PSM/HITREC
KNOW
PREMIER ISSUE
HIPAA PHI Identifiers and Definitions
Harvard Professor Re-Identifies Anonymous Volunteers In DNA
Privacy & Security
“Res Non Verba” – Dan Picart
HIPAA PHI: List of 18 Identifiers and Definition of PHI
1. Names;
2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data).

There are also additional standards and criteria to protect individuals' privacy from re-identification. Any code used to replace the identifiers in a dataset cannot be derived from any information related to the individual; the master code list cannot be disclosed, and neither can the method used to derive the codes. For example, a subject's initials cannot be used to code their data because the initials are derived from their name. Additionally, the researcher must not have actual knowledge that the research subject could be re-identified from the information remaining in the PHI used in the research study. In other words, the information would still be considered identifiable if there was a way to identify the individual even though all 18 identifiers were removed.
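The rules above are mechanical enough to implement directly. The following is an added example in Python (my code, not text from the regulation or any covered entity's tooling) that applies the Safe Harbor rules to a patient record: direct identifiers are dropped, the zip code keeps only its three-digit prefix and only when that prefix's population exceeds 20,000, other dates are reduced to the year, ages over 89 collapse into "90+" with the birth year removed as well, and a proposed replacement study code is checked against the "cannot be derived from the individual" rule. The field names, the three-digit-zip population table and the patient records are constructed for the example; a real implementation loads current Census figures.

```python
"""Safe Harbor de-identification of a patient record (added example)."""
import re
import secrets
from datetime import date

# Constructed sample population per three-digit ZIP prefix. These numbers
# are invented; a real implementation loads the current Census figures.
ZIP3_POPULATION = {"021": 1_500_000, "036": 15_000}

# Field names (assumed for this example) holding items 1 and 4-18 of the list.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo", "other_unique_code",
}
DATE_FIELDS = {"admission_date", "discharge_date", "date_of_death"}

def generalize_zip(zip_code):
    """Item 2: three-digit prefix, or "000" for areas of 20,000 people or fewer."""
    digits = re.sub(r"\D", "", zip_code or "")
    prefix = digits[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"

def age_on(dob, on_date):
    years = on_date.year - dob.year
    if (on_date.month, on_date.day) < (dob.month, dob.day):
        years -= 1
    return years

def deidentify(record, on_date):
    """Return a copy of `record` with the 18 identifier classes removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                 # items 1, 4-18: dropped outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            age = age_on(value, on_date)
            if age > 89:
                out["age"] = "90+"                   # item 3: no birth year either, it would reveal the age
            else:
                out["age"] = str(age)
                out["birth_year"] = str(value.year)  # the year alone is permitted
        elif field in DATE_FIELDS:
            out[field] = str(value.year)             # item 3: month and day removed
        else:
            out[field] = value                       # clinical content is kept
    return out

def new_study_code():
    """A replacement code that is random, hence not derivable from the subject."""
    return secrets.token_hex(8)

def is_derived_code(code, record):
    """Flag a proposed code the rule forbids: the subject's initials, or a
    fragment (4+ characters) of one of the direct identifiers such as the MRN."""
    code = code.upper()
    initials = "".join(w[0] for w in record.get("name", "").split()).upper()
    if code == initials:
        return True
    for field in DIRECT_IDENTIFIERS:
        value = str(record.get(field, "")).upper()
        if len(code) >= 4 and value and code in value:
            return True
    return False

# Constructed sample records (not real patients).
AS_OF = date(2013, 4, 25)
PATIENT = {
    "name": "Jane Q. Public", "mrn": "MRN-0047", "email": "jane@example.org",
    "dob": date(1930, 1, 15), "zip": "03601", "admission_date": date(2013, 4, 2),
    "diagnosis": "I10", "systolic_bp": 142,
}
PATIENT_OVER_89 = dict(PATIENT, dob=date(1920, 6, 1), zip="02138")

def run_samples():
    """De-identify both sample records as of AS_OF."""
    return deidentify(PATIENT, AS_OF), deidentify(PATIENT_OVER_89, AS_OF)

if __name__ == "__main__":
    for r in run_samples():
        print(r)
```

Note that Safe Harbor is only the first half of the test: the record above still carries a diagnosis and a year of admission, and the "no actual knowledge of re-identifiability" condition has to be judged against whatever other data a recipient could join to it.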
Definition: What is PHI?

Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. HIPAA regulations allow researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for health care services, such as treatment, payment or operations. For example, PHI is used in research studies involving review of existing medical records for research information, such as retrospective chart review. Also, studies that create new medical information because a health care service is being performed as part of research, such as diagnosing a health condition or a new drug or device for treating a health condition, create PHI that will be entered into the medical record. For example, sponsored clinical trials that submit data to the U.S. Food and Drug Administration involve PHI and are therefore subject to HIPAA regulations.

What is not PHI?

In contrast, some research studies use data that are person-identifiable because they include personal identifiers such as name and address, but the data are not considered to be PHI because they are not associated with or derived from a health care service event (treatment, payment, operations, medical records), are not entered into the medical record, and the subject/patient will not be informed of the results. Research health information that is kept only in the researcher's records is not subject to HIPAA but is regulated by other human subjects protection regulations.

Also note that health information by itself, without the 18 identifiers, is not considered to be PHI. For example, a dataset of vital signs by itself does not constitute protected health information. However, if the vital signs dataset includes medical record numbers, then the entire dataset must be protected since it contains an identifier. PHI is anything that can be used to identify an individual, such as private information, facial images, fingerprints, and voiceprints. These can be associated with medical records, biological specimens, biometrics, and data sets, as well as with direct identifiers of the research subjects in clinical trials.

Examples of research health information not subject to HIPAA include studies that use aggregate data, diagnostic tests that do not go into the medical record because they are part of a basic research study and the results will not be disclosed to the subject, and testing done without the PHI identifiers. Some basic genetic research can fall into this category, such as the search for potential genetic markers, promoter control elements, and other exploratory genetic research. In contrast, genetic testing for a known disease that is considered to be part of diagnosis, treatment and health care would be considered to use PHI and is therefore subject to HIPAA regulations.
45 CFR 164.312 Technical safeguards.

A covered entity must, in accordance with § 164.306:

(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

(2) Implementation specifications:

(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.

(ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
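Specifications (i) through (iii) describe a single access gate, and the point practitioners most often get wrong is that the emergency procedure in (ii) must not become an unlogged bypass of (i). The following added example in Python (my code, not from the regulation, NIST or any EHR vendor) shows the three working together: every decision is written to an audit trail under a unique user ID, normal reads require a grant from the access-management process, a "break-glass" read is allowed only with a stated reason and is flagged for later review, and a session idle longer than a fixed limit is terminated. The user IDs, grants, records and the 15-minute idle limit are constructed assumptions; the clock is passed in as seconds so the timeout can be exercised without waiting.

```python
"""ePHI session gate for 164.312(a)(2)(i)-(iii) (added example)."""
from dataclasses import dataclass

IDLE_LIMIT_SECONDS = 15 * 60   # assumed policy value; the rule leaves the period to the entity

# Constructed: unique user ID -> patient records that user has been granted.
GRANTS = {"u1001": {"pt-1", "pt-2"}, "u1002": {"pt-3"}}
RECORDS = {
    "pt-1": {"patient": "pt-1", "diagnosis": "I10"},
    "pt-2": {"patient": "pt-2", "diagnosis": "E11"},
    "pt-3": {"patient": "pt-3", "diagnosis": "J45"},
}

class AccessDenied(Exception):
    pass

@dataclass
class Session:
    user_id: str
    last_activity: float
    active: bool = True

class EphiGate:
    def __init__(self):
        self.sessions = {}
        self.audit = []   # (time, user_id, event, detail): every row names the user (i)

    def login(self, user_id, now):
        if user_id not in GRANTS:
            raise AccessDenied("unknown user ID")
        self.sessions[user_id] = Session(user_id, now)
        self.audit.append((now, user_id, "login", None))

    def _require_live_session(self, user_id, now):
        s = self.sessions.get(user_id)
        if s is None or not s.active:
            raise AccessDenied("no active session")
        if now - s.last_activity > IDLE_LIMIT_SECONDS:
            s.active = False                              # (iii) automatic logoff
            self.audit.append((now, user_id, "auto-logoff", None))
            raise AccessDenied("session expired after inactivity")
        s.last_activity = now

    def read_record(self, user_id, patient_id, now, emergency=False, reason=None):
        self._require_live_session(user_id, now)
        if patient_id in GRANTS[user_id]:
            self.audit.append((now, user_id, "read", patient_id))
            return RECORDS[patient_id]
        if emergency and reason:                           # (ii) break-glass: allowed, but loud
            self.audit.append((now, user_id, "emergency-read", f"{patient_id}: {reason}"))
            return RECORDS[patient_id]
        self.audit.append((now, user_id, "denied", patient_id))
        raise AccessDenied(f"{user_id} has no grant for {patient_id}")

    def emergency_events(self):
        """What the privacy officer reviews after the fact."""
        return [e for e in self.audit if e[2] == "emergency-read"]

def run_demo():
    """Walk one user through a normal read, a denial, a break-glass read and an idle logoff."""
    gate = EphiGate()
    gate.login("u1001", 0.0)
    normal = gate.read_record("u1001", "pt-1", 10.0)
    try:
        gate.read_record("u1001", "pt-3", 20.0)            # not granted, no emergency claimed
        denied = False
    except AccessDenied:
        denied = True
    emergency = gate.read_record("u1001", "pt-3", 30.0, emergency=True,
                                 reason="ED: patient unresponsive, treating clinician unavailable")
    try:
        gate.read_record("u1001", "pt-1", 30.0 + IDLE_LIMIT_SECONDS + 1)
        expired = False
    except AccessDenied:
        expired = True
    return {"normal": normal, "denied": denied, "emergency": emergency,
            "expired": expired, "audit": gate.audit, "to_review": gate.emergency_events()}

if __name__ == "__main__":
    for row in run_demo()["audit"]:
        print(row)
```

An emergency read without a reason falls through to the ordinary denial, so the break-glass path cannot be used silently. Specification (iv), encryption of the stored records, is deliberately outside this example.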
Notes-Links

Medicare & Medicaid EHR Incentive Program Registration & Attestation System

The Medicare and Medicaid Electronic Health Records (EHR) Incentive Programs will provide incentive payments to eligible professionals and eligible hospitals as they demonstrate adoption, implementation, upgrading, or meaningful use of certified EHR technology. These incentive programs are designed to support providers in this period of Health IT transition and instill the use of EHRs in meaningful ways to help our nation to improve the quality, safety, and efficiency of patient health care. This web system is for the Medicare and Medicaid EHR Incentive Programs. Those wanting to take part in the program will use this system to register and participate in the program. (Visit website)

HIPAA Administrative Simplification Regulation Text, March 2013
The HIPAA Privacy Rule's Right of Access and Health Information Technology

The Privacy Rule allows covered entities to require that individuals make requests for access in writing, provided they inform individuals of such a requirement. See 45 C.F.R. § 164.524(b)(1). In addition, the Privacy Rule has always considered electronic documents to qualify as written documents. Thus, the Privacy Rule supports covered entities' offering individuals the option of using electronic means (e.g., e-mail, web portal) to make requests for access. (Click to Read More)
Guidelines for Media Sanitization, Draft NIST Special Publication 800-88 (Recommendations of the National Institute of Standards and Technology)

The modern storage environment is rapidly evolving. Data generated by one organization may pass through systems and storage media of multiple other organizations before arriving at rest in the final destination. The pervasive nature of data propagation is only increasing as the Internet and data storage systems move towards a distributed cloud-based architecture. As a result, more parties than ever are responsible for effectively sanitizing media and the potential is substantial for sensitive data to have been collected and retained on the media. This responsibility is not limited to those organizations that are the originators or final resting places of sensitive data, but also intermediaries who transiently store or process the information along the way. The efficient and effective management of information from inception through disposition is the responsibility of all those who have handled the data. (Read More)
Guidelines for Managing and Securing Mobile Devices In the Enterprise (DRAFT), Special Publication 800-124 (Recommendations of the National Institute of Standards and Technology)

Mobile devices, such as smart phones and tablets, typically need to support multiple security objectives: confidentiality, integrity, and availability. To achieve these objectives, mobile devices should be secured against a variety of threats. The purpose of this publication is to help organizations centrally manage and secure mobile devices. Laptops are out of the scope of this publication, as are mobile devices with minimal computing capability, such as basic cell phones. This publication provides recommendations for selecting, implementing, and using centralized management technologies, and it explains the security concerns inherent in mobile device use and provides recommendations for securing mobile devices throughout their life cycles. The scope of this publication includes securing both organization-provided and personally-owned (bring your own device) mobile devices. (Read More)
HIPAA Security Rule Toolkit

The NIST HIPAA Security Toolkit Application is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Target users include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance services. Target user organizations can range in size from large nationwide health plans with vast information technology (IT) resources to small health care providers with limited access to IT expertise. (See Tool Page and Download)
Harvard Professor Re-Identifies Anonymous Volunteers In DNA Study

(Photo caption: Harvard Professor Latanya Sweeney)

A Harvard professor has re-identified the names of more than 40% of a sample of anonymous participants in a high-profile DNA study, highlighting the dangers that ever greater amounts of personal data available in the Internet era could unravel personal secrets. From the onset, the Personal Genome Project, set up by Harvard Medical School Professor of Genetics George Church, has warned participants of the risk that someone someday could identify them, meaning anyone could look up the intimate medical histories that many have posted along with their genome data. That day arrived on Thursday.

Professor Latanya Sweeney, director of the Data Privacy Lab at Harvard, along with her research assistant and two students, scraped data on 1,130 people of the now more than 2,500 who have shared their DNA data for the Personal Genome Project. Church's project posts information about the volunteers on the Internet to help researchers gain new insights about human health and disease. Their names do not appear, but the profiles list medical conditions including abortions, illegal drug use, alcoholism, depression, sexually transmitted diseases, medications and their DNA sequence.

Of the 1,130 volunteers Sweeney and her team reviewed, about 579 provided zip code, date of birth and gender, the three key pieces of information she needs to identify anonymous people when combined with information from voter rolls or other public records. Of these, Sweeney succeeded in naming 241, or 42% of the total. The Personal Genome Project confirmed that 97% of the names matched those in its database if nicknames and first name variations were included. She describes her findings here.

Sweeney has also set up a web page for anyone to test how unique their birthdate, gender and zip are in combination. When I tried it, I was the only match in my zip code, suggesting that I, like so many others, would be easy to re-identify. "This allows us to show the vulnerabilities and to show that they can be identified by name," she said. "Vulnerabilities exist but there are solutions too." (Personal disclosure: I work closely with Professor Sweeney in the Harvard Department of Government on topics related to my book research on the business of personal data, but was not involved with this study.)

On Thursday, researchers and participants in the Personal Genome Project gathered in Boston for a conference timed to mark the 60th anniversary of James Watson and Francis Crick's publication of their discovery of the DNA double helix structure in April 1953. Sweeney and her research assistant set up a table at the conference where participants could find out whether they could easily be identified. Sweeney sought not to out the study participants, but rather to demonstrate to them how providing a little less information, for example just birth year rather than exact birth date, and three digits rather than five or nine from the zip code, could help preserve anonymity for participants.

Several participants said they expected someone would one day re-identify them and said they were not particularly concerned. Volunteer Gabriel Dean said he was far more worried about another future threat forecast by the experiment, that one day criminals might be able to replicate DNA and place some at the scene of a crime. The conference took place a few blocks from the scene of the Boston Marathon bombing earlier this month.

Another "outed" participant, James Smith, a 59-year-old who lives outside Chicago, says he has an additional layer of protection because his name is so common. He said his genetic testing showed he had a greater possibility of developing Alzheimer's disease than a typical person, but said he was "not worried about job discrimination, I'm not worried about health care," he said. Smith is independently wealthy after having sold his company to Yahoo. "I'm retired."

Volunteer Lenore Snyder, however, said that she did not want to be identified and as a result did not provide her zip code and some other identifying characteristics in her profile. She said her genetic testing suggests she has an intellectual disability, even though she is a molecular biologist with a PhD. "People don't know how to interpret this," she said. "It's dangerous. A little bit of information is dangerous."

Sweeney's latest findings build on a 1997 study she did that showed she could identify up to 87% of the U.S. population with just zip code, birthdate and gender. She was also able to identify then-Massachusetts Gov. William Weld from anonymous hospital discharge records. The same techniques could be used to identify people in various surveys and records, pharmacy purchases, or from a wide variety of seemingly anonymous activities such as Internet searches. Figuring out clues about people could also enable identity theft. "I believe that many people in the current interconnected digital world are not aware of how easy it is to identify them with a high level of granularity," says Keith Batchelder, the founder of Genomic Healthcare Strategies in Charlestown, Massachusetts, and one of the first ten volunteers in the Personal Genome Project.

Church, who maintains a thick mountain-man beard, says that advances in data and in medicine make it impossible to guarantee anonymity for most medical experiment volunteers. Church has participated as a volunteer himself in past medical studies and scoffs at claims that such data can remain anonymous. Every year his university sends him an anonymous survey. He scribbles in some additional information at the beginning of the form. "My name is George Church, you could figure that out anyway," he writes.

His Personal Genome Project makes no privacy promises at all. "The Personal Genome Project is a new form of public genomics research and, as a result, it is impossible to accurately predict all of the possible risks and discomforts that you might experience," the 24-page consent form tells users. Later it specifies some possible risks: "The data that you provide to the PGP may be used, on its own or in combination with your previously shared data, to identify you as a participant in otherwise private and/or confidential research."

Volunteers take an online exam about the risks they face before they are allowed into the program. And the test does not pose a universal "you do understand the risks" question. It has 20 questions and he requires a perfect score. Potential volunteers can take the test as many times as they want until they pass. One person took the test 90 times before passing.

Given what Church sees as the flaws in preserving privacy in the Internet age, he has embraced openness about many aspects of his own history. On his personal home page he posts the exact coordinates of his home, his birthdate and parents, medical problems (heart attack, carcinoma, narcolepsy, dyslexia, pneumonia, motion sickness) and even a copy of the 1976 letter booting him out of Duke University for getting an F in his graduate major subject.

Many of the early participants in the Personal Genome Project share the same "let it all hang out" ethos. Volunteer Steven Pinker, a well-known experimental psychologist and author of the 2011 book "The Better Angels of Our Nature," posts his genome and a 1996 scan of his brain on his web page. He says even data as in-depth as his genome and medical records does not provide especially deep insights into a person. "There just isn't going to be an 'honesty gene' or anything else that would be nearly as informative as a person's behavior, which, after all, reflects the effect of all three billion base pairs and their interactions together with chance, environmental effects, and personal history," he says. "As for the medical records, I just don't think anyone is particularly interested in my back pain."

Could companies use medical information to single out people to deny them services? Might a bank, for example, turn down a loan to someone because their health records suggest they may die at a young age? Even though Church expected re-identification of his volunteers, he does not think so. "These companies are not yet highly motivated to do that and probably, judging from the way the wind's blowing on the Genetic Information Nondiscrimination Act, they would be ill advised to do that from a public relations standpoint," he says, referring to the 2008 law.

In a different study released earlier this year, researcher Yaniv Erlich at the Whitehead Institute for Biomedical Research in Cambridge, Massachusetts, was also able to re-identify almost 50 people participating in a different genomic study. He said that he does not know of anyone who has suffered harm to date from such re-identifications, but pointed out that the current ethical debate "emerged from the very bad history of the field in the first half of the 20th century, where bad genetics and an abundance of records of familial genealogy contributed to one of the most horrific crimes."

Misha Angrist, an assistant professor of the practice at the Duke Institute for Genome Sciences & Policy and one of the original ten to participate in the Personal Genome Project, praises the re-identification experiments by researchers such as Sweeney and Erlich. "It is a nuisance to scientists who are trying to operate under the status quo and to tell their participants with a straight face, you know, it's very unlikely that you will be identified," he says. "It is useful for pointing out that the emperor has no clothes, that absolute privacy and confidentiality are illusory."
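The attack in the article is a join on three quasi-identifiers, and the mitigation Sweeney offered at her conference table is a coarsening of the same three fields. The following added example in Python (my code, not Sweeney's tool, the Data Privacy Lab's code, or anything from the Personal Genome Project) performs both: an "anonymous" study table carrying 5-digit zip, full date of birth and sex is linked to a public list carrying the same fields plus a name, a profile counts as re-identified when exactly one voter matches, and the join is then repeated on 3-digit zip and birth year. It also computes how unique the key is within the population, which is what the "how unique are you" page reports. All study rows and voter rows are constructed for the example; none are real profiles or real voters.

```python
"""Linkage attack on quasi-identifiers and the effect of coarsening them (added example)."""
from collections import Counter, defaultdict

STUDY = [   # constructed: what a published profile exposes
    {"id": "p1", "zip": "02138", "dob": "1954-03-09", "sex": "M", "condition": "depression"},
    {"id": "p2", "zip": "02138", "dob": "1981-11-30", "sex": "F", "condition": "asthma"},
    {"id": "p3", "zip": "60611", "dob": "1954-03-09", "sex": "M", "condition": "Alzheimer's risk"},
    {"id": "p4", "zip": "02139", "dob": "1990-07-04", "sex": "F", "condition": "migraine"},
]
VOTERS = [  # constructed: a public roll with a name plus the same three fields
    {"name": "Alan Brown",  "zip": "02138", "dob": "1954-03-09", "sex": "M"},
    {"name": "Carl Brown",  "zip": "02141", "dob": "1954-08-20", "sex": "M"},
    {"name": "Beth Chen",   "zip": "02138", "dob": "1981-11-30", "sex": "F"},
    {"name": "James Smith", "zip": "60611", "dob": "1954-03-09", "sex": "M"},
    {"name": "James Smith", "zip": "60614", "dob": "1954-03-09", "sex": "M"},
    {"name": "Dana Ortiz",  "zip": "02139", "dob": "1990-07-04", "sex": "F"},
    {"name": "Eve Ortiz",   "zip": "02139", "dob": "1990-02-14", "sex": "F"},
]

def exact_key(row):
    """5-digit zip, full date of birth, sex: the combination Sweeney used."""
    return (row["zip"], row["dob"], row["sex"])

def coarse_key(row):
    """3-digit zip and birth year only: what volunteers were advised to publish."""
    return (row["zip"][:3], row["dob"][:4], row["sex"])

def link(study, voters, key):
    """Map each study id to the names of all voters sharing its key."""
    index = defaultdict(list)
    for v in voters:
        index[key(v)].append(v["name"])
    return {row["id"]: index.get(key(row), []) for row in study}

def reidentified(matches):
    """Ids pinned to exactly one voter. Two voters sharing both name and key
    still count as ambiguous: the attacker cannot tell which one it is."""
    return {pid for pid, names in matches.items() if len(names) == 1}

def uniqueness(rows, key):
    """Fraction of rows whose key is shared by no other row in the population."""
    counts = Counter(key(r) for r in rows)
    return sum(1 for r in rows if counts[key(r)] == 1) / len(rows)

def run_attack():
    """Link on the exact and the coarsened key and measure key uniqueness for both."""
    return {
        "exact": reidentified(link(STUDY, VOTERS, exact_key)),
        "coarse": reidentified(link(STUDY, VOTERS, coarse_key)),
        "exact_uniqueness": uniqueness(VOTERS, exact_key),
        "coarse_uniqueness": uniqueness(VOTERS, coarse_key),
    }

if __name__ == "__main__":
    for name, value in run_attack().items():
        print(name, value)
```

On this constructed data every profile is named with the exact key and only one survives the coarse key; the "James Smith" rows show why a common name helps only when the quasi-identifiers are also shared, which the exact key does not allow.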
Step-by-step guide on how to protect your network from spam - Author: edfisher

Intro

Spam, or more accurately Unsolicited Commercial Email, is still on the rise, with some estimates measuring it at 90% of all email traffic. It's a nuisance for users, a storage nightmare for admins, and often a vector for phishing attacks and malware. Using a defense in depth approach, this article provides steps an email administrator can take to protect their network from spam.

Step one - user training

Users should be educated on how their actions can lead to or reduce the amount of spam destined for their inbox. Using corporate email for personal use, subscribing to mailing lists, registering their email address for promotions and giveaways, and forwarding chain mails are all vectors that can lead to spam. Consider disabling HTML support to prevent remote-image downloads that can confirm to the sender that an address is valid, as well as to reduce the risk of email-based malware.

Step two - web content

Spammers frequently scan websites looking for embedded email addresses in contact information. Raise awareness with your web developers and establish a policy that all email addresses in web pages should be masked using JavaScript or other encoding that allows a person to click or read the address, but makes it more difficult for a spider to harvest it. Use contact forms when possible instead of displaying email addresses.

Step three - tighten up your SMTP gateway

Disabling the verify command (VRFY) on your SMTP gateway makes it that much harder for spammers to check for valid email addresses. If supported, implement a delay before your server responds to a new connection with its banner. Legitimate email servers will wait for the 220 response before trying to send email, while many programs/scripts used by spammers will not; your server can then drop email from such a misbehaving sender. If your SMTP gateway supports QUIT detection, configure it to drop email that it receives from a host that does not close the session properly. Legitimate email servers end a session with the QUIT command, but many programs/scripts used by spammers don't.
Step four - check for MX and SPF records

Email servers that can receive mail should all have valid MX records in DNS. Those that send email should also have SPF records. Sender Policy Framework (SPF) records are TXT records in a DNS zone that list the servers authorized to send email on behalf of a domain. Configure your SMTP gateway to check MX and SPF records when accepting an email, to verify that the connecting host is one that DNS says may send for the domain in the MAIL FROM address. You may have to soft-fail some messages until SPF gains in popularity, but this can help later lines of defense identify spam.

Step five - configure limits on your incoming SMTP gateway

Configure your email server to limit the number of addressees in an individual message and the total number of messages from a specific IP address during a set time, and to automatically reject any email from source IP addresses that violate these limits.

Step six - implement quality filtering software

Software should be added to the email system to perform anti-spam and anti-malware checks on messages before they get to the user's inbox. Look for features like reputation checking, keyword checking, Bayesian filtering, DNS blocking lists, attachment spam blocking, robust logging, archiving, and white/black/greylisting. You want software that can minimize false positives, maximize successful blocking, and that can be configured to always pass key communications from business partners if necessary. The software should also support user self-service for checking/releasing email, and recommendations for whitelisting to reduce the administrative overhead.

Step seven - keep your mail clients up to date

Many email clients have their own junk mail or spam filters and a special folder for storing messages identified as spam. It is critical to keep up with patches and updates to these client-based filters. Better server-based filtering solutions can work with the client software to deliver email identified as possible spam to the user's junk mail folder for easier user self-service.
Step eight - ensure your systems are not a part of the problem

Spammers love to take advantage of legitimate email systems to send their messages. Make certain that your system is not an open relay. Publish MX and SPF records covering all your outgoing traffic. Select filtering software that can perform the same services on outgoing email as it does for incoming, and set sensible limits on the number of emails a user can send and the number of recipients on a single message.

If your company uses mailing lists, make sure that they only use "opt-in" mailing lists that comply with the requirements of the CAN-SPAM Act of 2003. Act immediately on unsubscribe requests, and make sure that you remove addresses from the list that generate NDRs. Periodically requesting subscribers to confirm their opt-in also helps to ensure your emails are not viewed as spam.

▪ CAN-SPAM Act of 2003: http://en.wikipedia.org/wiki/CAN-SPAM_Act_of_2003
▪ MailRadar Open relay test: http://www.mailradar.com/openrelay/
▪ Email address munger/encoder: http://www.addressmunger.com/
▪ Tips to protect your network from spam: http://www.allspammedup.com/
▪ GFI anti-spam solution software can be found at http://www.gfi.com/mes

This guest post was provided by Ed Fisher.
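Steps four, five and eight all come down to decisions the gateway makes per connection, before a message body is accepted. The following added example in Python (my code, not Ed Fisher's and not any gateway product's implementation) puts them together: a minimal SPF evaluator supporting the ip4, a, mx, include and all mechanisms with the four qualifiers, run against a constructed DNS table instead of live lookups, plus a per-source limiter that caps recipients per message and messages per time window. The decision logic follows the article: a sender domain with no MX record is rejected, an SPF fail is rejected, and softfail, neutral or no-record results are accepted but tagged so the content filters of step six can weigh them. The domains, addresses and records in the table are constructed sample data, and the limits are assumed values.

```python
"""Inbound gateway checks for steps four, five and eight (added example)."""
import ipaddress
from collections import deque

# Constructed DNS zone data standing in for live lookups; no real domains implied.
DNS = {
    "example.com": {"MX": ["mail.example.com"],
                    "TXT": ["v=spf1 mx ip4:203.0.113.0/24 include:_spf.partner.example -all"]},
    "mail.example.com": {"A": ["198.51.100.25"]},
    "_spf.partner.example": {"TXT": ["v=spf1 ip4:192.0.2.10 ~all"]},
    "softy.example": {"MX": ["mx.softy.example"], "TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
    "nospf.example": {"MX": ["mx.nospf.example"]},          # MX present, no SPF record
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])

def spf_terms(domain):
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1"):
            return txt.split()[1:]
    return None

def host_has_ip(host, ip):
    return any(ipaddress.ip_address(a) == ip for a in lookup(host, "A"))

def evaluate_spf(client_ip, domain, depth=0):
    """Result for client_ip sending MAIL FROM <domain>: pass, fail, softfail,
    neutral, none (no record published) or permerror (nested includes too deep)."""
    if depth > 10:
        return "permerror"
    terms = spf_terms(domain)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms:
        qualifier = "+"                              # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_has_ip(arg or domain, ip)
        elif mech == "mx":
            matched = any(host_has_ip(mx, ip) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = evaluate_spf(client_ip, arg, depth + 1) == "pass"
        else:
            matched = False                          # mechanisms not modelled here are skipped
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                                 # no term matched and no "all" present

class GatewayLimits:
    """Step five caps plus the step four checks, applied at MAIL FROM / RCPT TO time."""
    def __init__(self, max_recipients=50, max_msgs=100, window_seconds=3600):
        self.max_recipients = max_recipients          # assumed policy values
        self.max_msgs = max_msgs
        self.window = window_seconds
        self.accepted = {}                            # client ip -> timestamps of accepted messages

    def decide(self, client_ip, mail_from_domain, recipients, now):
        if len(recipients) > self.max_recipients:
            return "reject: too many recipients"
        if not lookup(mail_from_domain, "MX"):
            return "reject: sender domain has no MX record"
        q = self.accepted.setdefault(client_ip, deque())
        while q and now - q[0] > self.window:         # slide the window forward
            q.popleft()
        if len(q) >= self.max_msgs:
            return "reject: rate limit"
        spf = evaluate_spf(client_ip, mail_from_domain)
        if spf in ("fail", "permerror"):
            return f"reject: spf {spf}"
        q.append(now)
        return "accept" if spf == "pass" else f"accept-tagged: spf {spf}"

if __name__ == "__main__":
    gate = GatewayLimits()
    print(gate.decide("203.0.113.77", "example.com", ["user@example.net"], 0.0))
    print(gate.decide("192.0.2.11", "example.com", ["user@example.net"], 1.0))
```

Rejected messages do not consume a source's quota, so a burst of oversized recipient lists does not also lock out the sender's legitimate traffic; whether that is the right trade-off depends on how aggressive your step-five policy is meant to be.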
Wrap up

Used together, these eight simple steps will help protect your network from spam and your users from malware, and greatly reduce the amount of junk email that reaches your users' inboxes, takes up valuable storage space, and adds to the load on your servers.