HIPAA has been around for 20 years and organizations subject to HIPAA, for the most part, have developed practices and rules to ensure that Personal Health Information (PHI) is only shared with appropriate people/organizations. This handling of the HIPAA data is detailed in the “Privacy Rule” -
The Privacy Rule protects individuals' PHI. These rights include
As important as the Privacy Rule is in ensuring PHI is shared only with the appropriate parties, the Security Rule ensures that the appropriate (given the organization's size and complexity) information security technologies and processes are in place to ensure PHI is not compromised. In other words, the Security Rule provides for safeguards that ensure the security of the data, namely its confidentiality, integrity and availability, is maintained.
Security of PHI, as well as PII (Personally Identifiable Information), is commonly left to the IT organization (internal or external). However, the security of the data is as important as its privacy and, as with the Privacy Rule, failure to comply with the regulations can lead to fines and other penalties. Protecting confidential data is a business requirement of healthcare organizations and must be given the attention and resources it deserves.
Organizations of all sizes have been fined for failure to comply with the Security Rule. For example, large organizations are fined for lacking robust technical security technology and processes. Anthem, Inc. was fined $16 million in October for “Risk Analysis failures; Insufficient reviews of system activity; Failure related to response to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access”. In addition, small organizations are also beginning to incur significant fines for failure to have basic practices in place. The Pagosa Springs Medical Center was fined $111,400 in December 2018 for failure to terminate an employee's remote access. It is important to note that this is a process failure, not a technology failure.
It's time for all healthcare organizations that are subject to HIPAA, regardless of size, to actively begin managing their data security. Size or lack of understanding of the requirements to protect patient data is not an excuse and will not absolve any organization from penalties, not to mention the impact on their patients'/customers' trust.
Deeper Solutions LLC focuses on helping organizations subject to HIPAA build security strategies and document controls (compliance). Deeper Solutions provides strategies appropriate to an organization's size and complexity. Deeper Solutions can be reached at 703 861 6836 or info@Deepersolutions.net