This article discusses the US Department of Health and Human Services (HHS) Health Breach Notification Rule: Final Rule (HHS BNR), issued pursuant to the US American Recovery and Reinvestment Act (ARRA) of 2009 and its impact on IT professionals in terms of:

1. What is this piece of legislation, and who is covered under it?
2. Do all organizations have to start complying with the legislation immediately?
3. Who needs to follow/implement this legislation?
4. What do organizations have to do to comply with the legislation?
5. Why do IT auditors need to know about this legislation?
6. What is the role of auditors with regard to this legislation? Is it checking compliance at the end of a period/year, or is it a continual process?
7. What are the applicable fines/effects if this rule is not followed?

Part 1 of this article focused on the Health Information Technology for Economic and Clinical Health (HITECH) Act and was published in the ISACA Journal, volume 4, 2010.

What is HHS BNR, and Who Is Covered Under It?

HHS, in conjunction with the US Federal Trade Commission (FTC), has issued these new rules, mandated by ARRA, requiring providers and insurers to notify patients when their health information is breached. They must also alert the media and the HHS secretary when a breach affects more than 500 people. These rules include:

• Define secured and unsecured information.
• Provide guidance specifying encryption and destruction as the technology and methodology to making protected health information (PHI) unusable and unreadable.

Entities that secure information through encryption or destruction are relieved from having to notify individuals, the HHS secretary and the news media in the event of a breach of such information. Also, the rule does not apply to businesses or organizations that are covered by the Health Insurance Portability and Accountability Act (HIPAA). HHS BNR will be used to ensure integrity of electronic health records and the electronic exchange of health information.

The rule became effective on 24 September 2009. Full compliance was required by 22 February 2010.

Who Needs to Follow/Implement This Legislation?

Certain web-based businesses are required by HHS to notify consumers when the security of their electronic health information is breached. The rule applies to both vendors of personal health records that provide online repositories that people can use to keep track of their health information and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential. Many entities offering these types of services are not subject to the privacy and security requirements of HIPAA, which applies to health care service providers such as physician offices, hospitals and insurance companies. ARRA required HHS, in consultation with the FTC, to conduct a study and report by February 2010 on potential privacy, security and breach-notification requirements for vendors of personal health records and related entities that are not subject to HIPAA. In the meantime, the Act requires the FTC to issue a rule requiring these entities to notify consumers if the security of their health information is breached. Section 13400(1) of HHS BNR also includes three exceptions to the definition of ‘‘breach’’ that encompass situations the US Congress clearly intended not to constitute breaches. These are:

1. Unintentional acquisition, access or use of PHI by an employee or individual acting under the authority of a covered entity or business associate [section 13400(1) (B)(i)]
2. Inadvertent disclosure of PHI from one person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate [section 13400(1)(B)(ii) and (iii)]
3. Unauthorized disclosures in which an unauthorized person to whom PHI is disclosed, but who would not reasonably have been able to retain the information

Becoming Compliant

HHS BNR requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached. HHS BNR requires:

1. Notice to consumers by vendors of personal health records and related entities following a breach involving unsecured information
2. Notice to the entity if a service provider to it has a breach and, in turn, notice by the entity to consumers
3. Notice to the media. The final rule also specifies the timing, method and content of notification, and in the case of certain breaches involving 500 or more people, it requires notice to the media.
4. Notice by entities to affected individuals of a breach without unreasonable delay and no later than 60 calendar days after discovery of the breach. HHS did not amend the timeline specified in the ARRA provision.

The IT Auditor’s Role

As part of the auditor’s accepted role and responsibility to continually monitor the status of processes, procedures and controls in place to minimize risk, whether financial, compliance/regulatory, fraud, privacy or reputational, auditors need to ensure that:

1. A data classification policy, approved by senior management, has been issued and communicated by management. It must describe the acceptable processes used to identify, classify, store, secure and monitor access to consumers’ PHI.
2. Vendors and related entities of personal health records have a reliable and effective process in place to:
   • Identify in a timely manner where a data breach occurred
   • Notify affected parties without unreasonable delay and no later than 60 calendar days after discovery of the breach that the security of their individually identifiable health information has been breached. Neither HHS nor FTC amended the timeline specified in the ARRA provision.
   
   Both the FTC and the HHS rules were required by provisions in ARRA.
3. Notifications must be written in plain language and include, to the extent possible, a brief description of what happened, the types of information involved, steps individuals should take to protect themselves, and a brief description of what the entity is doing to investigate and mitigate the breach. The notification must provide consumers with contact information that includes a toll-free number, an e-mail address, and a web site or postal address.
4. Adequate data encryption technologies have been implemented. It also would behoove auditors to monitor and evaluate the controls in place to prevent and detect data breaches. This is something that vendors and related entities of personal health records would do regardless of HHS BNR. The intent is to ensure data privacy and protection of confidential data and to protect the reputation of the firm, prevent fraud and identity theft, and ensure compliance with existing regulations.

Results of Noncompliance

The secretary of HHS has the burden going forward. The existence of any factors in determining the amount of the proposed penalty rests with the secretary of HHS.

IT Auditor’s Key Concerns Related to HHS BNR

The following are key concerns of the IT auditor when assessing an organization’s compliance with HHS BNR:

1. It is highly recommended that the client implement data encryption to minimize data loss and preserve data integrity, even though there is no formal requirement to implement data encryption.
2. The client should develop a reporting template.
3. The client should rely on the same HIPAA reporting channels for management reporting of data breaches
4. Clients must submit an impact statement. However, the guidelines do not describe the nature and extent of the impact statement. In terms of data classification, an effort is needed at all affected firms to identify PHI or related confidential data. This issue is significant since it affects the use or disclosure of individually identifiable health information for business associates of entities. Examples of business associates include third-party administrators or pharmacy benefit managers for health plans; claims processing or billing companies; transcription companies; and people who perform legal, actuarial, accounting, management or administrative services for covered entities and who require access to PHI.
5. Clients that are smaller insurers and providers may indicate that the cost to implement encryption technologies for PHI is prohibitive. Auditors should be prepared to recommend technology solutions and other compensating controls that reduce risk and maximize use of the client’s available resources.

Why IT Auditors Need to Know About HHS BNR

IT auditors need to know about this regulation because:

1. The interim final rule, which was issued in April 2009, states that a breach does not occur unless the access, use or disclosure poses “a significant risk of financial, reputational or other harm to the individual.” In the event of a breach, the rule requires covered entities to perform a risk assessment to determine if the harm standard is met. If they decide that the risk of harm to the individual is not significant, the covered entities are not required to tell their patients that their sensitive health information was breached.¹ The FTC version stipulates that if an individual authorized the discharge of data, their release is not considered a breach.
2. The FTC’s rule also allows for a vendor to engage in a risk analysis and states that if data were never acquired (i.e., officials are fairly certain that nobody saw the material), the incident does not count as a breach and notification does not have to occur.
3. There is a greater need for extra clarification of data classification and data encryption since a client could potentially be in compliance with the HIPAA security rule by not encrypting PHI, but could be in violation of HHS BNR by not encrypting data. This will be an issue that the IT auditor must discuss with the organization’s compliance department and representatives of HHS.
4. Firms impacted by HHS BNR will need to implement processes, policies and procedures governing their training programs and reporting and will need to file complaints to ensure compliance. Limited guidance has been issued defining minimum requirements for compliance.
5. In the case of overlap with state regulations as to the definition of breach notification, at this time, it appears state law is preempted. Auditors employed by a multinational firm or an organization with offices in multiple states will have to take this added complexity into consideration when assessing the organization’s compliance.

The Next Steps

HHS BNR defines the first national security breach notification requirements in the US. IT auditors and security professionals must:

1. 1. Take the time to read and understand the complex new legal compliance requirements in HHS BNR.
2. Determine whether their organizations are impacted by the new compliance provisions.
3. Assess whether their organizations have processes and controls to ensure ongoing compliance. In particular, organizations will need to understand where personally identifiable information (PII) is stored and how it is transmitted. With the new compliance mandates, organizations will also need to weigh the cost of encryption against the cost of a potential breach.
4. Develop procedures to assess the adequacy of key controls.

IT auditors should continue to monitor the legislation as it is developed and revised, including standards to be published by the Office of National Coordinator and responsible committees (including the Health IT [HIT] Policy Committee and the HIT Standards Committee).

Where to Go to Monitor Legislation

Here are several useful web sites that auditors can use to monitor legislation:

1. National Journal Online, www.nationaljournal.com— Nonpartisan reporting on the current political environment and emerging policy trends
2. Govtrack.us—Details status about pending legislation
3. Library of Congress, www.loc.gov
4. Trendtrack.com—Allows Fortune 500 companies, major trade and professional associations, educational institutions, and public affairs firms that depend on automated reports and remote alerts to deliver legislative intelligence to the right people at the right time

References

• Federal Register, Part II, Department of Health and Human Services, 45 CFR Parts 160 and 164, “Breach Notification for Unsecured Protected Health Information; Interim Final Rule,” USA, 2009
• IT Governance Institute, COBIT 4.1, USA, 2007
• Federal Trade Commission, 16 CFR Part 318, Health Breach Notification Rule, Final Rule, Federal Register, vol. 74, no. 163, USA, 25 August 2009
• Department of Health and Human Services, Health Information Privacy, Health Insurance Portability and Accountability Act Administrative Simplification Statute and Rules, USA
• Federal Trade Commission, “FTC Issues Final Breach Notification Rule for Electronic Health Information,” press release, 17 August 2009
• Harlow, David; Health Care Law Blog, “Son of HIPAA Breach Notification Rules and Business Associate Requirements: Who’s Ready?,” HealthBlawg, 11 November 2009, http://healthblawg.typepad.com/healthblawg/2009/11/son-of-hipaa-breach-notification-rules.html

Endnotes

¹ According to Devon McGraw, director of the health privacy project at the Center for Disease and Technology (CDT), the language was not handed down as part of the US $19 billion health IT section of the economic stimulus package and was expressly rejected by House of Representative staffers who helped craft the measure. He noted that its inclusion by HHS is likely the result of lobbying on the part of the health care industry. CDT and its allies favor the approach taken by the FTC in its own data breach mandate, which took effect the same day as the HHS rule. Noyes, Andrew; “HHS Urged to Rework Data Breach Rule,” Congress Daily, Tech Dose Daily, 17 September 2009

Christopher P. Buse, CISA, CISSP, CPA
is the chief information security officer for the State of Minnesota (USA), Office of Enterprise Technology. He is also a member of ISACA’s Government and Regulatory Agencies Regional Area 4 Subcommittee.

Larry Marks, CISA, CGEIT, CFE, CISSP, PMP
is a consultant for DTG Consulting Solutions. He is currently assigned as a US Sarbanes-Oxley Act project manager for a financial services client. He is also a member of ISACA’s Government and Regulatory Agencies Regional Area 4 Subcommittee.

Steve Sizemore, CISA, CGAP, CIA
is an IT audit manager with the Internal Audit Division of the Texas Health and Human Services Commission (USA). He is also a member of ISACA’s Government and Regulatory Agencies Regional Area 4 Subcommittee.

Enjoying this article? To read the most current ISACA^® Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute^® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.