In the Wake of a Healthcare Data Breach

We hear all about what went wrong when a (typically unencrypted) HIPAA violation occurs – who left what mobile device where – what data was made publicly available, who’s to blame. But what’s more important is remediation, and how someone or some organization chooses to react after the event in order to prevent future incidents.

HealthCareInfoSecurity.com reports on the recent Utah Department of Health breach in which foreign hackers were able to access and remove 24,000 files of electronic protected health information (ePHI) on a server due to a configuration error [read more about Server Hack Leads to HIPAA Violation by Utah Department of Health]. Utah Gov. Gary Herbert recently announced his action plan toward security and compliance:

1. Replaced the state’s chief technology officer
2. Hired Deloitte & Touche to conduct an independent security audit (also known as an independent HIPAA audit) across all of the state agencies
3. Encryption of not just data in transit, but all stored data
4. Plans to hire a public relations firm to help handle crisis communications
5. Improvement of security controls, including network monitoring and intrusion detection capabilities
6. Created a new position – a health data security ombudsman (may also be known as a privacy and security officer) to deal with affected individuals

The Office of the National Coordinator for Health Information Technology (ONC) recently revealed a ten-step plan for healthcare organizations to follow in order to protect PHI – the second step requires compliance-minded companies to:

Step #2 – Provide Leadership
Designate a privacy and security officer. This person will be responsible for developing and maintaining your privacy and security practices to meet HIPAA requirements. This person should be part of your EHR adoption team and be able to work effectively with others. In a very small practice, you may be the privacy and security officer or your practice manager may carry both roles. Be sure to:

• Record the assignment in a new security documentation, even if you are the officer.
• Discuss your expectations and their accountability. Note that you, as a covered health care provider, retain ultimate responsibility for HIPAA compliance.
• Enable your designated security person to develop a full understanding of the HIPAA Rules so (s)he can succeed in his/her role.

While HIPAA has been around for 16 years, it hasn’t always been available in the form of an actionable plan, or even very easy to understand. The ONC has created a Guide to Privacy and Security of Health Information as a comprehensive roadmap to compliance and to understanding the implementation of the more complex legal requirements.

Another great guide to outsourcing your HIPAA hosting to a third-party business associate is Online Tech’s HIPAA Data Centers white paper. The document addresses cost-benefits and other advantages of outsourcing while weighing them against the risks.

It also provides valuable technical and business advice for any healthcare organization that needs to secure ePHI while meeting compliance standards, with an example BAA (business associate agreement) and a data center cheat sheet simplifying what each audit means. Download the white paper here.

If you prefer to hear a dialogue between experts on the subject, including attorneys specializing in Health IT, sign up for our free, upcoming webinars scheduled in June. Find more details here:
FDA Regulation of Mobile Health Devices
Healthcare Security Vulnerabilities

References:
Utah Breach: Governor Takes Action
ONC’s Guide to Privacy and Security of Health Information (PDF)