BreachExchange mailing list archives

HIPAA Crackdown on Security Hacks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 20 Apr 2015 18:21:07 -0600

http://www.workforce.com/articles/21256-hipaa-crackdown-on-security-hacks

Health care security breaches are on the rise with headline-making hacks at
insurer Anthem Inc. and NewYork-Presbyterian Hospital, giving employers
reason to be concerned.

This year, the Department of Health & Human Services’ Office for Civil
Rights is conducting Health Insurance Portability and Accountability Act,
or HIPAA, compliance audits, and HR departments need to prepare, according
to Gordon Rapkin, CEO of Archive Systems Inc., an HR document manager based
in Fairfield, New Jersey. The office hasn’t announced when audits will
commence.

“Employers need to know that they are obligated to protect this
information, they must show that they are capable of protecting this
information and prove that their employees have been trained to do so,”
Rapkin said. “You must be able to prove all that in a very short window of
time if you’re unfortunate enough to be selected for an audit.”

In 2011 and 2012, the HHS conducted a pilot phase of the audits, selecting
150 “covered entities,” which include providers and health plans, along with
the employers that sponsor them, according to the HHS. Those chosen have 10
business days to provide supporting documents, Rapkin said.

“You don’t want to be in a situation where you are tagged for an audit and
can’t respond in a timely fashion,” he said. “That triggers fines, and the
fines have been hefty. It’s like a disaster plan. It’s incumbent on
organizations to have one in place.”

In 2014, Columbia University and NewYork-Presbyterian Hospital were fined a
combined $4.8 million for failing to secure the health records of more than
6,000 patients. In 2013, Anthem Inc. (then known as WellPoint Inc.) was
fined $1.7 million when the health records of more than 600,000 patients
were made available to unauthorized users.

Rapkin urged employers that have not yet conducted a HIPAA risk assessment
to do so as soon as possible.

He said employers should focus on training employees to understand HIPAA
policies and procedures and take an inventory of safeguards to protect
physical and electronic information. If a breach occurs, employers must be
vigilant about notifying individuals whose information was compromised.

“In the past it was easier to sweep things under the rug,” he said. “You
can’t hide by saying, ‘Well someone left a laptop at Dunkin’ Donuts, but we
don’t know if it’s been breached.’ You must notify any individual affected
even if you only have reason to believe that you’ve been breached.”

Initially HIPAA was about health information portability — the ability to
take records from one vendor or provider to another, he said. “It advanced
to be much more about security as requirements like the HITECH Act came
into play.”

The HITECH Act, or Health Information Technology for Economic and Clinical
Health Act of 2009, required that organizations publicly report breaches
that involve more than 500 patients, increased fines for violations,
mandated that the HHS conduct audits, and extended the rules to third
parties that work with health care organizations.