
Ten Tactics to Avoid Penalties for Health Information Privacy & Security Breaches

March 03, 2010

Editor’s note: Health care organizations that fail to protect health information privacy could pay up to $1.5 million for each violation, according to an interim final rule (IFR) released by the federal Department of Health and Human Services’ Office for Civil Rights to enforce provisions of the Health Information Technology for Economic and Clinical Health Act. Worse, penalties can be imposed for violations even if the covered entity did not know—and would not have known about the problem after exercising reasonable diligence. The IFR addresses privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the Health Insurance Portability and Accountability Act. Penalty amounts are tiered and OCR will cite organizations for four categories of violations reflecting increasing levels of culpability—the penalties increase for each violation with a maximum penalty amount of $1.5 million for all violations of an identical provision.

Ten breach-prevention tactics provided by DataMotion, Inc., can help health care organizations keep consumer information private and avoid incurring fines.


1. “Take secure measures, in case people make mistakes.

“One of the most common causes of any kind of security breach is human error.

“Whether conscious, accidental, or simply due to laziness, human error can result in Personally Identifiable Information (PII) or Personal Health Information (PHI) being sent over the internet as unencoded text unless filters are put in place to detect these messages and encode or reroute them safely.”

“To accomplish this, you need to:

  • Install smart filters that analyze both the email and its attachments,
  • Correlate fields in both documents and attempt to match them to known patient databases,
  • And quarantine or redirect those messages.”
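The three steps above (scan the message and its attachments, correlate what is found against the patient database, then quarantine or redirect) are the core of an outbound data-loss-prevention filter. The following is an added example, written for this page and not DataMotion’s product logic or code from the white paper; the patient directory, the MRN format, the internal domain and the sample messages are all constructed for the illustration. It scans the body and every attachment together, so a patient name in the body combined with a date of birth in an attachment is recognised as a match even though neither part alone is conclusive.

```python
"""Outbound e-mail filter: scan a message and its attachments for
identifiers, correlate hits with a patient directory, and choose a
disposition (allow, redirect to the encryption gateway, or quarantine).
Added illustration; not DataMotion's product logic. Identifier formats,
domains and patient records below are constructed for the example."""
import re
from dataclasses import dataclass, field

# Constructed patient directory, keyed by medical record number (MRN).
# A deployment would query the master patient index instead.
PATIENT_DIRECTORY = {
    "MRN-1000001": {"name": "Jane Example", "dob": "1970-01-15"},
    "MRN-1000002": {"name": "John Sample", "dob": "1985-06-30"},
}
INTERNAL_DOMAINS = {"clinic.example"}            # constructed
MRN_RE = re.compile(r"\bMRN-\d{7}\b")            # hypothetical MRN format
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # US SSN shape


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text
    encrypted: bool = False   # already routed through the encryption gateway


def analyze(msg):
    """Scan body and every attachment, then correlate with the directory."""
    parts = {"body": msg.body, **msg.attachments}
    mrns, ssns = set(), set()
    for text in parts.values():
        mrns.update(MRN_RE.findall(text))
        ssns.update(SSN_RE.findall(text))
    # Correlate fields across parts: a name in the body plus a matching date of
    # birth in an attachment identifies the patient as surely as an MRN does.
    combined = "\n".join(parts.values())
    matched = {mrn for mrn, rec in PATIENT_DIRECTORY.items()
               if mrn in mrns or (rec["name"] in combined and rec["dob"] in combined)}
    return {"mrn": mrns, "ssn": ssns, "matched_patients": matched}


def decide(msg):
    """Return (disposition, findings) for one outbound message."""
    findings = analyze(msg)
    external = msg.recipient.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
    found_anything = findings["mrn"] or findings["ssn"] or findings["matched_patients"]
    if msg.encrypted or not found_anything:
        return "allow", findings
    if findings["matched_patients"] and external:
        # A known patient record about to leave the boundary in clear text:
        # hold it for human review.
        return "quarantine", findings
    # Identifier patterns, or a known patient staying inside the boundary:
    # reroute through the encryption gateway instead of plain SMTP.
    return "redirect", findings


# Constructed sample traffic: one cross-part match, one bare SSN, one internal
# MRN reference, and one harmless message.
SAMPLE_MESSAGES = [
    Message("nurse@clinic.example", "relative@mail.example", "Visit summary attached.",
            {"summary.txt": "Patient: Jane Example\nDOB: 1970-01-15\nDx: (omitted)"}),
    Message("billing@clinic.example", "payer@insurer.example",
            "Claim for SSN 123-45-6789 attached."),
    Message("nurse@clinic.example", "records@clinic.example",
            "Please file MRN-1000002 chart notes."),
    Message("admin@clinic.example", "vendor@supplier.example", "Lunch order for Friday?"),
]


def run_filter(messages=SAMPLE_MESSAGES):
    """Disposition for each message, in order."""
    return [decide(m)[0] for m in messages]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLE_MESSAGES, run_filter()):
        print(f"{m.recipient:28} -> {verdict}")
```

The decision table is deliberately small: anything already encrypted passes, a correlated patient record headed outside the boundary is held, and everything else that carries an identifier is rerouted rather than dropped, so legitimate work is not blocked while clear-text PHI never leaves over plain SMTP.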

2. “Make sure the boundaries between systems are secure.

“Communication security breaches commonly occur where data is transferred between two or more systems.

“It can happen any time and any place where data is transferred between:

  • People inside your company’s firewall
  • People inside and outside your company’s firewall
  • Your people and your partners
  • Your people and your customers (or patients)
  • Two different systems”

3. “Make sure your internal communications are secure.

“Your people who work from home provide a specific example of HIPAA boundary issues. It is critical that any data that they transfer to their home computers from work is sent securely, one copy of a database file, one spreadsheet, one PDF attachment, one presentation that someone works on over the weekend.

http://www.openminds.com/circlehome/eprint/omol/2010/030110ftr1.htm 3/1/2010

“Your business information must pass across the Internet securely, even though it will remain inside your company and your firewall. It must never be compromised—or vulnerable.”

4. “Make sure your partner communications are secure.

“Your people, when working with business partners, bring up another case of boundary issues.”

“Your partners may use different email systems. They often need to send personally identifiable information and/or personal health information about clients or patients via email or attachments.”


5. “Make sure your communications with telecommuters are secure.

“People who telecommute create another group of boundary issues.”

“So you must find the time, the budget, and the resources to set up file-transfer sites for these large files. And you must make absolutely sure that they offer unbreakable security.

“With a sophisticated system in place, you could manage and track the secure transfer of confidential, large files so you’d know they were delivered to, and opened by, your intended recipient.”


6. “Make absolutely sure your communications with customers—or patients—are absolutely secure.

“When communicating with customers (or patients), your people most likely have no knowledge of the recipient’s email system.”

“They want to use email. And they want you to send important information quickly, via email. And if you do, they want it, of course, to be secure.

“Not just because it’s the law. Because it’s common sense that people don’t want anyone to have access to their private medical information, any more than anyone should have access to their private banking information.”


7. “Make sure when your customers—or patients—communicate with you, that everything they do is secure.

“Your customers and patients must often submit forms, ask questions of specific people and departments, or submit follow-up information about an ongoing illness or other matter.

“For a long time, these needs were served by paper-based processes, but can now be handled through secure electronic forms on your web site.”

“With a messaging system in place that provides secure inbound and outbound service, uses email and ad hoc forms for message composition, and provides web service and XML workflow integration, you can streamline your operations and cost effectively serve customers.”


8. “Make sure your customer workflow is automated, so there are fewer mistakes.

“When you enter information into your system, you should only enter patient information once. Because multiple entries of the same information are big bright red flags for auditors.

“To avoid this, you need to make very sure that any time that information is entered securely, that it is routed to its destinations in your CRM system or case handling systems without the need for humans to unencrypt, read, retype, fax, or otherwise invite errors. Or auditors.”



9. “Make it easy to transfer files securely—even very large ones.

“FTP, or file transfer protocol, is the standard way to transfer files across the Internet. However, it requires big investments of time and effort to make it work, and even when it does work, it transmits user login credentials and the contents of files in an unencrypted manner.”

“You need a secure messaging system that automatically routes large files, alerts the recipient that they are available, and that tells you when they’ve been opened and by whom.”


10. “Make sure that you can demonstrate that your system is compliant and auditable.

“After an email message is sent, how do you know what happened to it? Did its intended recipient open it? Were its attachments opened? Is there proof that the message was received and was read?”

“The fingerprint data must record—permanently—the IP addresses of the recipient’s computers, and the system’s time must be synchronized with an atomic clock so that message times are never a point of dispute.”
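Tactic 10 asks for a delivery record that is permanent and whose timestamps cannot be disputed. One way to make “permanent” checkable rather than asserted is a hash-chained, append-only ledger: every event record carries the hash of the record before it, so changing or deleting an entry after the fact breaks verification. The following is an added example written for this page, not DataMotion’s tracking implementation or any code from the white paper; the message id, addresses and IP addresses are constructed, and the fixed-time clock stands in for the synchronized system clock the excerpt calls for (in production this would be an NTP-disciplined clock in UTC).

```python
"""Tamper-evident delivery ledger for message tracking events.
Added illustration; not DataMotion's product logic. Addresses, message
ids and IP addresses below are constructed for the example."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # previous-hash value for the first record


class DeliveryLedger:
    """Append-only, hash-chained record of what happened to each message."""

    def __init__(self, clock=None):
        self.records = []
        # Injectable clock so runs are reproducible; production would use a
        # clock disciplined by NTP and always report UTC.
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _digest(record):
        """SHA-256 over the canonical JSON of every field except 'hash'."""
        body = {k: v for k, v in record.items() if k != "hash"}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(payload).hexdigest()

    def append(self, message_id, event, **details):
        """Record one event (sent, opened, attachment_opened, ...) and chain it."""
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS
        record = {
            "seq": len(self.records),
            "message_id": message_id,
            "event": event,
            "time_utc": self._clock().isoformat(),
            "details": details,
            "prev_hash": prev_hash,
        }
        record["hash"] = self._digest(record)
        self.records.append(record)
        return record

    def verify(self):
        """True only if every record is unmodified and the chain is unbroken."""
        prev_hash = GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev_hash"] != prev_hash:
                return False
            if self._digest(rec) != rec["hash"]:
                return False
            prev_hash = rec["hash"]
        return True

    def history(self, message_id):
        """Everything that happened to one message, in order."""
        return [r for r in self.records if r["message_id"] == message_id]


def demo():
    """Write a sent/opened pair, verify, tamper, verify again.

    Returns (intact_before_tamper, intact_after_tamper, events_for_message)."""
    # Constructed fixed timestamps standing in for a synchronized clock.
    times = iter([
        datetime(2010, 3, 1, 14, 0, 0, tzinfo=timezone.utc),
        datetime(2010, 3, 1, 14, 5, 30, tzinfo=timezone.utc),
    ])
    ledger = DeliveryLedger(clock=lambda: next(times))
    ledger.append("msg-42", "sent", sender="records@clinic.example",
                  recipient="patient@mail.example", attachments=["labs.pdf"])
    # 198.51.100.0/24 is a documentation range; the value is constructed.
    ledger.append("msg-42", "opened", recipient_ip="198.51.100.7")
    intact_before = ledger.verify()
    # Simulate someone editing the stored record after the fact.
    ledger.records[1]["details"]["recipient_ip"] = "203.0.113.9"
    intact_after = ledger.verify()
    return intact_before, intact_after, len(ledger.history("msg-42"))


if __name__ == "__main__":
    print(demo())   # (True, False, 2)
```

Deleting a record, reordering records, or rewriting a timestamp all fail `verify()` for the same reason the edited IP address does: the stored hash no longer matches the record, or the next record’s `prev_hash` no longer matches. Anchoring the newest hash somewhere the system cannot rewrite (a write-once store or a periodic external publication) is what turns this from tamper-evident into the permanent record the excerpt describes.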

This featured excerpt is taken from the full text of “How to Disappoint Your HIPAA Auditors & Gain the Respect of Your Board of Directors (Not Necessarily in That Order.)” released by DataMotion in 2008. A link to the full text may be found in The OPEN MINDS Circle Library at www.openminds.com/circlehome/eprint/indres/101508ftrhipaa.htm.

DataMotion, Inc. specializes in secure business exchange solutions. The company has worked with health care organizations for more than ten years to provide managed information delivery solutions that streamline business processes and improve regulatory compliance. Core applications include e-mail encryption, large file transfers, electronic forms, and programmatic APIs to automate and improve business workflows. DataMotion solutions are available on premise or hosted and leverage existing IT infrastructure and processes. All DataMotion solutions are built on a single platform that secures, tracks, and automates data in motion.

A link to the full text of “HIPAA Administrative Simplification: Enforcement” may be found in The OPEN MINDS Circle Library at www.openminds.com/circlehome/eprint/indres/103009ftrhitechprivacy.htm.


For more information, contact: Monica Hutton, Marketing Director, DataMotion Inc., 35 Airport Road, Suite 120, Morristown, New Jersey 07960; 973-455-1245; E-mail: monicah@datamotioncorp.com; Web site: www.datamotion.com; or U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HIPAA Enforcement Rule IFR (RIN 0991–AB55), Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, District of Columbia 20201; 202–205–2292; Web site: www.hhs.gov/ocr/privacy.


Ten Tactics to Avoid Penalties for Health Information Privacy & Security Breaches. (2010, March 1). OPEN MINDS On-Line News


This article was written and published by OPEN MINDS, in the March 1st issue of the OPEN MINDS On-Line News. OPEN MINDS, 163 York Street, Gettysburg, Pennsylvania 17325; Phone (717) 334-1329; Fax: (717) 334-0538; E-mail: openminds@openminds.com; Web site: www.openminds.com
