Who would have thought back in 1990 that someone in China or Russia or anywhere would be able to steal health information in a hospital in Anytown USA and even hold it for ransom.
Healthcare seems to be the #1 target for hackers and ransomware and there are two (2) main reasons that make up the root cause.
Since we are talking about healthcare information we must talk about protected health information (PHI) and the HIPAA-HITECH-OMNIBUS Privacy, Security, and Breach Notification Rules. BI and Big Data analysis that includes PHI and its use and disclosure must be reviewed against the HIPAA security and privacy requirements and the breach notification requirements.
The numbers of individuals involved in recent breaches have been huge in relation to the magic number of 500. We all read about breaches involving millions of individuals. Some of the recent cyber attacks have potentially resulted in numbers up to 10 million. Compare that to 500, and you have to wonder if that metric is going to increase, and where will it all end. How big can future breaches become?
Journal of Healthcare Information Management – (JHIM) – Winter 2015 Used by permission from HIMSS. Download the JHIM PDF version of this article The authors have written a number of JHIM columns regarding HIPAA-HITECH-Omnibus, (HIPAA ,Heath Insurance Portability and Accountability Act; HITECH, Health Information Technology for Economic and Clinical Health) etc., and have focused at […]
It is hard to believe that the HIPAA Security Rule was written when most medical records were only in hard copy format. Today, HIPAA CEs and BAs must make sure they understand their current vulnerabilities that could impact how they protect PHI. We read about PHI breaches on a regular basis, and some have been huge. This kind of news has certainly caught the attention of healthcare leaders. The key is to continually have a program in place to assess changes that result from innovation and try to stay one step ahead of related potential vulnerabilities.
Could your organization be selected for an audit? The answer is obviously yes. So how do you prepare? We recommend that your organization conduct a document review and organize all your HIPAA privacy, security, and breach notification policies, procedures, plans and evidence of due diligence in one place for easy access to provide to OCR. Remember that OCR only provides a two-week notice. If your organizations documentation is not organized, two weeks may not be enough time to get ready for the audit.
The Omnibus Rule outlines significant changes to the relationships between covered entities and business associates, leading to a variety of compliance and vendor management challenges. This webinar provides attendees with an understanding of what has changed for business associates with the Omnibus Rule, and discusses how it changes the relationship between provider and vendor.
On January 25, 2013, the Office for Civil Rights (OCR) published their long awaited updates to the HIPAA Privacy and Security Rules. The formal name of the rules is “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule,” known to those that must implement its provisions and deal with its enforcement as the Omnibus Rule.
We should all know by now that the Office for Civil Rights (OCR) has been mandated to audit all HIPAA Covered Entities (CEs) and Business Associates (BAs), and we now know the main ingredients of the audits, the protocols, which are subject to change over time based on audit results. All CEs and BAs should begin a process now to prepare for an OCR audit based on the most current protocols. Why? Because once the OCR notifies you that your organization will be audited, you only have a couple of weeks to prepare.