HITECH
In February 2009, the American Recovery and Reinvestment Act (ARRA) was signed into law. ARRA includes provisions, known as the Health Information Technology for Economic and Clinical Health (HITECH) Act, that redefine and revitalize the HIPAA enforcement process.
The HITECH Act places emphasis on key IT-related healthcare policy objectives:
- Encourage adoption of electronic patient healthcare records (EHR) by 2014
- Disclose PHI data breaches in a timely manner, with very specific requirements
- Extend HIPAA requirements to business associates and non-HIPAA covered entities
- Add “teeth” to HIPAA by granting additional HIPAA enforcement authority to State Attorneys General and the FTC
- Periodic audits of HIPAA Privacy and Security requirements, such as access control
These objectives represent a major challenge for covered entities, which must begin a massive transition from paper to electronic records while adhering to stricter privacy requirements. The expansion of HIPAA rule applicability to non-HIPAA covered entities is even more significant today, over ten years after HIPAA was enacted, given the wide availability of electronic healthcare/medical records and of vendors who provide products or services to manage EHR/EMR.
The HITECH Act has strengthened enforcement of HIPAA through civil money penalties by introducing categories of violations. Civil money penalties were modified from their original form in HIPAA Section 160.404 “Amount of Civil Money Penalties” (based on the Social Security Act, Section 1176(a), 42 U.S.C. 1320d-5(a)) by Section 13410(d) of the HITECH Act, as follows:
| Before HITECH Act | After HITECH Act |
|---|---|
| No more than $100 per violation, per person. No more than $25,000 per person, during a calendar year. Limitations included “prohibitions on imposing civil money penalties for”: | For different categories of offenses, penalties per person/per calendar year are: |
LogLogic is an essential solutions provider to the healthcare industry in that it helps enable:
- Compliance with mandatory HITECH Act requirements for ePHI breach notification through real-time detection of unauthorized access to ePHI systems
- Reduced costs by avoiding costly breach notification tasks, through ‘reasonable diligence’ demonstrated by enterprise log management
- Safe harbor from the costly HITECH Act breach notification requirements, and the associated cost reduction, if the breached data can be proven to have been encrypted
- Ongoing compliance with HIPAA Privacy and Security rules related to access control, integrity, etc.
- Ongoing efficiency of security and compliance efforts with real-time, scalable enterprise log management.
LogLogic solutions enable compliance with the HITECH Act in the following areas:
| Compliance area | How LogLogic solutions help |
|---|---|
| Identify breaches (comply with HITECH 13402) | Helping to detect ePHI data breaches using real-time log data and analysis across all enterprise systems (databases, security events from all infrastructure systems) that may store, transmit or otherwise handle ePHI, and using this data to make the appropriate notifications to those affected by a possible compromise of ePHI (direct mapping, detective control). |
| Determine whether notification is actually required (comply with Interim Final Rules, p. 42741, which provide an exception/safe harbor to HITECH 13402) | Avoid costly breach notification requirements by identifying data access from systems known to enforce encryption of stored or transmitted data. |
| Demonstrate ‘reasonable diligence’ (comply with HITECH 13410) | Log collection, aggregation, normalization, correlation, and analysis are detective controls that satisfy the requirement to be classified in this category. All LogLogic products provide these controls, and the Database Security Manager goes further to provide preventive controls by terminating and quarantining unauthorized database connections. |
| Help business associates comply as well (comply with HITECH 13401) | Application of security provisions and penalties to business associates, reducing the risks associated with business associates. LogLogic solutions enable business associates of any size to comply with the HITECH Act. Since business associates by their nature may process ePHI on behalf of multiple clients (covered entities), it is essential that detailed logs recording the source of the ePHI data be kept. In the event of a data breach from the business associate’s infrastructure, it must comply with the HITECH Act breach notification requirements but can LIMIT its exposure to the covered entity that was the actual source of the ePHI. |
| Identify data access patterns which could be locked down through preventive controls (all of HITECH: avoid breaches) | Using detective controls such as logging to improve preventive controls (e.g. more granular authorization, removing terminated/revoked/guest user accounts) is an effective method for improving overall security and avoiding breaches in the first place. |
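The three capabilities described in the table above (detecting unauthorized ePHI access from logs, applying the encryption safe harbor when deciding whether notification is required, and keeping the source covered entity with each record so a business associate can scope its notification) can be illustrated with a small detective control. The following is an added example and not LogLogic product code; the key=value log format, the sample log lines, and the terminated-account, guest-account and encrypted-host reference sets are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample ePHI access log, one key=value event per line (format assumed for this example).
SAMPLE_LOG = """\
ts=2009-03-02T09:14:07Z user=jsmith host=db-ehr-01 action=SELECT table=patient_records client=acme_health rows=3
ts=2009-03-02T09:20:31Z user=guest host=db-ehr-01 action=SELECT table=patient_records client=acme_health rows=1200
ts=2009-03-02T10:02:44Z user=tbrown host=file-share-07 action=READ table=lab_results client=beta_clinic rows=48
ts=2009-03-02T10:05:12Z user=jsmith host=db-ehr-01 action=UPDATE table=patient_records client=acme_health rows=1
ts=2009-03-02T11:47:58Z user=mlee host=db-ehr-02 action=EXPORT table=patient_records client=beta_clinic rows=5000
"""

# Reference data a log-management system would normally pull from HR and asset inventories (all constructed).
TERMINATED_OR_REVOKED = {"tbrown"}              # accounts that must no longer reach ePHI
GUEST_ACCOUNTS = {"guest"}                      # shared/guest identities never authorized for ePHI
ENCRYPTED_HOSTS = {"db-ehr-01", "db-ehr-02"}    # systems known to enforce encryption of stored/transmitted ePHI


@dataclass
class AccessEvent:
    ts: str
    user: str
    host: str
    action: str
    table: str
    client: str   # covered entity that is the source of the ePHI (what a business associate needs to keep)
    rows: int


def parse_line(line: str) -> AccessEvent:
    """Normalize one key=value log line into a structured event."""
    fields = dict(token.split("=", 1) for token in line.split())
    return AccessEvent(
        ts=fields["ts"], user=fields["user"], host=fields["host"], action=fields["action"],
        table=fields["table"], client=fields["client"], rows=int(fields["rows"]),
    )


def parse_log(text: str) -> List[AccessEvent]:
    """Collection step: turn the raw log text into normalized events, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def unauthorized_reason(ev: AccessEvent) -> Optional[str]:
    """Detective control: explain why an access is unauthorized, or return None if it looks legitimate."""
    if ev.user in TERMINATED_OR_REVOKED:
        return "terminated/revoked account"
    if ev.user in GUEST_ACCOUNTS:
        return "guest account"
    return None


def notification_required(ev: AccessEvent) -> bool:
    """Safe-harbor check: access confined to a system known to enforce encryption does not trigger notification."""
    return ev.host not in ENCRYPTED_HOSTS


def find_unauthorized(events: List[AccessEvent]) -> List[Tuple[AccessEvent, str]]:
    """Correlate every event against the reference sets and keep the ones that need attention."""
    found = []
    for ev in events:
        reason = unauthorized_reason(ev)
        if reason:
            found.append((ev, reason))
    return found


def breach_report(events: List[AccessEvent]) -> Dict[str, Dict[str, object]]:
    """Group findings per source covered entity so a business associate can limit notification to that client."""
    report: Dict[str, Dict[str, object]] = {}
    for ev, reason in find_unauthorized(events):
        entry = report.setdefault(ev.client, {"events": 0, "notify": False, "reasons": set()})
        entry["events"] += 1
        entry["reasons"].add(reason)
        entry["notify"] = entry["notify"] or notification_required(ev)
    return report


def accounts_to_remove(events: List[AccessEvent]) -> set:
    """Feed the detective findings back into a preventive control: accounts still reaching ePHI that should be removed."""
    return {ev.user for ev, _ in find_unauthorized(events)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev, reason in find_unauthorized(evs):
        print(f"{ev.ts} {ev.user}@{ev.host} {ev.action} {ev.table} ({reason}); notify={notification_required(ev)}")
    print(breach_report(evs))
    print("accounts to remove:", accounts_to_remove(evs))
```

On the constructed log, the guest read on db-ehr-01 is flagged but falls under the encryption safe harbor, while the read by the terminated account on the unencrypted file share does require notification, and only the covered entity whose data that was (beta_clinic) is implicated. The set returned by accounts_to_remove is the input to the preventive side: the accounts that the logs prove still reach ePHI and should be disabled.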
While LogLogic can provide you with the tools to enable you to achieve compliance, LogLogic cannot determine if you have met your compliance objectives. For any such determinations, you are advised to consult with a qualified advisor.

