Legally defensible security: Covering your bases on HIPAA, CMR 17
HIPAA and HITECH compliance is not necessarily the same as Mass 201 CMR 17 compliance, but there are common procedures to achieve "legally defensible" security.
By Bill Brenner, Senior Editor
September 21, 2010 — CSO —
Compliance challenges are nothing new in the healthcare sector. For years, hospitals, insurers and related suppliers have been grappling with the likes of HIPAA and, in cases where credit card data is used, PCI DSS. Meanwhile, Mass 201 CMR 17 has made compliance even more complex for anyone doing business in and with companies in Massachusetts.
IT security practitioners and compliance officers have generally settled into a process that provides what the data security regulations and privacy standards require. But at a compliance workshop in the Boston offices of Mintz Levin Tuesday morning, legal, privacy and security experts noted that some challenges remain particularly vexing -- especially when it comes to figuring out differences between regulations and carving out a security plan that covers all the bases.
"Even though these things are not new, there is still confusion over whether you have to worry about one set of regulations if you already comply with another set," said Mike Spinney, senior privacy analyst at the Ponemon Institute and owner of the SixWeight consultancy.
A panel consisting of Spinney, Cynthia Larose of Mintz Levin, Matt Pettine of MFA Cornerstone Consulting LLC and Nagraj Seshadri of security vendor Sophos, sought to untangle the confusion and present the common building blocks of a plan that will at least ensure "legally defensive security."
Larose offered the legal perspective, noting that there is some overlap between HIPAA and CMR 17. But there are also some distinct differences, and HIPAA compliance does not free an organization from having to heed the requirements of CMR 17. One specific difference between the regulations is that encryption isn't required outright under HIPAA, but it is under CMR 17.
Though HIPAA has been criticized in the past for a lack of enforcement, HITECH has added teeth to the things HIPAA first outlined. In an article for CSO, Rick Kam of ID Experts noted the following examples of what HITECH adds to the mix:
- New requirements around managing Protected Health Information (PHI), including extending accountability from healthcare providers to their business associates;
- New federal rules for data breach notification, including specific notification thresholds, timelines and methods; and
- Effective immediately, increased and sometimes mandatory penalties with maximum fines ranging from $25,000 to as much as $1.5 million.
As for the penalties, Larose said, the worst thing an organization can do is fail to act the second a breach is discovered. Companies that fail to act and notify within 30 days face the stiffest penalties. She also noted that under HITECH, the authorities notify the public of a breach within 60 days of an incident. That list of publicized breaches keeps growing, and examining the most common points of failure on it can be enormously useful, she said.