You Need To Comply With HIPAA And You Probably Don t Even Know It!

Transcription

1 You Need To Comply With HIPAA And You Probably Don t Even Know It! If a hospital or healthcare institution is one of your customers/clients, I hope you changed the way you approached the Health Insurance Portability and Accountability Act (HIPAA) in 2013; especially after the Omnibus Final Rule that released in January HIPAA now affects so many industries, other than just Healthcare, and chances are that companies in these industries either don t know that yet or know it but don t know what to do next. I Don t Have Time For This! well of course you don t! According to the Omnibus Final Rule the compliance deadline after which the full force of the new rule came into effect was September 23, The one thing you should surely stand up and take notice of in the new provisions is the direct liability, without limitation, of Business Associates and their subcontractors. Any third-party vendor or service provider, or its subcontractor, who handles Protected Health Information (PHI) needs to comply with HIPAA.

2 In plain English, even if you just happened to create, receive, maintain, or transmit PHI, then you need to be HIPAA compliant; even if a Business Associate passed on PHI to a subcontractor, who then passed it on to its subcontractor, then all the companies in that chain too need to be HIPAA compliant. Oh, and given that the September deadline has passed, you should actually be already compliant! Here s a quick way to identify if you re affected Do you create, receive, maintain, transmit, or even as much as touch PHI for a brief second? If yes, go on to the next bullet. Are you a courier service or an Internet Service Provider? If no, then you need to be HIPAA compliant. This is bad news for the Business Associates, who now bear the full onus of ensuring that they and their subcontractors (that entire chain we just talked about) secure the PHI they deal with. Business Associates The Largest Sources of Breaches HealthcareInfoSecurity reported that about 22% of breaches reported on the Office of Civil Rights (OCR) website from September 2009 to August 2013 have involved Business Associates. The fact is that Business Associates makes a great target because they haven t had to deal with the full force of HIPAA compliance and often have lax security measures in place to protect PHI. Given the way the HIPAA Omnibus Final Rule has gone after the entire subcontractor chain, compliance will have a whole new meaning for Business Associates and their subcontractors. How Bad Is It? Very bad! The direct monetary penalty impact of not being in compliance could be a few million dollars, but the breach notification clauses in HIPAA and HITECH will mean some very bad publicity in the news for your organization. It s very difficult to resurrect back to normal after going through that.

3 On Another Note Obamacare! By now, we re pretty tired of hearing about the torrent of glitches, hiccups and bugs that have piggybacked the Affordable Care Act (aka Obamacare ) via its HealthCare.gov website. Yes, most of us know that the website has glitches and was down and so on, but you probably aren t aware that there were some glaring security vulnerabilities in the system as well. The site had error messages that relayed personal information without encryption. Remember: This site holds a great deal of personal information, from names, social security numbers, addresses and phone numbers to social security numbers, income, employers names and details about countless individual family members of anyone who signed up. Even the verification system could be bypassed without access to the actual account. Protect Your Personal Information Our take isn t really about what s happened. Instead, we re interested in pointing out something much more important! It s time for some serious personal risk management. All HealthCare.gov users (past, present and future) would best take precautions to ensure that they don t become victims of identity theft Actively monitor your credit reports. Don t use the same password for everything! Also, please change all passwords that you ve used on HealthCare.gov or related state sites if you re one of those who use the same password everywhere. The Federal Trade Commission (FTC) offers some great guidelines to help you protect your information. Protect Your Customers and Clients If you re reading this, reach out to your customers and clients and show them that you truly care about their privacy and security. Make sure they don t become victims of a personal data breach.

4 CEOs, CIOs, and Board Members Touch base with your customers and clients and let them know these best practices especially that using the same password on the ACA site as the one they use for , banking, etc. is not smart. Insurance Companies Since the ACA is essentially setting up a sort of marketplace to buy insurance, you should be offering added protection to customers who are applying online through HealthCare.gov. Introduce more robust checks and balances into the insuranceacquisition process than you normally would, especially given the fact that people who used the first version of the site could have potentially exposed and compromised their data. Protect Your Business! Protect Yourself!

5 Enterprise Risk Management: At a Glance ERM brings clients the highest level of expertise to assess and address risks, comply with standards and regulations and mitigate risks, using integrated and reasonably priced security services and solutions. Our practice provides organizations with the tools they need to address the compliance and risk management issues of today, as well as the broader and ever-increasing security challenges of the future. Services Cyber Security & Information Assurance Regulatory Compliance IT Audit Computer Forensics Risk Management Attestation Universities Carnegie Mellon University Massachusetts Institute of Technology State University of New York - Albany University of Miami Certifications Certified Information Systems Security Professional (CISSP) Certified Information Systems Auditor (CISA) Certified Information Systems Manager (CISM) Certified Information Technology Professional (CITP) Six Disciplines Strategic Planning Coach GIAC Security Essentials Certification GIAC Systems and Network Auditor Payment Card Industry Professional (PCIP) PCI Qualified Security Assessor (QSA) Project Management Professional (PMP) ISO/IEC 27001:2005 ISMS Lead Auditor Certified in Risk and Information Systems Control (CRISC) Information Technology Infrastructure Library (ITIL) v3 Certified Public Accountant (CPA) Some of our Clients Government Department of State - USAID Department of Defense - DeCA Department of Defense - US Army INSCOM Department of Homeland Security - FLETC Department of Treasury - BPD Department of Treasury - OCC Dallas Area Rapid Transit (DART) Metropolitan Washington Airports Authority State of Kansas State of Mississippi State of Oregon University of Texas - Pan American West Virginia State Treasurer s Office Private Assurant Solutions Bacardi-Martini, Inc. Banco Santander Banco Itau Europa International Banesco Biltmore Hotel Brightstar Corporation Carnival Cruise Lines HEICO Aerospace Jackson Memorial Hospital Laureate Education Mount Sinai Medical Center Nova Southeastern University SONY Electronics Latin America Tracfone Wireless University of Miami XTec, Inc.