Educause Security Discussion mailing list archives

Re: HITECH Breach Notifications - NIST Required or Safe Harbor?


From: "Plesco, Todd" <tplesco () CHAPMAN EDU>
Date: Tue, 15 Sep 2009 15:25:34 -0700

Hi Chris,

asking the same question is whether compliance with the encryption
standards in the HIPAA security rule equates with compliance under
HITECH.

To answer the first problem/consideration: Encryption standards in HIPAA
security are based on your risk assessments and findings/agreements
internally of whether the "addressable" encryption becomes "required".
You should encrypt the electronic storage of PHI to the measure of
"reasonably anticipated" and determine with the key stakeholders which
functionality is "required".  I also believe that a budgetary restraint
may be equated into the "risk" to your organization.  To my
knowledge, DHHS OCR has not gone around (yet) handing out fines across
the board proactively.  They have mostly responded to complaints of
gross misconduct or breach fielded to them by customer end
(Medicare/Medicaid) stakeholders.

The second problem: Compliance under HITECH.  Some opinions are that it
is a loaded political question which actually undermines the intent of
HIPAA as a privacy law.  HITECH is seeking to encourage private
practices into sharing an electronic repository on the federal side.
This could turn into a powder keg for Constitutional discussions.  For
Federal healthcare entities though, it makes the distinction a bit
clearer on "where" to store EHRs.  It doesn't necessarily translate
directly over to the non-Federal medical arena, though.

Todd A. Plesco  CISM, CBCP
Chapman University, Director of Information Security
One University Drive, Orange, CA 92866
Phone: (714) 744-7979/Fax: (714) 744-7041

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Kidd
Sent: Tuesday, September 15, 2009 9:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HITECH Breach Notifications - NIST Required or Safe Harbor?

A question about the HITECH encryption standard for the breach
notification requirements: Do you view NIST/FIPS
standards/certifications as a requirement to meet the HITECH encryption
requirements or is NIST just a safe harbor, and other similar
technological standards would also meet with the HITECH standards?
Another way of asking the same question is whether compliance with the
encryption standards in the HIPAA security rule equates with compliance
under HITECH.  We have looked at the guidance on this and it's hard to
tell if NIST is the only relevant standard or just a safe harbor.

Thanks,

Chris Kidd

Chris Kidd
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu
http://www.secureit.utah.edu