With HIPAA, Inaction Can Cost You
- Diane Evans
- 1 day ago
A new federal case under the Health Insurance Portability and Accountability Act (HIPAA) points to the importance of good-faith efforts to avoid data breaches. Time and again, breaches happen – and organizations pay a price – because compliance efforts fall short.
At its core, HIPAA is a baseline plan for applying proven practices that prevent data intrusions.
This latest case, reported this week by the U.S. Office for Civil Rights (OCR), underscores the preventability of one of the most common HIPAA violations: impermissible access to private information by an insider.
OCR’s Acting Director Anthony Archeval is on point in saying that “allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”
In this case, a patient was contacted by an unknown individual who had photographs of her printed medical records, as well as a video of someone scrolling through her medical records on a computer screen.
OCR’s investigation pointed to culpability on the part of the healthcare provider, including:
- Failing to implement policies and procedures for authorized access to private information, as required;
- Failing to reduce risks and vulnerabilities to a reasonable and appropriate level; and
- Failing to regularly review records of information system activity.
In addition to an $800,000 settlement, remediation will include a compliant risk assessment, better training and risk management.
These are all things within the power of an organization to do in advance - both to meet federal standards and to protect individuals served. Privacy efforts shouldn’t be viewed solely in terms of meeting regulations. Fundamentally, the objective is to uphold trust.