk assessments to determine the efficacy of current safeguards, evaluate new threats and implement the necessary protections to maintain the confidentiality and integrity of the data.
• The creation of an ongoing training program to educate the workforce on complying with the Security Rule
• The Covered entity to incorporate the Security Rule into Business Associate Contracts to ensure that all business associates maintain an equivalent level of protection.

Summary:

The Health Care Portability and Accountability Act plays a significant role in the protection of the privacy of health information. HIPAA is a complex and far reaching law which pertains all professionals involved in the health care field. Education in HIPAA compliance must be ongoing, and compliance closely monitored to ensure the protection of health information.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• U.S. Public and Private Sector General Laws including HIPAA (I.A.b.i.)

What are Online Assurance Programs?

Online assurance programs are a broader term for a number of organizations and associations that have created a set of privacy standards that all of its members or clients have agreed to abide by. These programs allow self-regulation of privacy. By becoming a member of a consumer protection association or participating in a trust seal program, businesses build consumer confidence and increase consumer traffic, theoretically pushing companies without privacy guarantees out of business.

Online assurance programs often also provide dispute resolution services to businesses participating in their program. Should a customer file a privacy complaint against them, by law, a business is required to investigate the complaint. Dispute resolution services provide consumers with an impartial third party to investigate privacy disputes and provide businesses, who otherwise might not have the means, to investigate disputes using privacy professionals.

Examples of Online Assurance Programs Around the World

TRUSTe

TRUSTe was the first and continues to be the largest web privacy seal organization. It provides assurance seals for web privacy, email privacy, EU Safe Harbor compliance and COPPA compliance. All participants are required to follow TRUSTe’s privacy standards. To participate, businesses sign a contract with TRUSTe who then conducts an investigation into the website’s privacy policies and technology. TRUSTe makes recommendations and once the suggestions are implemented the company receives the TRUSTe seal.  Participants continue to be monitored through dispute resolution and periodic scanning. TRUSTe also maintains a directory of trusted sites for consumer access and use.

BBBonline

BBBonline is an extension of the Better Business Bureau Organization, which was founded in 1912 to promote fair marketing practices and build trust among buyers and sellers. In addition to safeguarding privacy, business accreditted with BBBonline must follow a code of business practices. These include promises to build trust, advertise honestly, tell the truth, honor promises, be responsive and transparent, and embody integrity.

Network Advertising Initiative

NAI is a cooperative agreement between online marketing and analytics companies to build consumer awareness and implement and abide by effective privacy practices. One of the most significant features of the NAI is their Opt Out of Behavioral Advertising tool which tells a user which of its members have placed cookie files on their hard drive and allows them to change their consent options according to their preferences. Users will still see online advertising on websites, but by opting out, the companies involved in the Network Advertising Initiative will no longer collect information about a user’s web activity to create tailored advertising.

US Direct Marketing Association

The Direct Marketing Association is a group of trade organizations which promote direct marketing to consumers. Though the DMA’s purpose is to increase the use and efficacy of direct marketing, which includes the use of spam and unsolicited marketing messages, the DMA also promotes fair marketing practices and consumer awareness programs including consumer preference services such as DMAchoice, telephone and fax preference services, which provide consumers with consent options with regard to marketing messages.

The Japanese Information Processing Development Cooperation

JIPDEC was created to develop IT technologies and policies. Recently it has been a major contributor to the development of Japan’s information privacys law and the development of the the Privacy Mark System which functions similarly to a privacy seal program. In the Privacy Mark System, third-parties evaluate a business’s compliance with Japan’s data protection laws and any problems are rectified before a business may display the PrivacyMark.

Health Information Trust Alliance

The HITRUST is a collaboration between healthcare, business and technology organizations to help manage personal health information and use IT effectively to comply with HIPAA and HITECH regulations. HITRUST created a common security framework which helps organizations implement information security according to the information they handle and the associated regulations. The common security framework is free to use. Unlike other organizations HITRUST does not require compliance with a set of practices or codes, but does promote protection of information by helping companies understand privacy law and develop effective, relevant information security and privacy practices.

European Privacy Seal

EuroPriSe is the European equivalent of trust seal programs. EuroPriSe was developed out of a desire to have independent regulation of data protection in addition to government regulation. To obtain a privacy seal, independent privacy experts conduct an investigation. The government accredited certification body evaluates the report for compliance with the Data Protection Directive and other European privacy laws. If found to be compliant, the IT product or service is given the European Privacy Seal. EuroPriSe does not provide dispute resolution services since data protection complaints are handled under the Data Protection Directive.

Summary

The number one objective of online assurance programs is to build trust with consumers. Whether an organization oversees compliance through the use of privacy seals or use cooperative agreements to comply with a set of standards, businesses are making privacy an important feature in building strong, effective, long-standing relationships with customers.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

• Online Assurance including trust seal, dispute resolution programs and self regulatory frameworks. (III.B.l.i-iii.)

If asked to identify the point in the information lifecycle in which data is often most vulnerable, most people would not say “Destruction.” Destruction itself is a simple concept. After personal data or technology storing personal data is no longer useful it is discarded.  However, completely erasing data from existence is not that easy. Computer files are particularly difficult to destroy. Furthermore, with the increasing use of cloud computing services, more and more personal data is being stored on third party servers, where the information controller has to trust their provider to remove the information when requested. Control over the deletion and destruction of data is taken out of the data controller and the data subject’s hands.

The problems associated with proper disposal, make it so that the destruction of data is one of the times personal information is most likely to be at risk for unauthorized access. Because of this, data destruction remains an important privacy issue discussed among professionals in the industry today.

Why is Data Destroyed?

Data Destruction is a necessary and important part of the information life cycle. Deleting data from a server frees space on the hard drive for other data that may be more pertinent to business operations. Destroying untimely data also helps limit the extent of a breach should unauthorized access occur.

The Fair Information Practice Principles include regulations regarding the limits and uses of collected data. Once data is collected, the data controller is restricted to using it for purposes related to the reasons for which it was originally collected. Data that is outdated or no longer useful is destroyed. Data destruction may also occur after transferring data to new technologies and discarding the old ones. Data, especially that has been hosted with a cloud computing service, may also be deleted at request of the data subject or data controller.

How Do Data Breaches from Improper Destruction Occur?

Today, data usually takes two forms: electronic and paper. Paper files containing personal information are a frequent cause of data breaches due to carelessness. Unclaimed copies, faxes and other paper files are often thrown into recycling bins or the trash with little thought as to the personal information that may contain. This leaves personal information vulnerable to dumpster divers that sort through trash looking for information that may allow them to commit fraud.

Another common way that deleted data may be accessed is through the improper disposal of computers and other electronic equipment with the ability to store data. Sending files to the recycle bin or hitting the delete key does not actually erase a file from existence. What it does is remove the link from the file directory while a copy of the file still remains until it is written over by other files. Some operating systems support software which allows undeletion so that files have been previously deleted can be restored. Computer hard drives, USB drives, cell phones and other related products are all susceptible to data breaches if they are recovered by dumpster divers or through computer recycling programs and their hard drives have not been overwritten, encrypted or physically destroyed.

Cloud computing has improved the interactivity and productivity of businesses and individuals but it has also increased the potential for the unauthorized access of information. When a company or individual stores personal information with a cloud computing service be it a Payroll Account Servicer or Facebook, they are trusting that servicer to protect and eventually delete their information when requested. However, it may be days, weeks or even months before that information is deleted. Furthermore, placing information in the cloud allows more individuals, that are not under the control or supervision of the data subject or the data controller to have access to personal information, laying the ground for misuse of information.

Data breaches are a serious occurrence  and take place on a regular basis due to carelessness and general ignorance of the danger that improperly disposed data may pose.

How Should Data Be Disposed?

While different regulations may call for various means of protecting data, there are a number of commonly accepted ways for individuals and businesses to properly dispose of in both paper and electronic forms.

Physical Destruction:

1. Shredding- the most commonly used form of destruction in homes and small business in which paper is cut into small pieces to make the information harder to reassemble. Cross-cut shredders are more effective than length wise only shredders which may be reassembled into usable data with a minimal amount of work.
2. Incineration- Paper and/or electronic equipment may be burned to make it unreadable. While the destruction is effective there is a large debate concerning its impact on the environment.
3. Pulverization- Uses high pressure to crush objects into unusable forms. Like incineration it is effective in protecting data, but poses environmental problems as the chemicals and products used in computers and paper degrade in landfills.

Electronic Destruction:

1. Overwriting- Involves writing over data files with files containing junk information. The more times a file is overwritten the more securely it is protected from possible recovery. Overwriting is not 100% effective, however it is a common tool that is available on all computers to protect data.
2. Encryption- Involves the use of private and public cipher keys to code data using algorithms. Only users with the correct key can decode the data to readable form. The HITECH act is considering using encryption as the exclusive method of data destruction.
3. Degaussing- Involves realigning the magnetic fields of devices which use magnetization to store data such as hard drives, magnetic tapes and audio cassettes.

What are the U.S. Federal Regulations Regarding Data Disposal?

There are number of different regulations in place in the United States that deal with the proper disposal of personal information. These are often incorporated into the various laws regulating privacy in different sectors and industries.

The Fair and Accurate Credit Transactions Act

In 2003, the the Fair and Accurate Credit Transaction Act was passed as an amendment to the Fair Credit Reporting Act, both which deal with the protection of personal information in consumer reports. FACTA includes a disposal rule for the protection of information contained in consumer reports by any entity which may use such information for business functions. Such entities may include landlords, employers, automobile dealers, debt collectors and financial institutions. The law requires such entities take take reasonable measures to destroy consumer reports including the physical and electronic destruction of data to make it unreadable. It also calls for independent audits to determine an entity’s compliance with the disposal rule.

The Gramm-Leach-Bliley Act

In 1999, the Gramm-Leach-Bliley Act was passed to protect personally identifiable information used by financial institutions. It includes a Safeguards Rule which requires financial institutions to designate a coordinator of their information safety program. It also requires extensive routine risk assessments of the physical, technical and administrative safeguards to determine the threat of internal or external abuse of personal information. The proper disposal of data is included in such risk assessments.

The law sets up for the proper protection of data against security risk, but like many information privacy laws in the U.S., is criticized for being largely unenforceable due to the variations in technology, methodology, and use of information from business to business. The GLBA does set up heavy penalties for businesses that do not complete risk assessments and develop security plans to handle potential threats.

The Health Insurance Portability and Accountability Act

HIPAA is a broad law dealing with issues within the health industry. It contains a Privacy rule and Security Rule for the protection of personal health information. While HIPAA does not specifically have rules regarding the destruction of data, it does require covered entities to take reasonable measures to ensure the protection of data and compliance with HIPAA standards. Historically, improper disclosure has been one of the number one methods of unauthorized access to protected health information.

The Federal Information Security Management Act

In 2003, FISMA (pdf) was passed to regulate information security within the Federal Government. Similar to the Gramm-Leach-Bliley Act, FISMA requires periodic risk assessments to determine the threat and magnitude of harm due to unauthorized access, use, modification, disclosure, or destruction of sensitive information throughout its life cycle. The act calls for detailed plans and security measures to be implemented in order to protect against potential threats.

Data destruction has been recognized as an important security risk in U.S. regulations, however many of the aforementioned regulations do not set clear or standardized guidelines for the correct disposal of information. Data destruction remains  a confusing and complicated topic. Most regulations use language such as “reasonable measures” to acknowledge the fact that data is extraordinarily difficult and expensive to destroy. However, “reasonable measures” also creates a lot of room for interpretation and so data destruction through the United States and its industries remains largely self-regulated.

What About Data Destruction Services?

As awareness has grown about the dangers posed by improperly disposed data, a number of independent data destruction services have appeared to be part of the solution. Many of these companies offer certificates of destruction assuring it’s customers that their data is well protected and properly destroyed. While many of these companies may properly dispose of data, potential customers should be aware that the industry is completely self-regulatory. There is no government authority that certifies data destruction services in the United States and so the certificates they issue are only as good as the reputation and accountability of a company.

In Conclusion

Data Destruction is an often overlooked part of information security which is essential to individuals and businesses alike. Maintaining the security of personal information is one of the key elements of information privacy and not data is fully secure until it is completely and properly destroyed. Both individuals and businesses need to be aware of the potential consequences of improper disposal of data, recognize their accountability in ensuring its destruction and complete extensive research when choosing other services such as cloud computing and/or data destruction services which may be given control over the process.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

• Introduction to Privacy:  “Information lifecycle principles” (Foundations: I.E.vi)
• Information Security: “Cryptography” (Foundations: II.C.a.iii), “Implementing information security controls – Asset management” (Foundations: II.C.b.iii) and “Physical and environmental security” (Foundations: II.C.b.v)