Any healthcare organization that stores, processes or transmits protected health information (PHI) must comply with the Health Insurance Portability and Accountability Act (HIPAA) and safeguard that data. The related HITECH Act mandates securing the growing body of electronic health records (EHR) and prescribes stiff penalties for organizations that fail to do so. Compliance entails deploying the security controls and processes the laws require.
About HIPAA / HITECH
HIPAA is U.S. Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996. Congress enacted it to improve the portability of health insurance coverage and to simplify health care administration through national standards for health plans and providers. HIPAA mandates standards-based security controls for every covered entity that creates, stores or transmits electronic protected health information (ePHI). The HIPAA Security Rule governs protection of ePHI specifically; the Privacy Rule governs PHI in any form. There is no HIPAA certification: neither HHS nor any private accreditation body certifies an organization as compliant, so organizations must instead be able to demonstrate compliance through a documented risk analysis, an ongoing risk management process and the safeguards they have implemented. Non-compliance can trigger civil monetary penalties and, for knowing violations, criminal penalties including fines and imprisonment.
HITECH is the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009. It is directly related to HIPAA: it extended the Security Rule's requirements directly to business associates, added a breach notification requirement for unsecured PHI, and raised the penalty tiers for violations. HITECH's "meaningful use" incentive program rewards providers for adopting certified EHR technology, and one of its core objectives is a security risk analysis of that technology to protect the confidentiality, integrity, and availability of ePHI. Detailed requirements for HIPAA and HITECH are managed by the Department of Health and Human Services (HHS).
People expect healthcare organizations to keep their health information confidential and safe from data breaches and other attacks. Healthcare organizations also have self-interest at heart, because penalties for non-compliance with HIPAA / HITECH can be substantial. In cases of "willful neglect," a HITECH penalty starts at $50,000 per violation, up to an annual cap of $1.5 million for violations of the same provision. A breach brings further costs for discovery and containment, investigation of the incident, remediation, attorney and legal fees, loss of customer confidence, lost sales and revenue, brand degradation, and so on. Compliance is a serious responsibility on many levels.
Security is a crucial part of HIPAA / HITECH. The Department of Health and Human Services states, "[It] is important to recognize that security is not a one-time project, but rather an ongoing, dynamic process." HIPAA therefore requires security-related processes, many of which are best implemented with automated technology. HIPAA regulations do not mandate particular security technologies. The Security Rule is technology neutral: each of its implementation specifications is either "required" or "addressable," and for an addressable specification a covered entity must implement it, implement an equivalent alternative, or document why neither is reasonable and appropriate in its environment. The regulations thus specify a set of principles for guiding technology choices, principles that mirror those underpinning on-demand vulnerability management and policy compliance solutions.
Your organization’s compliance program should address three issues:
Providing an independent assessor with audit-quality documentation of these steps and your security measures simplifies compliance audits.