Even though the full extent of the HIPAA and HITECH requirements will not be required for Business Associates until 2011, my experience with helping organizations reach compliance with appropriate security requirements suggests that compliance efforts should begin right away. Proposed changes to the rules can be viewed at regulations.gov (https://www.regulations.gov/search/Regs/home.html#documentDetail?R=HHS-OCR-2010-0016-0001). The deadline for submitting comments passed on August 13th; however, I would be surprised to find significant changes from those that have been proposed.
With Business Associates having to comply with the same requirements as Covered Entities, there are many important requirements with regard to handling ePHI. Companies should quickly become familiar with:
Performing periodic risk assessments that include ePHI – Organizations may decide to use guidance provided by HHS or use their own discretion.
Ability to respond to ePHI access inquiries – Just like covered entities, BAs need to be able to respond to requests regarding access to an individual’s ePHI.
Incident investigation timeframe – In accordance with the HITECH requirements, responding to security incidents and issuing appropriate breach notifications must take place within a relatively short timeframe. While 60 days may not seem very short, having participated in a number of incident investigations, I can assure you that this is not a lot of time.
Implementation of the above-mentioned requirements may warrant creating new or modifying existing policies, implementing new security controls, and providing training for IT staff and other ePHI custodians. Failure to comply with policies and practices may cause the company to be viewed as negligent, triggering significantly higher fines and possible consequences for company leadership. For those companies that have relatively new security and privacy programs, I strongly recommend referencing the HITRUST Common Security Framework (CSF) for detailed implementation requirements for individual HIPAA and HITECH controls. While this may be seen as overkill for small Business Associate organizations, the range of control implementation considerations will help organizations realize all possible consequences of these healthcare regulatory requirements. Because implementing some of the more technical controls requires considerable cost and operational change, organizations should take advantage of the time remaining before the requirements are mandated and they fall within the scope of HIPAA and HITECH enforcement efforts.
Antti Rantasaari and I will be delivering our presentation “Escalating Privileges through Database Trusts” at the National OWASP AppSec conference in Irvine, CA on September 10th. We are very excited to have the opportunity to share some of the common application and database implementation weaknesses we see in the real world. During the presentation we’ll show how those weaknesses can be combined to gain unauthorized access to high value data. The presentation will cover:
– Three core issues that contribute to weak application and database configurations
– Three common attack and escalation scenarios used during penetration tests
– Five fixes to help stop the bleeding
– Time for questions and answers
For those who are interested, come see us at AppSec. You can register online at the AppSec website. See you there!