I had the pleasure to speak on HITECH to a room full of non-profit professionals in conjunction with a program hosted by the GroundWork Group at the United Way offices in Columbus, Ohio. This is a summary of the presentation along with some useful links from the talk.
With the February 2009 passage of the American Recovery and Reinvestment Act of 2009, businesses that provide health care services, or that provide products or services to those that do, need to take note of the Health Information Technology for Economic and Clinical Health Act, or the "HITECH Act".
Among other things, HITECH expands the reach of the Health Insurance Portability and Accountability Act (HIPAA) and introduces the first federally mandated data breach notification requirement. In expanding that reach, it also puts regulatory teeth into a health-care-oriented compliance requirement that, frankly, many of my clients have chosen to ignore until now.
1. Understand the law and your organization's responsibility to it.
Health and Human Services provides good information on Health Information Privacy for Covered Entities. As you are reading through this site remember that HITECH in part expanded HIPAA to treat Business Associates as Covered Entities for information security and privacy.
Some of that understanding may have to come from a review of any Business Associate Agreements you have in force with partners, vendors or customers.
Other useful links within the HHS site include:
2. Assign specific responsibilities to staff members. HIPAA requires that you have a Compliance Officer, a Security Officer and a Contact Person to manage complaints and inquiries. One person can hold all three roles, but the roles need to be formally assigned.
3. Attack the HIPAA compliance problem as a business issue. Organize a cross-functional committee including the Compliance and Security Officer, a "C-level" executive, the IT manager, the HR manager and at least one representative of your service delivery units. We suggest that the committee be an Information Security and Compliance Committee that also covers other compliance obligations such as Ohio's Data Notification Law, PCI and the rest of the compliance alphabet soup you are responsible for meeting.
4. Inventory your information assets. You have to know where your critical data is to be able to protect it!
5. Conduct a risk assessment.
6. Formalize your policies.
7. Train your workforce. HIPAA requires that both incumbent and new-hire staff are trained. In the non-profit world, make sure that this includes your volunteer workforce. HIPAA requires regular notifications. Should an auditor show up, you need to be able to show who was trained and when, so plan your training with that record-keeping in mind. My company, Jacadis, has a web-based security awareness training platform that can meet this requirement.
There are MANY technical issues that need to be addressed for HIPAA. Two that need immediate attention relate to breach notifications. HHS has information about breach notifications.
As you are planning to meet the breach notification rules it might also be helpful to reference the work of the Ponemon Institute. According to their site, “Ponemon Institute conducts independent research on privacy, data protection and information security policy.” The numbers are constantly changing as they update their research. We’ve used their findings that a breach costs a company $180 to $230 per record.
To manage the breach requirements you need to consider encryption. Jacadis works with SOPHOS. Regardless of which product you choose it should support one of the following encryption algorithms: DES, AES, RSA, Blowfish, Twofish. We recommend whole disk encryption as an easier, more effective deployment choice.
To manage the breach requirements you also need to have logging in place. Again, Jacadis recommends Event Tracker.
Finally, you need to be prepared for an audit. Health and Human Services is very clear about the breadth and depth of what an audit will entail. If you are technically focused you can't meet an audit request on your own, you need management support. If you are management focused, you can't meet an audit request on your own, you need technical involvement. See step two for how to organize yourselves to meet compliance and be prepared should you ever be audited.