Healthcare businesses have an extra layer of IT compliance requirements because of the sensitive nature of the patient information they possess. As many of these enterprises have learned, the government is serious about enforcing compliance with HIPAA regulations. One healthcare firm learned this the hard way, when one stolen laptop and careless use of the cloud resulted in a $2.7 million fine. Compliance is complicated, and the risks are huge in healthcare, so this is an area in which an IT consultant should be considered to make sure that your medical business is compliant. Let’s look more closely at the $2.7 million cautionary tale.
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996, with the primary function of letting employees keep health insurance when they change or lose their jobs. That’s just the “portability” half of it. The “accountability” half includes stipulations for secure treatment of electronic medical records. The Department of Health and Human Services has settled eight HIPAA cases so far in 2016, which indicates an accelerated pace from the average of about four per year since 2008. The government is clearly getting serious about this.
Oregon Health & Science University (OHSU) is the latest healthcare organization to learn about HIPAA the hard way, with a $2.7 million fine and a three-year corrective action plan. This is the result of two separate incidents that compromised the data of more than 7,000 people. In the first incident, in February 2013, an unencrypted laptop was stolen from a vacation rental home in Hawaii at which an OHSU surgeon was staying. It wasn’t reported whether the laptop was targeted because of the patient information on it, but whatever the case, this was a lapse in the security required by HIPAA for patient data. The second incident also occurred in 2013, and in this case, OHSU used a cloud-based storage service on which they posted unencrypted spreadsheets of patient information. The cloud service (from Google) had standard commercial security measures in place, but OHSU had failed to ensure that the arrangements met HIPAA requirements.
It is worth noting that these infractions are exactly the kind of scenario that the right IT consultant can prevent. A properly encrypted laptop with the latest mobile security features would have prevented the problem with the stolen laptop. (Ideally, you would even have policies and procedures that don’t let sensitive data travel with the employees.) Similarly, an IT consultant with expertise in HIPAA compliance would have known what was needed for cloud services to meet the HIPAA requirements.
OHSU did not take these precautions, so now the corrective action plan that was dictated along with the fine will help them learn. This includes a thorough assessment of risks and vulnerabilities, development of a risk management plan, updates to HHS on their status and progress, and security awareness training for all employees. Hopefully, the burden that OHSU faces over the next three years will encourage other healthcare businesses to take HIPAA compliance seriously. The right IT consultant is likely to be a key part of the solution.
VITECH is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks and news, whether it is HIPAA compliance or any other IT issue. Contact us or send us an email for more information.