Questions? Call (855) 670-8780 or email security@compliancepoint.com   Visit us on LinkedIN  

Healthcare Data Breaches: What Preventative Solutions Do We Have?

 

February 25, 2016

 

 

In our last blog post, we discussed the prominence of data breaches in the healthcare industry. With so much of the attention being paid to breaches after-the-fact, what can a Covered Entity or Business Associate do to help prevent a data breach in the first place?

For many organizations that have had a breach occur in the past year, realization of their inadequacy of security controls around how they manage healthcare information, internally and externally, has come too late. Many times not happening until after OCR delivers their OCR Resolution Agreement, in which their investigations reveals findings around the occurrences and the settled resolution between OCR and the breached party. By the time this agreement is delivered/received and agreed to by all the affected parties, the damage has already been done. Monetary fines have been imposed and the breached party’s reputation has been tarnished.

The breached party has to implement the specifications relayed by the OCR in the agreement. These specifications have strict timelines, forcing the organization to enter into re-act mode immediately. The organization is now charged with running a business while containing and mitigating the effects of the breach, and at the same time remediating all deficiencies found by the OCR. With resources many times already being limited for these work efforts, the pressure on the breached organization becomes real.

Read More

Topics: Protected Health Information, Covered Entities, Business Associates, Privacy, PHI, HIMSS, Data Breach, Security, OCR, Security Framework, Breach, Healthcare Information, Data, ePHI

Violación de Datos Médicos: QUE SOLUCIONES PREVENTIVAS TENEMOS?

 

February 25, 2016

 

 

En nuestra última publicación (last blog post), hablamos de la importancia de las violaciones de datos en la industria de la salud.  Gran parte de la atención se presta en las violaciones después de que ocurren; que puede hacer una Entidad Cubierta o Afiliados Comerciales para ayudar a prevenir las violaciones de datos en el primer lugar?

Para muchas organizaciones, en las que han ocurrido violaciones de datos durante el último año, darse cuenta que sus controles de seguridad inadecuados respecto al manejo de la información médica, interna y externamente, ha llegado demasiado tarde. Muchas veces no ocurre hasta después que la  OCR hace entrega del Acuerdo de Resolución de OCR , que revela los hallazgos de sus investigaciones en torno a las ocurrencias y la resolución establecida entre el OCR y la parte vulnerada . Para cuando el acuerdo es entregado / recibido y aceptado por todas las partes afectadas, el daño ya está hecho. Multas monetarias pueden ser impuestas y la reputación de la parte vulnerada puede verse empañada.

Read More

Topics: Protected Health Information, Covered Entities, Business Associates, Privacy, PHI, HIMSS, Data Breach, Security, OCR, Security Framework, Breach, Healthcare Information, Data, ePHI

Healthcare Data Breaches: Who are the Key Players Enforcing PHI Requirements?

 

February 5, 2016

 

 

 In this blog series thus far, we’ve addressed the following questions:

  1. Who Needs PHI to Conduct Business?
  2. Who Wants PHI?
  3. What PHI IS Beyond the Scope of HIPAA?

In today’s post, I’d like to address who the key players are actively enforcing the requirements surrounding protected health information (PHI). One of these may surprise you!

First, we have The United States Department of Health and Human Services (HHS), also known as the Health Department. It is a cabinet-level department of the U.S. federal government tasked with protecting the

Read More

Topics: Protected Health Information, HIPAA, Health Information, Privacy, PHI, HITECH, Security, HIMSS16, FTC, OCR, Office for Civil Rights, HHS, Federal Trade Commission, Unfair and Deceptive Act, Health Breach Notification Rule

Healthcare Data Breaches: PHI beyond the Scope of HIPAA

 

January 20, 2016

 

 

In quick summary of the discussions through the blog series so far, PHI is individually identifiable health information that is held or transmitted by a Covered Entity or Business Associate. PHI can be any form or medium: electronic, paper, or oral and can include demographic information and relate to an individual’s past, present, or future physical or mental health or condition, the individual’s health care services received, or the payment status for those health care services.

Now, let’s discuss what PHI falls outside the scope of the HIPAA/HITECH requirements.

Although the HIPAA/HITECH requirements only apply to Covered Entities and Business Associates, it’s important to note that PHI may be redefined as personally identifiable information (PII) that applies to MANY different types of entities and different scenarios in which this information is used or disclosed for business purposes.

Exclusions to the definition of PHI as stated above, are education records (covered by the Family Educational Rights and Privacy Act), records as described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a Covered Entity in its role as an employer.

PHI also ceases to be considered PHI, and thus not protected under HIPAA, when certain elements are removed from this sensitive information. This is called de-identification of protected health information. There are two scenarios in which this occurs:

Read More

Topics: Protected Health Information, HIPAA, Covered Entities, Business Associates, Health Information, Privacy, PHI, HITECH, Data Breach, Security, HIMSS16, Personally Identifiable Information, De-identification, Health care, PII

Healthcare Data Breaches: Who Wants PHI?

 

January 12, 2016

 

 

In the previous blog post, we discussed the types of entities who need protected health information (PHI) to conduct their business or provide their services. Now, let’s discuss what entities or individuals are typically interested in obtaining this PHI.

Who is Interested in Obtaining PHI?

There is no single group of people or type of organization stealing PHI for unlawful purposes. However, by looking at the 18 PHI identifiers listed below, we can see that the type of information collected and protected under HIPAA can be used for many purposes that negatively affect those whose PHI is compromised.

Read More

Topics: Protected Health Information, HIPAA, Covered Entities, Business Associates, Health Information, Privacy, Privacy Rule, PHI, Data Breach, Security, HIMSS16, Information, healthcare, Illegal Use, Unlawful Use

Healthcare Data Breaches: Who Needs PHI to Conduct Business?

 

January 6, 2016

 

 

As promised in my introductory blog post, I will be writing a blog series exploring several issues regarding healthcare data breaches. Specifically, I will address the importance of proactively preventing them rather than reacting to them after the damage is done.

Who Needs PHI to Conduct Business?

Individually identifiable health information held or transmitted by a Covered Entity or Business Associate is protected under the HIPAA Privacy Rule and is formally called Protected Health Information (PHI).

PHI can be any record form or medium: electronic, paper, or oral. PHI can also include demographic information and relate to an individual’s past, present, or future physical or mental health or condition, the provision of healthcare to the individual, or the payment status for the provision of healthcare to the individual.

Individuals, organizations, and agencies that fall under the HIPAA definitions of a Covered Entity or a Business Associate must comply with the HIPAA/HITECH Rules in order to adequately protect the privacy and security of PHI while also providing individuals specific access to their PHI.

Read More

Topics: Protected Health Information, HIPAA, Covered Entities, Business Associates, Health Information, Business Associate Agreement, Privacy, PHI, HITECH, HIMSS, Data Breach, Security, healthcare

Subscribe to Our Blog Via Email

Recent Posts