Intelligence Advisory
Protecting Sensitive Healthcare Data

The Facts

Overall data breaches in 2008 climbed to an all-time high, up 69% over the same period a year earlier.

Healthcare/medical breaches were up again this year, with 155 reportable data breaches.

Over 80% of all data breaches were electronic; the remaining 20% were paper/physical breaches.

Insider thefts rose 263% over the same period a year earlier.

In July 2008 an organization required to comply with HIPAA agreed to pay a $100,000 HIPAA fine, and to improve its medical data security, after failing to properly secure data backup tapes, disks and laptops.

Who's Responsible?

One common question concerns the responsibility of software developers. According to Edward Maggio, Professor of Criminal Justice at the New York Institute of Technology, “Software developers have a legal obligation to ensure their products and services follow government regulations and industry standards. Developers that attempt to avoid liabilities that may arise with their customers through disclaimers and contract phrases may be acting unethically and illegally.” He went on to explain, “Imagine if building contractors built structures not up to code and then attempted to thwart a future lawsuit by arguing they used disclaimers.”

Bottom Line

Perhaps the single most important part of complying with HIPAA is having a genuine information security program in place, managing it actively, and documenting every step taken to meet compliance (audits, assessments, remediation).

Content Contributor:
Technolytics www.technolytics.com

Technolytics is a security research and intelligence provider and Solutionary's partner.


Thousands of US organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. If your organization is one of them, it is critical that you understand the rule and take the necessary steps to become compliant.

Organizations that do not comply with the HIPAA security requirements are subject to two types of penalties. Civil penalties are $100 per violation, up to $25,000 per year for each requirement violated. Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in prison.

In addition, HIPAA violations can bring organizational consequences with even greater impact.

Loss of Certification:
For hospitals, a real consequence of failing to manage HIPAA compliance is the loss of Joint Commission certification. Loss of certification can lead to procedural restrictions, Medicare and Medicaid reimbursement difficulties, and increased insurance costs.

Negative Publicity:
Organizations that violate the security requirements by not adequately protecting their customers' healthcare data may find themselves the subject of media scrutiny (websites, newspapers, radio, television).

Loss of Customers:
Patients are now aware of their rights under HIPAA and want their electronic protected health information (EPHI) protected. Patients whose healthcare records are breached are likely to move to other healthcare providers. Other potential customers may avoid doing business with organizations they believe do not adequately protect EPHI. Word of mouth is an influencing factor, and negative opinions will affect an organization's performance.

Business Relationship:
The HIPAA requirements state that a covered entity may permit another organization to create, receive, maintain, or transmit EPHI on its behalf, but only if that organization can appropriately safeguard the sensitive information. Those with whom you have a business relationship may be unwilling to exchange EPHI with you if they feel you do not adequately protect the data.

Legal Liability:
The federal government has put forth a set of requirements prescribing how EPHI must be protected.  Attorneys are prepared to use these requirements to file civil suits against organizations that are not compliant. 

Organizations must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of their electronic protected health information against any reasonably anticipated risks. Several businesses that thought they were not required to comply with HIPAA found out they were wrong: in several instances, the HR department handled healthcare claims, sickness/maternity leave requests and other healthcare-related processes that required compliance with the HIPAA information security requirements. Even organizations that do not fall under HIPAA should be aware of state data breach/protection regulations that still apply.

For more information about HIPAA and other compliance and security issues contact Solutionary today.

866.333.2133 | www.solutionary.com