Companies that routinely store sensitive health or other personally compromising data, and that do not employ adequate IT security measures to protect that data, are putting themselves at risk of a HIPAA audit. What is a HIPAA audit, you may ask? It is when the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), citing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules, sends you a notice that states, in part, “your organization has been selected for a desk audit of your compliance with the HIPAA Rules.” The OCR then requests that you upload, through a link to one of its own secured servers, certain compliance documents showing that your organization is taking the appropriate and lawful actions and measures necessary to protect the protected health information (PHI) and other sensitive data of your clients, patrons or other customers whose health information privacy may be compromised.
How Do I Know If I Am in Compliance?
This is a question many organizations (or their CIOs and CISOs) are (or should be) asking, following the recent settlements reached with Oregon Health & Science University (OHSU) and the Catholic Health Care Services of Philadelphia (CHCS) regarding the theft and exploitation of sensitive data on their patrons — and thousands of patients in the OHSU case. The sensitive data and incidents involved included:
- Patient medication schedules (CHCS)
- Patient diagnoses and procedures (CHCS)
- Patient social security numbers (CHCS and OHSU)
- Information regarding family members and guardians (CHCS)
- Unauthorized use of unencrypted spreadsheets of patient information over Google (OHSU)
- Daily surgery schedules on a laptop stolen from an OHSU surgeon (OHSU)
- Patient names, genders and ages (OHSU)
- Medical record numbers and types of surgery (OHSU)
- Surgery dates, times and locations (OHSU)
- Names of the surgeon and anesthesiologist (OHSU)
The total settlements, or HIPAA fines, were $2.7 million for Oregon Health & Science University and $650,000 for CHCS of Philadelphia.
2016 — a Banner Year for HIPAA Fines
The misappropriation of HIPAA-protected data has already resulted in more than $9 million in fines by mid-2016. Two more healthcare organizations have recently panicked over their own IT data thefts — University of Mississippi Medical Center in Jackson, Miss., and Granger Medical Clinic in West Valley City, Utah — involving, respectively, yet another stolen, unencrypted laptop and 2,600 paper medical records that were scheduled for shredding but went missing. These are two more healthcare entities that could face HIPAA audits or fines should the loss of the data be deemed an egregious enough breach after investigation.
Business Associates and “Covered Entities”
CHCS of Philadelphia is deemed a “Business Associate” under HIPAA law because it provides ongoing management and IT services to six skilled nursing facilities. Business Associates of “covered entities” such as healthcare facilities and university hospitals can be held liable in the event of a breach or a violation of the security measures mandated under the HIPAA rules. According to HHS.gov, “A ‘business associate’ is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
If you are a CIO or CISO of an SME or larger corporate entity, and your organization is in a potentially high-risk security situation involving large databases of personal health information, get secure with adequate IT security measures that will pass a HIPAA audit. QualityIP is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks and news. Contact us at (330) 931-4141 or send us an email at [email protected] for more information.