To address the question of whether or not to use data encryption when it comes to meeting HIPAA compliance and keeping patient health information (PHI) protected, let’s revisit the Health Insurance Portability and Accountability Act of 1996 (HIPAA): “A covered entity must, in accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information.” (45 CFR § 164.312(a)(2)(iv)) If you choose not to encrypt data, the HIPAA Security Rule states you must implement an equivalent solution to meet the regulatory requirement. The law leaves encryption open to interpretation, since covered entities vary in their networks and network usage depending on the type and size of the business. While HIPAA and HITECH address the security and privacy of PHI with a policy- and procedures-oriented approach and set no strict parameters for what type of technology to use, encryption is typically considered a best practice for protecting sensitive data. A few recommendations on data encryption: Don’t use public FTP (File Transfer Protocol) if you need to transfer patient data to and from payers or other business associates. To err on the safe side would be to combine two methods of encryption –…
In addition to redefining the scope and liabilities of business associates in the healthcare industry, the final HIPAA omnibus rule includes revisions to the penalties applied to each HIPAA violation category. While the American Recovery and Reinvestment Act of 2009 (ARRA) initially established a tiered penalty structure, it hasn’t been revised until now. Section 160.404 refers to the amount of civil monetary penalty as administered under the HITECH (Health Information Technology for Economic and Clinical Health) Act.

The original penalty structure used to be:

VIOLATION TYPE | MIN. PENALTY | MAX. PENALTY
Did Not Know | $100/violation; annual max of $25,000 for repeat violations | $50,000/violation; annual max of $1.5 million
Reasonable Cause | $100/violation; annual max of $25,000 for repeat violations | $50,000/violation; annual max of $1.5 million
Willful Neglect – Corrected | $10,000/violation; annual max of $250,000 for repeat violations | $50,000/violation; annual max of $1.5 million
Willful Neglect – Not Corrected | $50,000/violation; annual max of $1.5 million | $50,000/violation; annual max of $1.5 million

The new penalty structure is as follows:

VIOLATION TYPE | EACH VIOLATION | REPEAT VIOLATIONS/YR
Did Not Know | $100 – $50,000 | $1,500,000
Reasonable Cause | $1,000 – $50,000 | $1,500,000
Willful Neglect – Corrected | $10,000 – $50,000 | $1,500,000
Willful Neglect – Not Corrected | $50,000 | $1,500,000

One-time violations stay under $50k, but repeat…
The following is an excerpt from our PCI Compliant Data Center white paper, outlining only some of the PCI audited data center requirements. For a full list of the requirements, including high availability, secure network and secure server environment requirements, download our white paper today.

3.1.1. Requirements

3.1.2. PCI Audited Data Center Requirements

The following PCI compliant data center requirements are essential for a multi-layered approach to security and availability of critical data and applications. If outsourcing, ensure your PCI hosting provider offers each of the following:

3.1.2.1. Third Party Independent PCI DSS Audit Report

A PCI hosting provider should be willing to share a copy of their audit report under NDA to ensure they are following compliant policies and procedures. Ask your PCI hosting provider if they can provide a copy of their independent audit report detailing the controls implemented to meet the 12 PCI DSS requirements. According to the PCI Security Standards Council: For those entities that outsource storage, processing or transmission of cardholder data to third-party service providers, the Report on Compliance (ROC) must document the role of each service provider, clearly identifying which requirements apply to the assessed entity and which apply to the service provider. Be…
What is Two-Factor Authentication?

The simplest example may be the use of an ATM/debit card – this combines two factors: one is something you own (the card) and the other is something you know (the PIN). Employees and other users may need to log into a private network to access data from a remote location, using a VPN (virtual private network). In this scenario, one authentication factor is logging into a web-based system with a username and password. The second authentication factor may be a cell phone – with a smartphone, you can register your phone number with the system and receive a request to approve the login. Or, using a passcode sent via text message, you can log into the system with the randomized numbers delivered to your phone. You can even answer a phone call and press a key to confirm that you are the authorized account holder. Other authentication factors can be used as well – for example, biometrics relies on something specific to you, from a fingerprint to voice recognition. Or, you can use something physical you own, like a keyfob.

Who’s Using Two-Factor Authentication?

One well-known example of a company using two-factor is Google…