Medical Providers: You May Be in Violation of HIPAA & HITECH Security Laws and Not Know it…Yet!

How well do you know the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act? How about the penalties for noncompliance? As a covered entity under HIPAA, a medical provider is responsible for any data breaches caused by its business associates (BAs), such as those who handle eligibility, enrollment, claims management, and IT services for the plan.

The penalties for HIPAA/HITECH violations and data breaches have grown in severity over the past few years, from a maximum of $25 thousand to $1.5 million. Add the cost of class action lawsuits, cyber incident response, remediation, and media notification, and we’re talking millions! Basic cyber security practices are needed to protect the confidentiality, integrity, and availability of health information in electronic health record (EHR) systems, regardless of how they are delivered—whether installed in a provider’s office or accessed over the Internet.

Ensure You Comply with MU Privacy & Security Requirements
The HITECH Act promotes the adoption and meaningful use (MU) of health information technology and adds new protections to the regulations under the original 1996 HIPAA authority. These regulations include extending enforcement to BAs as well as covered entities and setting new limits on the use and sale of individuals’ information. As healthcare providers, it’s important not only to understand the rules, but to take the appropriate measures to protect and secure information, and to educate staff and patients on new policies and procedures. The real issue is the time it takes medical providers to enforce the requirements associated with HIPAA/HITECH. The challenges expressed by most providers include:

• Getting the employees properly trained
• The cost associated with meeting the requirements
• Obtaining the new software and other IT resources
• Understanding all of the requirements
• Encrypting data appropriately
• Approaching and monitoring BAs

Identify Risks to Your Medical Practice
As a cyber security company, we highly recommend hiring a professional to help implement the requirements. Security professionals are trained to identify security vulnerabilities and threats, and to assess the business operations and employee habits and practices that can place ePHI at risk. At a minimum, you can conduct a security review by enforcing the following requirements:

• Assign a Security Officer
• Conduct a Security Risk Analysis
• Develop an Action Plan
• Develop clear and meaningful training
• Understand BA relationships and agreements

Initiation and maintenance are the two important phases of setting up the appropriate safeguards. This includes identifying risks and implementing a strong mitigation strategy that is monitored, cyclical, and continuously reassessed, especially as IT software and applications are updated or replaced.