
  • In 2013, a covered entity reported to the U.S. Department of Health and Human Services Office for Civil Rights that one of its workstations was infected with a malware program. This resulted in the impermissible disclosure of 1,670 individuals’ electronic protected health information. The ePHI included names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses and procedure codes.

    The covered entity, a hospital in the Northeast, determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because the organization did not have a firewall in place.

    This is a common, basic compliance lapse among covered entities. So, let’s examine the HIPAA settlement related to this organization to better understand how you can improve your HIPAA compliance program.

    From the Experts, Security, Solutions


    The Bar for HIPAA Compliance

    Chief Executive, ecfirst

    Based on the frequency and amount of HIPAA fines in 2016, one thing is clear, very clear: the lack of a credible HIPAA compliance program for an organization today will lead to an increase in business risk.

    Multiple alleged HIPAA violations resulted in a $2.75 million settlement with the University of Mississippi Medical Center (UMMC). HIPAA fines are typically in the seven figures. In addition, a settlement always includes a corrective action map (CAP), which requires a comprehensive HIPAA compliance program, with mandated attestation from an organization’s officer over the duration of the CAP period. The CAP period is typically a minimum of two years, and more likely three.

    The recommendation to senior leadership: select a security framework and establish HIPAA compliance within the context of that framework. There are essentially three options for security frameworks: HITRUST, ISO 27001 and NIST. I would recommend HITRUST. Be deliberate, disciplined, and steady to get HITRUST certified.

    Senior executives must treat HIPAA compliance as a life-cycle, as a process. It will lower business risk!

    Let’s examine the settlement related to UMMC to better understand how this impacts where you need to set the bar for HIPAA compliance based on Office for Civil Rights (OCR) enforcement of the regulation.

    From the Experts
