Thousands of laptops and other mobile computing devices are stolen every day. So if health providers can be taught anything from a recent HHS.gov news release, it’s this: you must comply with HIPAA Privacy and Security Rules to protect and secure health information—especially when using mobile devices.
Learn what every HIPAA covered entity should know about mobile devices containing Protected Health Information (PHI).
Stolen unencrypted computing devices with patient PHI pose a significant risk for HIPAA liability.
As announced by press release on April 22, 2014, two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.
Susan McAndrew, deputy director of health information privacy, stays on OCR’s clear message:
(1) “Covered entities and business associates must understand that mobile device security is their obligation.”
(2) “Encryption is your best defense against these incidents.”
The consequences are significant if you ignore commonplace threats or fail to do the required work of safeguarding electronic PHI, as these latest HIPAA settlements confirm.
Are you more exposed than you realize?
As discussed in our newest white paper for covered entity providers, data breaches are a constant threat. And the causes are widespread.
Besides theft, human error and malicious intent are working against you. Workforce members with the best of intentions can still be careless or make mistakes. Kroll, a leader in cyber investigations and breach incident response, examined data from cases handled for its U.S. clients in 2013 and found that 78% of healthcare cyber crises were tied to human error while 22% involved an act of malicious intent.
FBI sends its warning: The healthcare sector is vulnerable to cyber attacks.
In a recent Reuters article, we learn the FBI is also warning that healthcare providers are vulnerable to cyber attacks by hackers searching for Americans' personal medical records and health insurance data.
The article states that demand for medical information “remains strong on criminal marketplaces, experts said, partly because it takes victims longer to realize the information has been stolen and report it, and because of the different ways the information can be used.”
Personal information, medical data, and health insurance credentials are valuable assets because they can be used to fraudulently bill for services or sold on the black market. The “PHI Project” recently estimated the average payout for defrauding a health care organization at $20,000, versus only $2,000 for regular identity theft.
By taking proactive steps to avoid HIPAA violations, Steri•SafeSM helps you stay protected.
Certainly none of us can predict when theft or a careless mistake involving PHI will occur. On any given day, you can become a victim of the actions of a malicious insider or cyber crime ring. Thinking it will never happen to you is risky business now that relatively small breaches are resulting in hefty fines.
In the aftermath of a theft, unauthorized disclosure, or hacking/IT incident, you don’t want OCR finding deficiencies in your HIPAA compliance program. The best you can do is be proactive and strengthen your position by investing a reasonable amount of time and budget to ensure that your practice complies with the foundational requirements under HIPAA, HITECH and the Omnibus Final Rule.
Simply put, HIPAA obligates you to TEACH, DOCUMENT, ASSESS and SUSTAIN numerous compliance activities over time. And that’s where Stericycle helps. Our Steri•SafeSM Compliance in Action Loop is a proven cycle for evaluating your risks, training staff, documenting policies and sustaining HIPAA compliance over the long haul.
Conducting thorough privacy and security risk assessments is a critical step in meeting your Risk Analysis Requirements under the HIPAA Security Rule. But that’s just one aspect of our program. Our all-in-one HIPAA solution also addresses your needs for ongoing HIPAA training and policy documentation.
To hear more about how we’re helping HIPAA covered entities nationwide tackle Privacy, Security and Breach Notification Rule requirements, contact a HIPAA Specialist today.