Thursday, January 5, 2012

New privacy and security requirements increase potential legal liability—and jeopardize brand reputation.

Protect personal health information in motion, in use and at rest with HP access, authentication, authorization and audit solutions.
Executive summary
According to a 2008 study by the independent privacy, data-protection and data-security technologies research firm Ponemon Institute, the healthcare industry is among the top three industries most frequently victimized by data breaches [1]. Healthcare entities have largely ignored the Health Insurance Portability and Accountability Act (HIPAA) and the associated security framework necessary to safeguard protected health information (PHI). But the newly implemented HITECH Act gives HIPAA new life. The Act emphasizes accountability, raises breach response costs and increases penalties for data breach to as high as $1.5 million. Not only can a data breach carry huge medical and financial risks to the people whose data is lost—it can also severely damage a healthcare entity’s brand.
Many organizations think that traditional IT security and compliance are sufficient safety measures for PHI. However, a recent study by PricewaterhouseCoopers [2] found that only 5 percent of data breaches are caused by malicious cyber attacks, almost 55 percent are linked to human error and 44 percent are due to third-party handling of data. The study also revealed that 70 percent of all organizations do not have an accurate inventory of where personally identifiable information (PII) in their custody is stored. Given the complex web of organizations involved in providing healthcare services, this is a critical issue for the healthcare industry.
HIPAA and the HITECH Act
In 2009, the new Health Information Technology for Economic and Clinical Health (HITECH) Act took effect. HITECH requires healthcare organizations to take more responsibility for protecting patient records and health information. The Act widens the scope of privacy and security protections available under HIPAA, increases potential legal liability for non-compliance and provides more enforcement of HIPAA rules. The HITECH Act seeks to streamline healthcare and reduce costs through the use of health information technology, including the adoption of electronic health records.

HIPAA - 10 Things To Know About HIPAA

  1. The Health Insurance Portability and Accountability Act of 1996 is a law. The law was passed in 1996 and mandated that DHHS draft specific regulations to facilitate compliance with the law's provisions (Administrative Simplification; Privacy; Security; Unique Identifiers; etc.).
  2. All HIPAA compliance efforts should be documented and memorialized in some fashion.
  3. Covered Entities include those healthcare providers, health plans, and healthcare clearing houses that transmit information electronically, in accordance with the Electronic Transactions Standard. Once deemed "covered," these entities are subject to the Privacy and Security regulations, regardless of the form of the "protected health information."
  4. HIPAA is TECHNOLOGY-NEUTRAL: No specific technology is required for compliance, and the regulations were drafted to be scalable to each covered entity's individual needs.
  5. Third parties (vendors, industry partners, business associates, etc.) are not directly regulated under HIPAA (unless they are also "covered entities"). The burden falls on the "covered entity" to obtain assurances that third parties with access to protected information will maintain the appropriate levels of privacy and security.
  6. No private right of action exists under the HIPAA Regulations. However, state law claims (breach of privacy, breach of duty, negligence, etc.) may be bolstered by evidence of non-compliance with the Federal Regulations.
  7. Organization-wide education is crucial to compliance efforts. Don't underestimate the power of adequate and appropriate training.
  8. Keep track of compliance dates and implementation deadlines. Because of the dynamic nature of the regulations, this specific task should be assigned to someone in each organization. Keeping up to date with the changes and proposed modifications will also be a good measure of the industry response to the regulations, and may provide guidance with respect to implementation efforts.
  9. Seek inter-industry assistance with compliance efforts. Compliance efforts should include internal assessments, regardless of outside assistance. Achieving compliance will require more than outside "certification"; it is an organization-wide effort. Seeking compliance and implementation assistance may be helpful, but such measures serve limited purposes: an "internal" understanding and the practical application of policy and process modifications will require internal change. Compliance efforts should, however, include industry partners with respect to acquiring knowledge, training, technology (where appropriate) and additional assistance.
  10. HIPAA does not necessarily preempt state laws. The regulations were drafted to work in conjunction with State Privacy and Security Laws/Regulations. More stringent state privacy and security laws will remain in effect. Seek assistance from internal or outside counsel to avoid redundant and unnecessary compliance efforts, and to ensure proper measures are taken to achieve compliance with the Federal Regulations.