05-22-12 | Blog Post
We hear all about what went wrong when a (typically unencrypted) HIPAA violation occurs – who left what mobile device where – what data was made publicly available, who’s to blame. But what’s more important is remediation, and how someone or some organization chooses to react after the event in order to prevent future incidents.
HealthCareInfoSecurity.com reports on the recent Utah Department of Health breach in which foreign hackers were able to access and remove 24,000 files of electronic protected health information (ePHI) on a server due to a configuration error [read more about Server Hack Leads to HIPAA Violation by Utah Department of Health]. Utah Gov. Gary Herbert recently announced his action plan toward security and compliance:
The Office of the National Coordinator for Health Information Technology (ONC) recently revealed a ten-step plan for healthcare organizations to follow in order to protect PHI – the second step requires compliance-minded companies to:
Step #2 – Provide Leadership
Designate a privacy and security officer. This person will be responsible for developing and maintaining your privacy and security practices to meet HIPAA requirements. This person should be part of your EHR adoption team and be able to work effectively with others. In a very small practice, you may be the privacy and security officer or your practice manager may carry both roles. Be sure to:
While HIPAA has been around for 16 years, it hasn’t always been available in the form of an actionable plan, or even very easy to understand. The ONC has created a Guide to Privacy and Security of Health Information as a comprehensive roadmap to compliance and to understanding the implementation of the more complex legal requirements.
Another great guide to outsourcing your HIPAA hosting to a third-party business associate is Online Tech’s HIPAA Data Centers white paper. The document addresses cost-benefits and other advantages of outsourcing while weighing them against the risks.
It also provides valuable technical and business advice for any healthcare organization that needs to secure ePHI while meeting compliance standards, with an example BAA (business associate agreement) and a data center cheat sheet simplifying what each audit means. Download the white paper here.
If you prefer to hear a dialogue between experts on the subject, including attorneys specializing in Health IT, sign up for our free, upcoming webinars scheduled in June. Find more details here:
FDA Regulation of Mobile Health Devices
Healthcare Security Vulnerabilities
References:
Utah Breach: Governor Takes Action
ONC’s Guide to Privacy and Security of Health Information (PDF)