The University of Rochester Medical Center (URMC) reported breaches – in 2013 and 2017 – after it discovered that protected health information (PHI) had been disclosed through the loss of an unencrypted flash drive and the theft of an unencrypted laptop.
The Office for Civil Rights (OCR) determined that URMC had failed to conduct risk assessments, implement sufficient IT security measures, and use device, media and encryption controls. URMC was held accountable to the tune of $3 million, plus corrective actions, to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," Roger Severino, OCR Director, said in a Nov. 5, 2019, press release from the U.S. Department of Health and Human Services (HHS). "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect."
This settlement is but one of many examples. Don’t let it happen to your organization. Healthcare leads all industries in cybersecurity attacks and data breaches. Frustratingly, most incidents originate inside the organization.
Technical, physical and administrative safeguards to protect sensitive information are mandated by HIPAA 2020. Your organization is required to complete self-audits, and to vet vendors carefully.
Don’t make the mistake of thinking your organization’s data breach will be covered by general insurance. Insurance is often contingent on performing risk assessments, which are also required by HIPAA, and it’s a good idea to get help with this from an experienced third party like Emerge IT services.
Organizations working in healthcare must implement “reasonably appropriate” protections to secure patients’ personal health information. Reasonably appropriate protections include:
A healthcare organization must conduct six self-audits a year, and five for business associates. These audits include:
Before a healthcare organization is permitted to share PHI with business associates (BAs), it has to vet the BAs’ security measures to make sure PHI protection is in line with HIPAA standards. This can be done through a Vendor Questionnaire. If you do not vet your vendors, you can be held responsible when one of your BAs incurs a healthcare data breach.
In addition, a Business Associate Agreement, a legal document stating that each party agrees to be HIPAA-compliant and that each is responsible for its own compliance, must be executed, or both entities will be held responsible regardless of which one has a security breach.
Social media is an often-missed area of HIPAA compliance concerns. Social media must be treated as another communication channel in your organization. Potential violations include: sharing patient photographs without written consent, posting rumors, or publishing any patient health information.
Cybersecurity threats in healthcare are real, and failing to comply with HIPAA standards can have costly consequences. Emerge IT services can assess all of your network and PHI cybersecurity needs. For more information, give us a call at 859-746-1030.