Any healthcare organization that stores, processes or transmits personal health information (PHI) is required to comply with the Health Insurance Portability and Accountability Act and safeguard all protected data. The related HITECH Act mandates securing a new regime of electronic health records (EHR) — and prescribes stiff penalties for organizations that fail to do so.
HIPAA features three components related to data protection: the Security Rule, the Privacy Rule and the Breach Notification Rule. Each one is encompassed by the overarching Omnibus Rule, which took effect in 2013 and ushers in enforcement of business associates for the first time.
This rule dictates the administrative, physical, technical controls necessary to secure electronic protected health information (ePHI), whether it is created, maintained, stored or in transit. Among the requirements: Covered entities and business associates must conduct risk assessments and prevent against unauthorized access.
This rule institutes safeguards for the control of personal health information, no matter its format: oral, written or electronic. Broadly, it sets limits for the disclosure of patient information without their consent and spells out the rights patients have over their data.
This rule orders HIPAA-covered entities and their business associates, in the event of a data breach involving ePHI, to notify affected individuals, the secretary of the U.S. Health & Human Services Department (HHS) and, in some cases, prominent media outlets – unless they can prove there is a low risk of compromise based on a risk assessment.
People expect healthcare organizations to keep their personal health information confidential and safe from data breaches and other exploits. Healthcare organizations also have self-interest at heart because penalties for non-compliance with HIPAA / HITECH can be substantial. In cases of “willful neglect,” a HITECH penalty can be at least $50K per violation up to a total of $1.5 million in a calendar year. Other breach-related costs will be incurred for discovery and containment, investigation of the incident, remediation expenses, attorney and legal fees, loss of customer confidence, lost sales and revenue, brand degradation, and so on. Compliance is a serious responsibility on many levels.
Your organization’s compliance program should address two issues: (1) selecting and deploying security controls that meet HIPAA / HITECH requirements, and (2) providing a way to regularly audit the status of those controls to ensure continuous protection of PHI and EHR, and ongoing compliance. Providing an independent assessor with audit-quality documentation of these steps and your security measures simplifies compliance audits.
You have questions? Contact us today, we’re here to help. Just submit your details and we’ll be in touch shortly.