BIG DAY FOR HIPAA/HITECH PROVISIONS
Posted on February 19th, 2010
While many of the changes to HIPAA contained in the HITECH amendment, such as increased fines, Attorneys General enforcement, and Health Data Breach notification, came into effect already, February 18th, the law’s one-year anniversary, marks a number of significant HIPAA/HITECH milestones.
Here is a sample of some that could affect the secure destruction service provider . . .
- Application of rules to, and accountability for, Business Associates. (No longer are BAs solely tied to HIPAA by the BA contract with the Covered Entity, but now, in some respects, operate essentially with all the requirements applied to Covered Entities.)
- Requirement for HHS to begin conducting mandatory audits.
- Clarification regarding which entities are required to be business associates. (Both HHS and the FTC have already identified secure destruction services as BAs in earlier guidance publications. It would be difficult to see this changing.)
- HHS and FTC study on privacy and security requirements for PHR vendors and applications. (PHR vendors are a new type of Covered Entity under FTC jurisdiction who maintain or process health-related data as a result of offering Internet-based services.)
- First annual guidance on the most effective and appropriate technical safeguards for health information. (This could go either way. When HHS issued guidance on security measures to avoid data breach, they inadvertently caused many Covered Entities to apply the wrong particle size specification. If guidance is promulgated in this new document with a similar type of reference, it will make life a bit more complicated for secure destruction services.)
- HHS to implement a health information privacy educational initiative
- Clarification regarding the ability to impose criminal penalties against individuals
The seamless integration between KOM Networks and CommVault offers a way to reduce costs, drive greater operational efficiency and simplify the way organizations manage, retain and protect their information.
Posted on February 10th, 2010
KOM Networks, based in Ottawa, Canada, a provider of storage management solutions for secure archiving, has certified its KOMpliance with Simpana 8 software from Oceanport, N.J.-based CommVault to provide data storage, search and management solutions for small businesses to large enterprises.
In a press release, the companies note that “the seamless integration between KOM Networks and CommVault offers a way to reduce costs, drive greater operational efficiency and simplify the way organizations manage, retain and protect their information.”
According to the companies, their technology relationship “will provide the availability of an integrated offering that addresses a wide range of compliance requirements at a very affordable price without sacrificing reliability or performance.”
KOMpliance is a turnkey archive storage solution that uses standard file sharing protocols to deliver a secure universal file archive repository, according to KOM Networks. KOMpliance is available with its own storage capacity or as a SAN (storage area network) gateway to create secure archives using Fibre Channel and iSCSI storage resources. No agents or client licenses are required.
“Both CommVault and KOM have similar ideals in providing a very simple way to reduce costs, risk and manage growth while upgrading their technical infrastructure,” says Kamel Shaath, chief technology officer of KOM Networks. “Our integrated offerings will provide the best of all worlds, including Simpana software’s data deduplication, which complements the KOMpliance solution, eliminating redundant data to save on storage costs.”
CommVault Simpana software uses a single-platform architecture that is designed to enable companies to reclaim space on primary storage, reduce off-site storage by up to 90 percent and eliminate up to half their tape drives, according to the company. The enterprise data management software features data deduplication, laptop and desktop protection, remote office data management and advanced copy management features.
Paper Mill Signs Deal to Build Large “Green Diesel” Plant
Posted on February 9th, 2010
Flambeau River Biofuels, Park Falls, Wis., has signed a letter of intent to engineer, procure and build what it is calling the largest second generation “green diesel” plant in the United States. It will be built at the Flambeau paper mill in Park Falls, Wis. The project, slated to cost around $250 million, is being funded in part with a U.S. Department of Energy grant. It is expected to be operational by 2013.
The plant will use a patented process technology from ThermoChem Recovery International, Baltimore, to convert roughly 1,000 tons of woody biomass from bark, sawdust, wood and forest residue per day. The process will convert the material into electrical power, steam, and heat at the paper mill.
PSI 2010 Meetings Tied to Four Events
Posted on February 8th, 2010
The Paper Stock Industries (PSI) chapter of the Institute of Scrap Recycling Industries Inc. (ISRI) has announced its 2010 meeting schedule.
Each of the chapter’s membership and board meetings will be tied to larger recycling industry events in 2010. “The chapter is exploring new tie-in opportunities and taking advantage of industry event changes that will give our group some new exposure,” the PSI Board of Directors says in a news release accompanying the schedule announcement.
The PSI members and board will meet in 2010 at these four events:
• The Southeast Recycling Conference & Trade Show, Destin, Fla., March 7-10. On March 8, a PSI cocktail reception will take place at the Hilton Sandestin Beach Golf Resort & Spa, where the event is being held. The announcement from PSI notes, “This new PSI event is in lieu of past receptions at Paper Week in New York City; because of a schedule change by AF&PA (the American Forest & Paper Association), the Paper Mills’ Recycling Division of AF&PA will not be meeting at Paper Week this year.”
• ISRI Annual Convention & Exposition, San Diego, May 4-8. “Paper and recovered fiber recycling is the newest segment to be fully incorporated into convention programming as ISRI’s Paper Stock Industries (PSI) Chapter moves to participate more fully in the convention,” says PSI. “The PSI Chapter will hold its semi-annual chapter meeting during the annual ISRI Convention as well.”
• Paper Recycling Conference & Trade Show, Chicago, June 13-15. A PSI cocktail reception and meetings will take place in coordination with the Recycling Today Paper Recycling Conference, held at the Marriott Downtown Chicago Magnificent Mile.
• 49th Annual PSI Fall Conference, Palm Beach, Fla., Nov. 9-12. The 49th annual version of the PSI Fall Conference is to be held at the Four Seasons Resort in Palm Beach.
More information on the PSI’s involvement in these events can be obtained by e-mailing info@paperstockindustries.org.
The Open Security Foundation’s Data Breach Reports – Good News and Bad News
Posted on February 7th, 2010
While the incidence of data breaches in 2009 declined to 436 from the 717 incidents reported in 2008, the number of records affected increased from 86.3 million in 2008 to nearly 218.8 million records in 2009.
According to a report from the Open Security Foundation, Glen Allen, Va., the business sector had the most breaches in 2009, numbering 205. Government was a distant second with 92 breaches, followed by education with 81 breaches and medical with 65 breaches.
Of these incidents, 358 involved names and addresses, while 278 involved Social Security numbers and 101 involved date of birth, according to the Open Security Foundation. Seventy-three breach incidents involved credit card information, and 71 incidents involved medical information. Financial information was released in 61 incidents, while account information was involved in 56 incidents.
In 2008, the business sector had the largest incidence of breaches with 385, followed by the education sector with 145, government with 101 and medical with 98 incidents, according to the Open Security Foundation.
The bulk of the incidents, 588, involved name and address information in 2008, while 516 incidents involved Social Security information, according to the Open Security Foundation. Financial and account information were involved in 88 and 74 incidents, respectively.
Additional information on The Open Security Foundation’s data breach reports can be found at: http://datalossdb.org/reports.
Data protection legislation moves to the front burner in Congress.
Posted on February 6th, 2010
Heating Up
In mid-November the U.S. Senate Judiciary Committee approved both the Personal Data Privacy and Security Act and the Data Breach Notification Act, sending the clear message that comprehensive information protection legislation is back on the congressional agenda.
It may strike readers as odd to say “it’s back,” but consider that both the HITECH (Health Information Technology for Economic and Clinical Health Act) amendments to HIPAA (Health Insurance Portability and Accountability Act) and the Red Flag Rule were driven from outside Congress. (HITECH was actually born of the new administration’s stimulus package, and Red Flag is actually a regulatory rule change by the Federal Trade Commission.) The numerous proposed data protection bills of a few years back were killed by committee jurisdictional issues, an unsupportive administration and other priorities on the national agenda. Frustration over this situation took data protection out of serious congressional consideration for the last two or three years.
While no one can argue the national agenda has been cleared of other issues, many privacy watchers say they believe the time is ripe for Congress to move its promises of comprehensive data protection legislation forward.
In the meantime, NAID will do its best to keep members abreast of developments and exert its influence if and when necessary.
By Bob Johnson – the executive director of the National Association for Information Destruction
execdir@naidonline.org
ARTICLE HIGHLIGHTS LACK OF MEDIA COVERAGE FOR DATA BREACHES
Posted on December 24th, 2009
December 6, 2009 - An article on the website The Daily Censored highlights the lack of national media attention paid to the near constant stream of data breaches. Highlighting many incidents profiled in recent issues of NAIDDirect, this article also references a recent report done by the Ponemon Institute, a privacy and data security consultancy firm, which shows nearly 70% of senior managers surveyed do not believe privacy and data security are a high concern. While disconcerting, both the article and the Ponemon Institute’s report demonstrate the need for the legislation discussed in this issue of NAIDDirect.
NAID EXECUTIVE TO SPEAK IN ORLANDO AND NEW YORK CITY
Posted on December 23rd, 2009
NAID Executive Director Bob Johnson will start 2010 with two public appearances that continue the cross-country barnstorming he began earlier this year.
On January 9th, Bob will address the January meeting of the Orlando Chapter of ARMA International. ARMA Orlando meets at The Tap Room at Dubsdread Country Club from 11:30am to 1:00pm. The address is 549 West Par Street, Orlando, Florida.
Later in the month, on January 26th, Bob will address the Mid-Sized Law Firm Section of the New York City Chapter of the Association of Legal Administrators. The meeting runs from 12:30 to 2:00 and will be held at the law offices of Frommer Lawrence & Haug, 745 Fifth Avenue, 10th Floor, New York, New York.
Bob will be speaking to both groups on the “New Realities of Proper Information Destruction,” including the need for compliance policies and procedures and the CTK training NAID has provided to many members.
GREEN LIGHT: NEW DATA PROTECTION LAW LIKELY SOON
Posted on December 22nd, 2009
We have all heard the saying, “where there’s smoke, there’s fire.” Well, there is certainly a lot of smoke related to pending federal data protection legislation.
NAID has been anxiously monitoring a host of events that indicate a national data protection law, potentially preempting state laws, is likely next year.
- In August, Senator Patrick Leahy (VT-D) introduced the Personal Data Privacy and Security Act of 2009 (PDPSA) that has already passed the Senate Judiciary Committee (which Leahy chairs) and is on its way to the full Senate.
- The House of Representatives just passed the Data Accountability and Trust Act (DATA). Privacy watchers in D.C. say this increases the likelihood that a comprehensive data protection law will result.
- An editorial two weeks ago in the New York Times made a strong appeal for movement on the long-overdue national data protection law.
- An article in the Washington Post last week pointed out that the disposal of hard copy records is just as significant a problem as e-destruction and deserves increased legislative attention.
- NAID contacts within the FTC are openly saying they anticipate a new national data protection law in 2010.
The good news is that the language in these laws is very direct about destruction requirements as well as penalties and enforcement. That being said, NAID believes there is a strong likelihood that special interests will seek to water them down and NAID isn’t taking any chances. The association intends to be as vocal as ever in reminding lawmakers that clear direction and enforcement are essential to effective data protection.
NAID will likely dedicate some resources to convincing legislators that paper-based breaches be subject to data breach notification provisions—a point that is not as clear as it should be in some of the current language.
HITECH RELATED REFERENCE TO NIST SPECIFICATION CAUSING CONFUSION/CONCERN
Posted on November 25th, 2009
The Department of Health and Human Services issued guidance related to safe harbors for healthcare providers to avoid mandatory data breach notification. The guidance states that if computer hard drives are disposed of after sanitization meeting National Institute for Standards and Testing (NIST) specification SP 800-88, data breach notification will not be required. It also states that destroying paper media in a manner that it “cannot be read or otherwise cannot be reconstructed” provides that same safe harbor. The NIST SP 800-88 specification reference in the HHS Guidance DOES NOT APPLY to paper media within the HHS Safe Harbor Guidance, HIPAA, HITECH or Data Breach Notification.
Unfortunately, because NIST SP 800-88 also contains a specification for paper destruction, one with a very small particle size, some HIPAA/HITECH Covered Entities are misinterpreting the HHS Guidance to mean that the destruction specification extends to paper as well. Again, the reference to NIST SP 800-88 does not extend to paper media, only to sanitization.
Here is the language as it reads in the Federal Register:
(b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800–88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
It is important to note that none of this is actually a requirement of HIPAA or HITECH—it is simply advice regarding safe harbors for avoiding possible data breach notification events.
Read the Federal Register Reference
(source: http://naidonline.org/)