Are you familiar with state-level security breach laws that apply to your business? Organizations focused on HIPAA-HITECH compliance also need to be aware of the importance of understanding and abiding by state law pertaining to security breaches, not only in the state in which your business is headquartered, but in every state in which you operate.
Archive | August 2011
HIPAA violations just got more serious. In February, we discussed how the Office for Civil Rights (OCR) was ramping up HIPAA enforcement when it announced two HIPAA enforcement actions in one week.
On February 22nd, OCR announced that Cignet had failed to provide patients with copies of their records when requested, and then opted not to cooperate with OCR’s investigation. One of the requirements under the HIPAA Privacy Rule is that covered entities (e.g. doctors’ offices, hospitals, etc.) must provide patients with a copy of their medical records within 30 days, and no later than 60 days, of a patient request. HIPAA also requires covered entities and business associates to cooperate with federal investigations. Cignet’s total penalty was $4.3 million.
Listen to our recent Podcast hosted by HealthcareInfoSecurity.com’s Executive Editor, Howard Anderson. Receive Data Breach Planning Notification Tips – How to Avoid Creating Unnecessary Risk and more… Benefit from our expertise! Check out our upcoming webinar on 5/18/2011 – How To Establish Your Data Breach Notification Program …
In its April 1, 2011 meeting, the Privacy & Security Tiger Team (of the Office of the National Coordinator for Health Information Technology) continued its focus on completing a HIPAA Security Risk Analysis and addressing any deficiencies found in that assessment. Seeking ways to promote EHR security, the committee reaffirmed that “…in Stage 1 of Meaningful Use, Eligible Providers and Eligible Hospitals are required to conduct or review a security risk analysis in accordance with the HIPAA Security Rule and implement security updates as necessary and correct identified security deficiencies as part of the risk management process…”.
Is encryption required by HIPAA, by HITECH? Will HHS/OCR audit my encryption program?
Learn about Clearwater’s Proven Approach to HIPAA-HITECH Security Compliance Assessment…
The language of the HIPAA Security Final Rule, at 45 C.F.R. § 164.308(a)(8), is clear: you must periodically evaluate whether your security policies and procedures meet the Rule’s requirements, and repeat that evaluation whenever your environment or operations change in a way that affects the security of ePHI.
Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.
(Reprinted with permission, copyright 2011 ID Experts, All Rights Reserved)
Statistically, only a minority of data breaches result in large-scale identity theft, but a study by the Ponemon Institute found that more than 86% of those affected by a data breach fear a negative effect on themselves and their families, and over 58% felt the breach had diminished their trust in the organization reporting it. To ease these fears and restore confidence in the organization, many businesses contract with third-party providers to offer identity theft protection and recovery services to the individuals affected. Unfortunately, the unfair or deceptive practices of some identity theft service providers can do more harm than good to customer perceptions, so businesses need to choose providers who adhere to industry best practices.
Oh no! Not again! The California Department of Managed Health Care is currently investigating the security practices of insurer Health Net after nine server drives went missing from the company’s California data center. Currently 1.9 million individuals are being notified about the potential breach of their personal health information, an incident that could be the largest breach reported under the HITECH Act breach notification rule since it took effect in September 2009.
Evidence continues to mount that the Office for Civil Rights is incredibly serious about safeguarding our personal and private health information, technically known as Protected Health Information (PHI). In her budget submission cover letter, Georgina C. Verdugo, Director of the Office for Civil Rights, wrote:
In yesterday’s NY Times, Milt Freudenheim joined a long line of journalists jumping on the HIPAA HITECH bandwagon in his article entitled “Breaches Lead to Push to Protect Medical Data”. I was, of course, tickled to read the opening two sentences … “Federal health officials call it the Wall of Shame. It’s a government Web page that lists nearly 300 hospitals, doctors and insurance companies that have reported significant breaches of medical privacy in the last couple of years.” In our March 2010 eNewsletter, we coined the term “Wall of Shame” and are pleased to see that Federal Officials and the NY Times find it an apropos term for the data breachers who have actually convinced themselves they created significant risk of harm for individuals affected by the breach!