We’ve just launched our latest white paper on HIPAA Compliance! This white paper is ideal for executives and IT decision-makers seeking a primer as well as up-to-date information on HIPAA compliance best practices and specific technology recommendations, including cloud-based HIPAA compliant hosting options.
Read below for an excerpt on what a HIPAA violation is:
There are all kinds of HIPAA violation cases out there. Whether they violate the security, administrative or technical safeguards, data breaches tend to follow certain patterns, as can be seen from research on the HHS-reported breaches affecting 500 individuals or more.
| VIOLATION TYPE | EACH VIOLATION | VIOLATIONS OF AN IDENTICAL PROVISION IN A CALENDAR YEAR |
|---|---|---|
| Individual didn’t know they violated HIPAA | $100 – $50,000 | $1,500,000 |
| Reasonable cause and not willful neglect | $1,000 – $50,000 | $1,500,000 |
| Willful neglect but corrected within time | $10,000 – $50,000 | $1,500,000 |
| Willful neglect and not corrected | $50,000 | $1,500,000 |
According to the final HIPAA modifications, in applying these amounts the Department will not impose the maximum penalty in all cases, but will instead determine the penalty amount based on the nature and extent of the violation, the nature and extent of the resulting harm, and other factors.
Although this may be partly because breaches of encrypted data do not have to be reported, the vast majority of reported data breaches involve stolen or lost data that was unencrypted. A common theme is the data archiving method of using backup tapes to store patient health records.
While increasing and monitoring the security of storage facilities is important, another alternative is cloud-based IT disaster recovery. By eliminating tape backup, cloud disaster recovery can improve recovery time objectives (RTO), restoring your server data and applications in hours.
Two separate cases involved an employee leaving unencrypted backup tapes containing PHI in a vehicle parked off-premises. Another case was due to employees mistakenly sending PHI to contractors who then posted the information publicly online. Still others involve disclosing personally identifiable sensitive information on social media networks.
Training employees on company security policies and procedures, and documenting and monitoring their adherence to them, is extremely important and one of the easiest preventative actions an organization can take to avoid a data breach. While you should train your own employees, remember that part of your due diligence in checking your business associates’ compliance is also verifying that their employees have been trained. Ask your HIPAA hosting provider for the latest dates of their employee training.
Almost half of all data breach types (49 percent) can be attributed to the theft of physical records. When portable devices are unencrypted or not properly secured by passwords, PINs and other security methods, the risk of a PHI breach increases considerably. Additionally, if you’re not backing up your data frequently, you can lose a lot of valuable patient records if you lose your laptop, smartphone, etc.
One solution is using a HIPAA compliant data center to host your data and applications securely in an offsite location with the appropriate technical, physical, logical and network security in place. With limited remote access, your data is kept off your personal and portable devices while your servers are managed and monitored by trained professionals.
Sixty-two percent of data breaches involved a business associate, according to HHS.gov, making the vendor selection process an essential step toward achieving full compliance.
Another mistake made in many HIPAA violation cases concerns the timing of notification to HHS and affected individuals. HHS requires extensive documentation within 10 days of a data breach, with at least 15 specific components relating to the covered entity’s internal investigation, policies and procedures, physical safeguards, risk assessment, and breach notification.