Christopher P. Buse, CISA, CISSP, CPA, Larry Marks, CISA, CGEIT, CFE, CISSP, PMP and Steve Sizemore, CISA, CGAP, CIA
This article discusses the US Department of Health and Human Services (HHS) Health Breach Notification Rule: Final Rule (HHS BNR), issued pursuant to the US American Recovery and Reinvestment Act (ARRA) of 2009 and its impact on IT professionals in terms of:
Part 1 of this article focused on the Health Information Technology for Economic and Clinical Health (HITECH) Act and was published in the ISACA Journal, volume 4, 2010.
HHS, in conjunction with the US Federal Trade Commission (FTC), has issued these new rules, mandated by ARRA, requiring providers and insurers to notify patients when their health information is breached. They must also alert the media and the HHS secretary when a breach affects more than 500 people. These rules include:
Entities that secure information through encryption or destruction are relieved from having to notify individuals, the HHS secretary and the news media in the event of a breach of such information. Also, the rule does not apply to businesses or organizations that are covered by the Health Insurance Portability and Accountability Act (HIPAA). HHS BNR will be used to ensure integrity of electronic health records and the electronic exchange of health information.
The rule became effective on 24 September 2009. Full compliance was required by 22 February 2010.
Certain web-based businesses are required by HHS to notify consumers when the security of their electronic health information is breached. The rule applies to both vendors of personal health records that provide online repositories that people can use to keep track of their health information and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential. Many entities offering these types of services are not subject to the privacy and security requirements of HIPAA, which applies to health care service providers such as physician offices, hospitals and insurance companies. ARRA required HHS, in consultation with the FTC, to conduct a study and report by February 2010 on potential privacy, security and breach-notification requirements for vendors of personal health records and related entities that are not subject to HIPAA. In the meantime, the Act requires the FTC to issue a rule requiring these entities to notify consumers if the security of their health information is breached. Section 13400(1) of HHS BNR also includes three exceptions to the definition of "breach" that encompass situations the US Congress clearly intended not to constitute breaches. These are:
HHS BNR requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached. HHS BNR requires:
As part of the auditor’s accepted role and responsibility to continually monitor the status of processes, procedures and controls in place to minimize risk, whether financial, compliance/regulatory, fraud, privacy or reputational, auditors need to ensure that:
Going forward, the burden rests with the secretary of HHS. Determining whether any factors exist that affect the amount of a proposed penalty also rests with the secretary of HHS.
The following are key concerns of the IT auditor when assessing an organization’s compliance with HHS BNR:
IT auditors need to know about this regulation because:
HHS BNR defines the first national security breach notification requirements in the US. IT auditors and security professionals must:
IT auditors should continue to monitor the legislation as it is developed and revised, including standards to be published by the Office of the National Coordinator and responsible committees (including the Health IT [HIT] Policy Committee and the HIT Standards Committee).
Here are several useful web sites that auditors can use to monitor legislation:
1 According to Devon McGraw, director of the health privacy project at the Center for Disease and Technology (CDT), the language was not handed down as part of the US $19 billion health IT section of the economic stimulus package and was expressly rejected by House of Representatives staffers who helped craft the measure. He noted that its inclusion by HHS is likely the result of lobbying on the part of the health care industry. CDT and its allies favor the approach taken by the FTC in its own data breach mandate, which took effect the same day as the HHS rule. Noyes, Andrew; "HHS Urged to Rework Data Breach Rule," Congress Daily, Tech Dose Daily, 17 September 2009.
Christopher P. Buse, CISA, CISSP, CPA, is the chief information security officer for the State of Minnesota (USA), Office of Enterprise Technology. He is also a member of ISACA's Government and Regulatory Agencies Regional Area 4 Subcommittee.
Larry Marks, CISA, CGEIT, CFE, CISSP, PMP, is a consultant for DTG Consulting Solutions. He is currently assigned as a US Sarbanes-Oxley Act project manager for a financial services client. He is also a member of ISACA's Government and Regulatory Agencies Regional Area 4 Subcommittee.
Steve Sizemore, CISA, CGAP, CIA, is an IT audit manager with the Internal Audit Division of the Texas Health and Human Services Commission (USA). He is also a member of ISACA's Government and Regulatory Agencies Regional Area 4 Subcommittee.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2010 ISACA. All rights reserved.