Tag Archive for 'HIPAA'

Deleting Data does not Purge Data

I have always been an active proponent of disposing of replacement or obsolete technology products in a controlled, regulated fashion. Of late, I have been promoting the notion that “Deleting Data does not Purge Data”.

Many assume that simply “deleting” the files on a system gets rid of their contents on the drive. This is not the case: a delete normally removes only the file system’s reference to the data, and the contents themselves very likely remain recoverable.

This compromises the privacy of your data, which could include passwords, personal information, classified documents from work, etc. Exposure of classified data could also lead to legal consequences.

As per a recent article (Dumped hard drives tell all), most people tend to transfer desktops or laptops without first disposing of the data on them.

113 of 200 drives purchased on eBay as part of a security vendor’s study on disk sanitization still contained recoverable data, including data that in some cases appeared to be confidential or quite personal in nature.

We deal with highly classified data, which sometimes includes information that is confidential or quite personal in nature. Our team often downloads a client’s database (with consent) over a secure connection. This data might contain Electronic Patient Health Information, which must be protected from unauthorized disclosure in compliance with the requirements of HIPAA and other applicable state and federal privacy regulations.

When an employee leaves, the desktop or laptop is usually transferred to another person or department, or disposed of as surplus property. Before this is done, “Disk Sanitization” must be mandated.

There are two options to sanitize a disk:

  1. Wipe or overwrite the disk using a software utility
  2. Physically destroy the hard disk by melting, shredding, etc.

Types of Secure Deletion Standards:

  1. Simple overwrite (1 pass)
  2. Department of Defense DoD 5220.22-M (3 passes)
  3. NSA (7 passes)
  4. Gutmann (35 passes)

To successfully wipe a hard drive, one should at least use a utility that meets the DoD 5220.22-M (3-pass) standard.
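To make the difference between “deleting” and “overwriting” concrete, here is an added Python example (not code from the original post, and unrelated to the DBAN or Eraser utilities). It simulates a tiny disk image in memory: block 0 is a directory table, the remaining blocks hold file data. An ordinary delete clears only the directory entry, a per-file sanitize overwrites the file’s blocks once per pass and verifies each pass, and a whole-disk wipe overwrites everything, directory included. The block layout, the directory entry format and the pass sequence (zeros, ones, random) are this example’s assumptions, loosely modelled on the three-pass scheme named above; the sample patient record is constructed.

```python
import os
import struct

BLOCK_SIZE = 512
NUM_BLOCKS = 64
ENTRY_FMT = "<8sII"                         # name, start block, length in bytes
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 16 bytes
MAX_ENTRIES = BLOCK_SIZE // ENTRY_SIZE      # block 0 is the directory table

# Pass sequence loosely modelled on the DoD 5220.22-M three-pass scheme
# (character, complement, random); the exact ordering is this example's assumption.
DOD_3_PASS = ("zeros", "ones", "random")


class ToyDisk:
    """Constructed in-memory disk image: one directory block plus data blocks."""

    def __init__(self) -> None:
        self.image = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.next_free = 1                      # first data block

    def _entries(self):
        for i in range(MAX_ENTRIES):
            name, start, length = struct.unpack_from(ENTRY_FMT, self.image, i * ENTRY_SIZE)
            if length:
                yield i, name.rstrip(b"\0").decode(), start, length

    def _find(self, name: str):
        for slot, n, start, length in self._entries():
            if n == name:
                return slot, start, length
        raise FileNotFoundError(name)

    def write_file(self, name: str, data: bytes) -> None:
        nblocks = -(-len(data) // BLOCK_SIZE)   # ceiling division
        if self.next_free + nblocks > NUM_BLOCKS:
            raise OSError("disk full")
        used = {slot for slot, *_ in self._entries()}
        slot = next(i for i in range(MAX_ENTRIES) if i not in used)
        start = self.next_free
        self.image[start * BLOCK_SIZE:start * BLOCK_SIZE + len(data)] = data
        struct.pack_into(ENTRY_FMT, self.image, slot * ENTRY_SIZE,
                         name.encode()[:8], start, len(data))
        self.next_free += nblocks

    def delete_file(self, name: str) -> None:
        """What an ordinary delete does: clear the directory entry, leave the data blocks alone."""
        slot, _, _ = self._find(name)
        self.image[slot * ENTRY_SIZE:(slot + 1) * ENTRY_SIZE] = bytes(ENTRY_SIZE)

    def _overwrite(self, lo: int, hi: int, passes) -> int:
        """Overwrite image[lo:hi] once per pass, reading each pass back to verify it landed."""
        n = hi - lo
        for pattern in passes:
            fill = bytes(n) if pattern == "zeros" else b"\xff" * n if pattern == "ones" else os.urandom(n)
            self.image[lo:hi] = fill
            if bytes(self.image[lo:hi]) != fill:      # a silent write failure means data survives
                raise IOError("verification failed for pass %r" % pattern)
        return len(passes)

    def sanitize_file(self, name: str, passes=DOD_3_PASS) -> int:
        """Per-file secure erase: overwrite every block the file occupies, slack space included."""
        slot, start, length = self._find(name)
        lo = start * BLOCK_SIZE
        hi = lo + -(-length // BLOCK_SIZE) * BLOCK_SIZE
        done = self._overwrite(lo, hi, passes)
        self.delete_file(name)
        return done

    def wipe_disk(self, passes=DOD_3_PASS) -> int:
        """Whole-device wipe: every block, directory included, then an empty directory is written."""
        done = self._overwrite(0, len(self.image), passes)
        self.image[0:BLOCK_SIZE] = bytes(BLOCK_SIZE)     # reformat before reuse
        self.next_free = 1
        return done

    def raw_scan(self, needle: bytes) -> bool:
        """Forensic-style recovery: search the raw image, ignoring the directory entirely."""
        return needle in self.image


def demonstrate() -> dict:
    """Delete vs. per-file overwrite vs. whole-disk wipe, on a constructed patient record."""
    secret = b"MRN=000123;NAME=Jane Example;DX=constructed-sample"   # constructed sample PHI
    disk = ToyDisk()
    disk.write_file("patient", secret)
    disk.delete_file("patient")
    after_delete = disk.raw_scan(secret)          # True: entry gone, bytes still on the platter
    disk2 = ToyDisk()
    disk2.write_file("patient", secret)
    disk2.sanitize_file("patient")
    after_sanitize = disk2.raw_scan(secret)       # False: the blocks were overwritten three times
    disk.wipe_disk()                              # also removes the remnant the delete left behind
    after_wipe = disk.raw_scan(secret)            # False
    return {"after_delete": after_delete, "after_sanitize": after_sanitize, "after_wipe": after_wipe}
```

Calling `demonstrate()` returns `after_delete` as `True` and the other two as `False`, which is the whole argument of the post in three lines: a raw scan of the media finds the record after a delete and does not find it after an overwrite. On real hardware the same idea applies only to sectors the drive exposes; remapped sectors and flash-based media (SSDs) are not reliably cleared by overwriting and need the drive’s built-in secure-erase command or physical destruction.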

Some open-source products that perform software disk wiping include:

  1. Eraser: http://www.heidi.ie/eraser/ (free)
  2. DBAN: Darik’s Boot and Nuke: http://dban.sourceforge.net/ (free)

Aging computer hard drives and other storage media always carry a risk of compromising data. Anyone claiming that the potential costs associated with aging computer hardware are limited has not done the research.

I can only hope that everyone learns from experience that using appropriate data destruction mechanisms will prove a real bargain in the long run!

Patient Privacy - A Reality

I have always respected the privacy of the individual. Recently, my regard for patient privacy and consent has raised concerns in my mind about the current state of health care.

The privacy of an ordinary person is as important as that of a celebrity or the CEO of a major public company. Recently, “Shares of Apple Inc. fell on account of health concerns about their CEO - Steve Jobs”. This news caused a trickle-down effect: the company’s shares took a hit and fell 5.7%, and the market reacted to the negative imbalance.

The effects of denying medical privacy include, but are not limited to, the following:

  1. Job Loss
  2. Discrimination
  3. Credit Denial
  4. Fear
  5. Loss for Stakeholders

CHCF Consumer Privacy Health Survey (2005) shows that 67% of Americans are concerned about the privacy of their personal medical records.

In my opinion, patient privacy is the most important factor in the patient-doctor relationship. To protect it, we must:

  1. Invest in technologies that build a secure environment to protect patient data
  2. Educate the team on HIPAA and patient privacy
  3. Obtain consent before using or sharing patient data
  4. Authenticate the receiver or observer of patient data
  5. Limit secondary use of patient data
  6. Observe strict policies while storing patient data
  7. Define rules for non-tolerance
  8. Mandate compliance with security practices
  9. Define a framework for data integrity, safeguards and accountability
  10. Follow standards and certifications to maintain sane levels of protection for patient privacy

The economic stimulus bill of the Obama Administration (passed by the House 244-188) includes $20 billion to promote health IT. This bill includes:

  1. A ban on sale of protected health information in electronic medical records and limitations on marketing
  2. Audit trails of all electronic health record transactions, encryption requirements, and rights to electronic copies of our records
  3. Requires the Secretary to revisit and narrow the definition of “health care operations”
  4. Improved enforcement provisions such as breach notification, required periodic audits, state attorneys general enforcement, a compensation scheme for privacy victims and applying security and privacy provisions and penalties to business associates
  5. Ensuring taxpayer dollars go only to funding systems that are capable of segmenting specific and sensitive information
  6. Funding for consumer advocacy groups and not for profit entities to participate in the regulatory process.

- derived from PatientPrivacyRights.org Newsletter: Privacy in the Stimulus?, Dated: Jan 29, 2009

This bill, if passed by the Senate, will put consumers’ interests ahead of industry profits. With proper use of technology, policy definition and process implementation, patient privacy can now become a reality.

I vote for Patient Privacy! Do you?

Nationwide Privacy and Security Framework For Electronic Exchange of Individually Identifiable Health Information

The Office of the National Coordinator for Health Information Technology (ONC) at the U.S. Department of Health and Human Services (HHS) has documented the need for a Nationwide Privacy and Security Framework For Electronic Exchange of Individually Identifiable Health Information.

The purpose of the document is to address the need to protect individually identifiable health data, as electronic health information exchange poses new challenges and complexities every day.

The Code of Fair Information Practice from the U.S. Department of Health, Education, and Welfare (HEW) sets out five practices that allow the benefits of computerization while providing privacy safeguards:

  1. openness
  2. disclosure
  3. secondary use
  4. correction
  5. security

At various levels there are different laws governing Privacy & Security of patient health information. These include but are not limited to:

  1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  2. the Privacy Act of 1974
  3. the Confidentiality of Alcohol and Drug Abuse Patient Records Regulation (42 CFR Part 2)
  4. the Family Educational Rights & Privacy Act (addresses privacy of information held by certain educational institutions)
  5. Gramm-Leach-Bliley Financial Services Act (addresses privacy of information held by financial institutions)
  6. Federal Information Security Management Act of 2002 (FISMA)

The principles outlined in the framework are meant to guide the use of electronic health information, and they are technology-adaptive.

The principles include:

  1. Individual Access: Individuals have the right to access their information and the right to dispute it if the information is inaccurate.
  2. Openness And Transparency: Individuals should be able to trust the information system that maintains and stores their health information.
  3. Individual Choice: An individual should be able to make an informed choice about his or her data being exchanged over a network.
  4. Collection, Use, And Disclosure Limitation: An individual’s information should be collected only with consent. Any use of the information (including secondary use) should be for specified purposes, and any disclosure should be made only with the individual’s consent.
  5. Data Quality And Integrity: Entities should take appropriate measures to ensure that identifiable information is accurate, up to date, complete and has not been altered.
  6. Safeguards: Reasonable administrative, technical, and physical safeguards should be in place to protect individually identifiable health information.
  7. Accountability: Appropriate procedures and policies should be in place to assure accountability in the system.

The goal of the Nationwide Privacy and Security Framework is to ensure trust and safeguards for the electronic exchange of individually identifiable health information.

EHR: Secondary Use of Patient Data for Quality Measurement

If a doctor is participating in a quality measurement initiative and is only submitting “Aggregate Patient Information” to the quality measure unit, does the doctor need to obtain CONSENT from the patient for the patient’s information being used in “Aggregate Data Collection”?

PatientPrivacyRights.Org (Deborah Peel, MD) says:

There should be no “secondary uses” or any uses of our personal health information without contemporaneous, informed consent.

Technically, HIPAA does not require consent for aggregate information sharing. Also, quality measurement is part of treatment/payment/operations, so it is exempt anyway. However, beyond HIPAA there is the perception of the patient and the community that their data is being shared.
