Steps to Avoid Data Pitfalls of HIPAA Compliance
There has been a spate of healthcare-related data breaches recently, causing growing alarm in the healthcare industry as well as among the general population. There have been over 400 incidents affecting more than 19 million individuals since 2009, and more than 20% of these have involved Business Associates. These breaches have included:
- Probably the most famous case is the Terry Childs case, a key example of actions by rogue employees. He is being charged with "providing a means of accessing a computer, computer system, or computer network …."
- The Utah Department of Health impacting about 280,000 individuals due to an internal processing error.
- 800,000 child support records were compromised in California’s Child Support System.
- The breach at the Tricare Military Health program and its Business Associate, Science Applications International, alone affected almost 5 million individuals.
- Breaches at Healthnet, Nemours and Sutter Health also affected millions of individuals each.
Breaches are now causing contractual issues when inking a contract with an IT Business Associate. Allocating liability for confidential information to which a service provider had access, and for any resulting data breaches, is a major cause of concern. Breaches are having a direct impact on healthcare-related businesses, including:
- Impairment Resources LLC filed for bankruptcy on a Friday after the break-in at its San Diego headquarters led to the electronic escape of detailed medical information for roughly 14,000 people.
- The Minnesota attorney general brought the first formal enforcement action against a business associate, Accretive Health, Inc., for an alleged violation under the Health Insurance Portability and Accountability Act.
The biggest unknown, of course, is how much of this crime goes unreported. It’s difficult to catch someone who uses legitimate authority to accomplish mischief that might be mistaken for normal activity under ordinary circumstances. No one has ventured to guess the cost of the damage insiders really cause. Many organizations have not yet invested in Risk Assessments, even though the HIPAA and HITECH requirements have been known for some time. Organizations believe that they have proper policies in place, but have failed to test them, especially where Business Associates are concerned. On top of this, the industry is entering a new period of uncertainty. Under new federal regulations, EHR systems are required to replace most paper-based health records by 2015. A recent study indicated that the healthcare IT market is entering a period of rapid growth fueled by new software development and government compliance regulations.

What to do: There are a number of steps that organizations need to take in order to ensure that data privacy is maintained and business viability is not impacted. These include:
- Monitor network traffic and event logs for unusual patterns.
- Perform a sensitive data analysis.
- Incorporate data de-identification techniques wherever least-use principles apply (e.g. test environments, sharing of data).
- Implement data leak detection and prevention products.
- Evaluate entitlements management processes and procedures.
- Make use of encryption wherever sensitive data resides.
- Develop a Data Management and Enterprise Governance, Risk and Compliance framework.
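As an added illustration of the de-identification step above (example code, not part of the original article), the following Python de-identifies a constructed patient record for a test environment along the lines of the HIPAA Safe Harbor method: direct identifiers are dropped, the MRN is replaced by a keyed pseudonym so tables still join, the ZIP code is truncated to three digits, and dates and ages over 89 are generalised. The key, the restricted-ZIP subset, the field names and the sample record are all assumptions.

```python
import hashlib
import hmac
from datetime import date

# Constructed key for the pseudonyms; in practice load it from a secret store
# that the test environment itself cannot read.
PSEUDONYM_KEY = b"constructed-test-env-key-rotate-me"
# ZIP3 prefixes Safe Harbor requires to become "000"; illustrative subset, see HHS guidance.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203"}
# Identifiers dropped outright, and dates of which only the year is kept.
DIRECT_IDENTIFIERS = ("name", "ssn", "phone", "email", "street")
DATE_FIELDS = ("admit_date", "discharge_date")

def pseudonymise(value: str) -> str:
    """Keyed, deterministic token: the same MRN maps to the same token across
    tables, so joins still work, but it cannot be reversed without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def generalise_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is restricted or malformed."""
    zip3 = "".join(ch for ch in zip_code if ch.isdigit())[:3]
    return "000" if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3 else zip3

def generalise_age(dob: date, as_of: date) -> dict:
    """Keep birth year and exact age up to 89; older patients are aggregated to
    '90+' and lose the birth year, which would otherwise reveal the age."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    if age > 89:
        return {"birth_year": None, "age": "90+"}
    return {"birth_year": dob.year, "age": age}

def deidentify(record: dict, as_of: date) -> dict:
    """Return a copy of `record` reduced to what a test environment needs."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["mrn"] = pseudonymise(record["mrn"])
    out["zip3"] = generalise_zip(out.pop("zip"))
    out.update(generalise_age(out.pop("dob"), as_of))
    for field in DATE_FIELDS:
        if field in out:
            out[field] = out[field].year
    return out

# Constructed sample record, not real patient data.
SAMPLE = {"mrn": "MRN-0001", "name": "Jane Doe", "ssn": "123-45-6789",
          "dob": date(1950, 3, 15), "zip": "92101", "street": "1 Main St",
          "admit_date": date(2012, 4, 2), "diagnosis": "J18.9"}
AS_OF = date(2012, 6, 1)  # constructed reference date for the age calculation

print(deidentify(SAMPLE, AS_OF))
```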
If your organization does not have staff knowledgeable in these areas, consider hiring staff or engaging firms with experience in the financial industry, where this has been a priority for some time.