
Implementing HIPAA’s Security Rule Safeguards — Part 1: Administrative Safeguards


What would you be willing to spend to pay off liability claims for breaching HIPAA laws? $10,000? $50,000? $100,000? Or you could prevent ever having to write that enormous check and save yourself thousands of dollars by using HIPAA compliance software.

In order to fully reduce and minimize liabilities, the smart choice is to use HIPAA compliance software. It is an efficient and affordable way to ensure your organization is HIPAA compliant, and it will keep you and your clients feeling assured and protected.

The U.S. Department of Health and Human Services regulates compliance with these rules, which include the HIPAA Security Rule. With ever-advancing technology and new ways of spreading information, making sure electronic protected health information (ePHI) remains safe and secure must be a top priority.

As part one in a three-part series, we will outline why it is vital to be compliant with HIPAA’s Security Rule and how to do so.

Administrative Safeguards

First on your list to implement are the Administrative Safeguards. The HIPAA Security Rule’s Administrative Safeguards focus on your organization’s internal security measures, ensuring you create a durable security foundation to best protect your patients’ information.

Below, we outline the ten areas the Administrative Safeguards require.

1. Security Management Process (45 CFR 164.308(a)(1)(i))

Recognize and scrutinize possible risks to ePHI. Implement every reasonable security measure to minimize those risks and any vulnerability that could lead to ePHI being leaked.

2. Security Risk Analysis (45 CFR 164.308(a)(1)(ii)(A))

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

HIPAA One is the simplest, most automated and affordable comprehensive security risk analysis on the market that guarantees compliance and reduces risk. See www.hipaaone.com for more information.

3. Assigned Security Responsibility (45 CFR 164.308(a)(2))

Designate an official who is trustworthy and responsible to oversee the progress and execution of the organization’s policies and practices.

4. Workforce Security (45 CFR 164.308(a)(3)(i))

Only those authorized may be granted access to ePHI. This means the use and disclosure of ePHI is granted only on a role-based basis. To be compliant with the Privacy Rule, any access to or disclosure of ePHI must be on a need-to-know basis.

5. Information Access Management (45 CFR 164.308(a)(4)(ii)(A))

Identify and isolate healthcare clearinghouse functions by moving their computing/server environment onto a separate network, with a firewall inserted between it and the rest of the production network. Ideally, also put an IDS/IPS (a network security device) in place to monitor that segment for malware and other types of attacks.

6. Security Incident Procedures (45 CFR 164.308(a)(6))

Implement policies and procedures to address security incidents.

Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

A Security Incident Response Plan (SIRP) is designed to report, verify, contain, notify, restore service, document and provide a cost estimate for each incident. If you have a SIRP but no reports of incidents, look at the training and awareness of your workforce: there should be some reports in the past 12 months, or people are not aware of what the process is.

7. Security Awareness Training (45 CFR 164.308(a)(5)(i))

Train and supervise personnel who have access to ePHI. The rule requires that organizations must train employees about the security policies and procedures and enforce appropriate sanctions against those individuals who do not comply.

Conduct training annually and ensure HIPAA Security Training at a minimum covers encryption, the definition of a security incident, the channels for reporting incidents, email phishing, and the requirement to report any unencrypted ePHI to the HIPAA Security Officer.

Provide periodic reminders: emails, newsletters, staff meetings, posters and bulletin board postings are all helpful in keeping people aware.

People are the biggest resource in helping identify security incidents and reporting.

8. Contingency Plan (45 CFR 164.308(a)(7)(i))

Establish a data backup and restoration plan for all servers and databases – and don’t forget to include periodic testing (at least quarterly) of data restores to verify backup integrity.

Contingency planning may be as simple as developing a “System Downtime Packet”: stapled paper forms that together make up a health care packet. Include patient demographic forms, SOAP note forms, common ICD codes, a blank prescription sheet, a medical/doctor’s note and any other forms commonly used during the visit. Enter the data when the EHR system becomes available again.

Disaster Recovery Planning includes an updated ePHI asset sheet with server criticality and restoration priority (no more than 4 levels please) in the event of restoration.

Periodically test the above scenarios to verify they would meet the emergency needs of your organization.
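The quarterly restore test described above is the one contingency step that can be fully scripted. The following POSIX shell script is an added example, not HIPAA One’s software or a script from the original article: it backs up a directory to a tar archive, restores the archive into a scratch directory, and compares the restored tree file-by-file with the source, so a corrupt or truncated archive (or data that changed after the backup) shows up as a failed drill. The sample data directory, the file names and their contents are constructed for the demonstration; only `tar`, `diff`, `mktemp` and `head` are assumed to be available.

```shell
#!/bin/sh
# Added example (hypothetical script, not part of the original article or of
# HIPAA One): a backup-and-restore verification drill.
set -u

# make_backup SOURCE_DIR ARCHIVE
# Archives the contents of SOURCE_DIR into ARCHIVE.
make_backup() {
    tar -C "$1" -cf "$2" .
}

# verify_restore SOURCE_DIR ARCHIVE
# Restores ARCHIVE into a fresh scratch directory and compares it with
# SOURCE_DIR. Returns 0 when every file matches, 1 when extraction fails
# or any file differs, so the result can drive a pass/fail record.
verify_restore() {
    src="$1"
    archive="$2"
    scratch=$(mktemp -d) || return 1
    # A truncated or corrupt archive makes tar exit non-zero here.
    if ! tar -C "$scratch" -xf "$archive" 2>/dev/null; then
        rm -rf "$scratch"
        return 1
    fi
    # diff -r walks both trees and reports any content difference.
    if diff -r "$src" "$scratch" >/dev/null; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

# Constructed sample data standing in for a server's data directory.
# (Values are made up for the demonstration; no real patient data.)
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/data"
printf 'patient_id,visit_date\n1001,2024-01-05\n1002,2024-01-06\n' \
    > "$demo_dir/data/visits.csv"
printf 'schema version 3\n' > "$demo_dir/data/schema.txt"

make_backup "$demo_dir/data" "$demo_dir/backup.tar"

if verify_restore "$demo_dir/data" "$demo_dir/backup.tar"; then
    echo "restore drill PASSED for $demo_dir/data"
else
    echo "restore drill FAILED for $demo_dir/data"
fi
```

In production the source directory would be the server’s data path and the archive the most recent backup set; logging the pass/fail line with a date gives the documented evidence of quarterly testing that the contingency plan calls for.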

9. Protection from Malicious Software (45 CFR 164.308(a)(5)(ii)(B))

Ensure there are multiple layers protecting your computers from malware. Ransomware is becoming a huge problem: a user is fooled into clicking a link in an email, the malware downloads, spreads to other computers on the network and encrypts their hard drives, and the attackers demand a money transfer to release the files.

At a minimum, include safeguards such as patch management, anti-virus, a deep-packet-inspection firewall with a subscription service that blocks suspicious activity (SonicWall/Dell and FortiGate have good solutions for small to medium-sized organizations), and training that keeps users aware of deceptive phishing scams (and teaches them never to open email from people they don’t know).

Through a multi-layered approach you can protect your organization from becoming another victim of cybercrime.

10. Evaluation

Perform a routine, periodic evaluation of how well your security policies and procedures meet the requirements of the Security Rule.

In a world where private information is becoming less and less private, organizations — including yours — must strive to maintain and protect the health information of each individual. By following the required steps of the Administrative Safeguards, you can feel assured that you are following HIPAA standards and are keeping yourself, those you work with and your patients safe.

HIPAA One® provides comprehensive coverage of all Physical, Administrative, Technical and Organizational (Vendor Management and Business Associates) safeguards and empowers individuals with or without security experience to test their own preparedness and benchmark their HIPAA Security efforts. Email us at info@hipaaone.com, or visit www.hipaaone.com today for more information.

Check back on our blog soon for part two of this series where we will explain the HIPAA Security Rule’s Physical Safeguards.

7 Ways Employees Can Help Prevent HIPAA Violations

Prevent HIPAA Violations

There are several qualities of working in healthcare that are not dissimilar from other careers in other industries. You need to come into work on time, work hard while clocked in, get along with the other staff members, be a good representative of your company and so on. But there’s one aspect of working in healthcare that other industries don’t need to worry about: violating the HIPAA Privacy Rule or Security Rule.

When just one employee’s actions result in a HIPAA violation, it not only has major consequences for that individual, it also jeopardizes the entire organization. If an employee or workforce member commits a common HIPAA violation, even in the smallest way, the entire organization faces severe penalties, including substantial fines and a damaged reputation.

Nurses are on the frontlines of patient communication, so understanding the key ways YOU can prevent potentially disastrous violations is vital. To help you get started, here are seven ways you and all employees can help ensure HIPAA compliance.

1. Be educated and continually informed.

Image Source: COD Newsroom


The first way to ensure staff members aren’t violating HIPAA is to educate and inform each employee on HIPAA regulations, and to do so again whenever changes are made or new information is released regarding those regulations. Everyone should also be told what penalties they and your workplace will face if compliance isn’t maintained by all. Hold in-office trainings to teach employees all they need to know about HIPAA privacy and security regulations and to answer any questions they might have. You or your HIPAA privacy officer can conduct these trainings, or, if you use HIPAA security software, many of these programs offer training courses and seminars for your office to use. Take the necessary time to keep staff members knowledgeable on the HIPAA regulations and device standards they must follow in order to keep themselves and your organization HIPAA compliant. Education will take time, but it’s your best asset, so make the time to do it.

2. Maintain possession of mobile devices.

The most common HIPAA violation today is mobile devices storing patient health information being lost or stolen. It’s the obligation of covered entities and business associates to keep their mobile devices secure and out of the wrong hands, so if an employee accidentally loses a laptop or work tablet, or leaves it unattended and it gets stolen, your business pays for that mistake. Continually remind employees to be aware of where mobile devices are at all times and to shut them down and lock them up when they’re not using them.

3. Enable encryptions and firewalls.

Image Source: Ervins Strauhmanis


Your next defense with mobile devices is enabling encryption, firewalls and secure user authentication on every device. There are also technologies that can remotely lock or wipe a device (i.e. reset it to factory defaults, erasing all apps and data) using apps and software programs. This is your backup plan if a work device is lost or stolen. Again, stress to employees handling these devices the importance of maintaining possession of them, keeping encryption and firewalls up to date, and using authentication that is hard to crack. Accidents do happen, but sometimes employees are just cavalier, so to help your employees and yourself remain HIPAA compliant, enable these security precautions on each mobile device your business owns and lends out for employee use.

4. Double check that files are correctly stored.

Image Source: Medill DC


Handling paper and electronic files is a tricky business. Misfiling a patient’s paperwork in a cabinet or saving it on the wrong computer drive or network is a costly mistake. And many employees fall victim to this because they’re distracted while filing. Constantly remind employees who deal with patient files to focus on what they’re doing and double check that they properly store and save files in the right folders and drives.

5. Properly dispose of paper files.

Image Source: Sh4rp_i


Again, this is a human error problem. Too many of these cases have occurred because employees forgot or chose not to shred paper files before throwing them away. An employee could be having a bad day or an extremely busy day, or be distracted by other employees, and overlook shredding papers with PHI on them. The best way to avoid this problem and keep employees from violating HIPAA is switching to an electronic filing system. If you still prefer paper files, then make sure staff members double- and triple-check that they properly dispose of any and all paper files.

6. Keep anything with patient information out of the public’s eye.

Image Source: COD Newsroom


A minor way your company and its staff could be in violation with HIPAA laws is having patient information in plain view to anyone who comes into your establishment. Don’t fall victim to this small but careless mistake. Keep patient folders closed, don’t have appointment calendars openly displayed in patient areas and keep your computer monitors and mobile device screens hidden from patients and visitors.

We found one hospital displaying their patients’ X-rays (technically it was a CR scan) on a wall-mounted, big-screen TV next to the nurses’ workstation area where other patients walk by. Tell the staff to be mindful of these things, and that if they notice something out of place, to quickly take care of it before unauthorized eyes see it. Get everyone in the habit of keeping concealed the information that needs to be.

7. Use social media wisely.

Last but not least, express to employees just how crucial it is to use social media wisely. The way we communicate with each other has changed. Now, many people spend more time messaging on Facebook, sending Tweets and sharing how their day is going via a collage of pictures on Instagram. Social media usage has increased the likelihood for employees to violate HIPAA. Your safest bet to have employees and company remain HIPAA compliant is having a company rule not to post any text or pictures about what goes on in the workplace on social media or even on their personal blog. Your organization or business could be severely fined for neglectfully hiring, training and/or supervising an employee if he or she posts something sensitive, even if by accident or only shares a small tidbit of a situation that doesn’t include any names. Employees and businesses must be extremely careful when dealing with social media.

In order for your organization to remain HIPAA compliant, each employee must be HIPAA compliant. By educating, informing and training employees on what HIPAA regulations they must follow and the consequences they’ll face from being non-compliant, as well as reminding them to be smart and use common sense, employees can actually help prevent HIPAA violations from happening.

HIPAA Compliance For Dental Offices

Image Source:  Joseph Morris


Today, most dental offices run electronically. From having patients fill out forms to checking them in to appointments to filing dental records and more, it’s all done electronically. Why? Because the advancements of technology allow dentists to run their offices more efficiently than ever before.

But since we live in such a technology driven world, where we use computers and mobile devices for nearly everything we do, dental offices are more at risk of violating HIPAA rules — a situation you don’t want to get yourself into. Violating HIPAA could result in hefty fines, a bad reputation among the dental community and even jail time. One small, overlooked mistake could cause your office to lose thousands of dollars, hours of time, numerous patients and the respect of your community and fellow dentists.

That doesn’t have to be the situation for your dental office. By knowing how HIPAA applies to dental offices and what not to overlook, your office can maintain compliance, a steady income, its patients and its reputation as an honorable dental office.

Here’s what your dental office needs to do to ensure HIPAA compliance:

Write down a HIPAA compliance policy.

Without a plan, it’s highly unlikely what you want to happen is actually going to happen. Your plan in this case is a written HIPAA compliance policy clearly stating how your office and each staff member is going to meet HIPAA requirements to remain compliant and safeguard your ePHI. This needs to be one of the first things you do to ensure success!

Hire a HIPAA Compliance Officer.

The HIPAA Privacy Rule and HIPAA Security Rule require someone in your organization to be given the responsibility to oversee and implement these rules. If your organization is large enough and can afford it, hire someone to be your privacy officer. If you’re a smaller dental office, the privacy officer role usually falls to the dentist or office manager. Regardless of who is given the job, be sure they’re qualified to hold this position, which includes being very organized and responsible.

Train your staff.

Most likely, your staff needs to be trained on how to fulfill their roles while not breaching HIPAA policies. The only way your office stays compliant and protected from outrageous fines is if each employee knows the guidelines and what their responsibilities are. Have your privacy officer schedule and hold team trainings. Our HIPAA compliance software systems help educate your employees if you’re not sure how to conduct trainings. After you’ve successfully trained your staff, don’t forget to have everyone sign a written agreement stating they’ve completed their HIPAA training. The bottom line for many organizations is that employee education prevents violations.

Have a written Business Associate Agreement.

When you work with business associates (people or companies you’re partnered with that work with or are exposed to ePHI systems) it’s your responsibility to make sure they properly handle this information. If one of your business associates doesn’t comply with HIPAA, then you will also face consequences for their non-compliance. Write up a detailed written Business Associate Agreement for your business associates to sign to protect your office and patients.

Protect your patients’ ePHI.

Using mobile devices makes you more vulnerable to mishaps with your patients’ private health information. Three of the top ways dental offices breach HIPAA are devices storing ePHI being lost, devices storing ePHI being stolen, and unauthorized people viewing your patients’ ePHI.

Here’s how to help prevent these accidents from happening:

  • Carefully handle and securely store office mobile devices.
  • Use passcodes or a form of authentication on mobile devices.
  • Enable encryption.
  • Enable firewalls and security software.

These steps help prevent your devices and patients’ information from getting into the wrong hands or being seen by the wrong eyes, whether those belong to employees, disgruntled ex-employees, hackers or other patients.

Perform a Security Risk Analysis.

A crucial step in maintaining HIPAA compliance is performing a thorough Security Risk Analysis (SRA). This isn’t a one-and-done analysis. You need to perform this assessment regularly and have a corresponding risk management plan in place to fix any compliance issues or vulnerabilities you discover. You can do this on your own, but it’s advisable to use a professional or HIPAA compliance software to complete this self-assessment for you. Most software will not only complete the analysis, it will also provide plans to remediate any compliance holes it finds.

After you complete your SRA, you can optionally display this accomplishment on your website so visitors are assured your organization complies with HIPAA Security for their personal and protected health information. HIPAA One has a Seal that, when clicked, verifies the SRA is complete and current and then displays a certificate of completion.

Inform your patients about your HIPAA privacy agreement.

Let your patients know about your HIPAA privacy policy. HIPAA requires that your patients know your policy and that they acknowledge they’ve seen and understand it. Have the policy written down and have them read, sign and date the form online before their appointment or in a paper form when they come into your office for an appointment. Patients also have the right to refuse your HIPAA privacy policy, so if they do, make note of it to keep on file. Also on this form, include a “Right To Revoke” clause. Your patients reserve the right to not disclose any of their private dental information to specific parties, and if you don’t provide this option on your forms, they’re invalid and you’re breaching HIPAA if you release their information to another party.

Don’t take any unnecessary risks when it comes to HIPAA compliance. Know what your dental office needs to do and shouldn’t do, so you stay HIPAA compliant and away from the chaos of lawsuits and fines.

HIPAA Automation: Manage Multiple Locations and ePHI Systems With Ease

Image Source:  The National Guard


Managing an organization is hard work. And when you manage more than one location with access to ePHI (or as a Business Associate), it becomes an even harder task. Your workload and responsibilities are doubled, tripled, even quadrupled.

One responsibility on your laundry list of duties involves ensuring each of your locations adheres to the HIPAA privacy and security rules to remain compliant. Remaining HIPAA compliant can seem like the most overwhelming task, and the requirements to maintain compliance can seem tedious and time-consuming. But in order to save your organization money and time, you can’t overlook any of HIPAA’s requirements. You must ensure each of the clinics you manage follows the mandated requirements.

With the right tool, you can get rid of your fears and anguish when it comes to HIPAA compliance. When you choose automated HIPAA compliance software, you’ll be managing your organizations, remote locations and their compliance with ease.

One Software, Multiple Locations and ePHI Systems

When you’re looking for compliance software to manage more than one location, there are certain qualities you should require. The online software you choose should be automated, easy to understand and use, and completely cost-effective.

Here are 6 essential points of automation for compliance software:

  • Threat identification
  • Threat agents
  • Vulnerability analysis
  • Risk calculations
  • Remediation plans
  • Proper reporting and documentation preservation

For the sake of your organization, you cannot accept anything less when it comes to ensuring compliance. A security breach at one clinic is devastating enough, but compound that among multiple locations and/or headquarters the results are crippling.

The amount of time you spend with a typical security risk analysis is nothing compared to the time spent handling a security breach. Automating 6 of the 9 steps makes your time spent on a security risk analysis even shorter. Our analysis also makes sure your clinics are prepared when the time comes for a HIPAA audit. So, you can cross stressing over that audit off your to-do list.

Multiplying Your Workforce

While automation is magical in the sense that it gives you more time to spend at your remote locations, it doesn’t give you HIPAA knowledge superpowers. That’s why it’s even more important to have HIPAA experts in your corner. When you choose HIPAA One®, you also receive guidance for self-assessment, remote or full onsite consulting from our knowledgeable professionals. When any of your locations are in need, they will come onsite and provide any consulting, guidance or training necessary when it comes to HIPAA compliance. Instead of wasting hours trying to learn all this on your own and then try and explain it to your office staff in meetings or trainings, our professionals will take care of the hassle for you.

When you add additional ePHI systems (RIS, PACS, PM, historical EMR, portals, medical equipment, etc.), HIPAA One® intelligently adds a new role for that system’s administration and allows delegation at the beginning of the assessment to cover the related physical, administrative and technical safeguards for that system. This distributes the workload by getting the questions into the right hands up front, then lets the software do the heavy lifting in preparation for control recommendations and risk remediation.

The Bottom Line

What once was a weeklong or even longer process — and then double or triple that in a multiple-location and multi-ePHI system situation — is now cut significantly to just hours per clinic.

The automated and all-encompassing HIPAA One software is the tool you need to manage your main headquarters, regional and remote locations, and multiple ePHI systems with ease, and to ensure you and your staff members spend your time and focus on your clients and patients, the ones who should be receiving it.

Employee Education Prevents Violations


When you work for or work with a healthcare entity, you have to be HIPAA compliant. Non-compliance results in stress, operational inefficiencies, increased business risk such as civil and criminal charges, including costly fines and jail time, and embarrassment for the person and entity involved in the violation.

One way you can help prevent against HIPAA violations is educating your staff about HIPAA security and privacy regulations and the requirements to be HIPAA compliant. Educating and training your staff is how you’ll keep your sensitive physical, software and network information private and protected.

Patients’ private health information is stored on networks, but it’s also carried and transmitted through various devices. Here are devices health entities use to store, access and share ePHI:

  • Desktop computers
  • Laptops
  • Tablets
  • Smart phones
  • USB thumb drives

These devices are extremely useful to health care entities, but the more useful something is to an entity, the greater risk it also tends to be. As you educate and inform your staff on your device standards and policies to remain HIPAA compliant, you’ll lower your risks.

How should you educate and inform your staff?

Hold Trainings

Training is necessary with every company. Staff members need to know what to do and how to do it correctly. This is especially important in the health care industry because messing up means violating HIPAA, and violating HIPAA results in substantial repercussions.

Determining your training approach is up to you and what you think will work best for your entity. Consider the best ways your staff learns and what training method will be the most valuable and provide hands-on experience for your staff. You want them to walk away with a knowledgeable understanding they’ll remember, not an information overload they’ll forget by the end of the day.

While most procedures you cover will apply to every staff member, consider having different training levels, because certain procedures are unique to certain positions. Here are trainings and processes to implement with your staff:

  • General HIPAA and device training for new hires as part of their orientation
  • Annual HIPAA and device trainings for each staff member
  • Have a process that evaluates how effective trainings are
  • Set up a process that verifies your staff members have completed their trainings before they can access PHI
  • Enforce a discipline policy if any staff member fails to comply with your HIPAA device trainings and policies

Use HIPAA Security Software

Another way to keep your staff educated is implementing HIPAA security software. Besides offering simplified, user-friendly online procedures to make sure your network and processes are compliant, many of these software programs also offer HIPAA security and privacy training courses and/or seminars for you and your staff members. This compliance software identifies any holes in your network, analyzes your risk level, informs your staff on how to safeguard ePHI and trains them on what it means and what’s required to be HIPAA compliant. HIPAA security software is an essential tool to help educate your staff and prevent HIPAA violations in regards to the devices you use to store and transmit patient information.

Notify Employees When Changes Are Made

The final way to keep your staff informed is notifying them when changes are made or new information is released regarding HIPAA security and privacy rules, as well as your entity’s HIPAA device policies. You need a way to send out this information so it reaches all of your employees and does so in a timely manner. Here are some delivery options:

  • Company email
  • Company newsletter
  • Fliers
  • Handouts
  • Posters
  • Special meetings or trainings

What do you educate and inform your staff on?

Your staff needs to know how they can safeguard the ePHI they handle against threats to its integrity, security and unauthorized use. They need to know how to best protect themselves, the health care entity they work for and, most importantly, the patients and their information. Below are the topics your staff should be educated and informed on:

  • How to install and enable encryption
  • Avoid opening emails from people you don’t know
  • Procedures to detect and guard against malicious software
  • Locking and shutting down devices when not in use
  • Implementing passwords, passcodes or other forms of user authentication to allow access to devices
  • Ways to prevent the loss or theft of devices
  • How to install and activate remote wiping or disabling if device is lost or stolen
  • When and how it’s okay to send or receive ePHI
  • When and how device audits and inventories take place

Violating HIPAA is a situation you don’t want to put yourself in. Take the time to educate and inform your staff on the regulations and device standards they must follow to remain HIPAA compliant. Education is your best privacy asset, so take advantage of it and steer clear of those hefty HIPAA violations.

HIPAA Compliance Saves Money AND Time


Image Source: Tax Credit

When you’re in the healthcare industry, you have to comply with HIPAA privacy and security rules. And although the government’s rules concerning HIPAA compliance continue to change and the process of becoming HIPAA compliant appears complicated and tedious, it’s imperative that you adhere to each of the HIPAA compliance requirements.

Why is it so imperative that you take the steps necessary to be completely HIPAA compliant? For starters, compliance does two big things for you that everyone in the healthcare industry (and in every industry, for that matter) wants: it saves you money and it saves you time. What better reasons do you need?

Below you can find out just how HIPAA compliance saves you money and time, which in turn makes your job a little easier and helps take some of the stress out of your life.

How HIPAA Compliance Saves You Money

While you first have to invest money to become HIPAA compliant, the upfront investment costs are far less than the hundreds of thousands to millions of dollars you could pay in penalties for non-compliance, and that your patients would pay in out-of-pocket costs.

HIPAA Violations and Enforcement penalties

Photo from the American Medical Association

“…36 percent did pay an average of $18,660, as shown in Table 1b (above). These costs are: (1) identity protection, credit reporting and legal counsel; (2) medical services and medications because of lapse in healthcare coverage; (3) reimbursements to healthcare providers to pay for services to imposters. Based on our extrapolation, we estimate the total out-of-pocket costs incurred by medical identity theft victims in the United States at $12.3 billion.”

** Tables and reference from the Ponemon Institute 2013 Survey on Medical Identity Theft Report

When you conduct your own security risk analysis, which most types of HIPAA compliance software let you do, you’re able to find and manage any security risks in your system so you can anticipate future issues and create action plans to prevent those issues from happening before your system is compromised. Knowing of and preventing security risks saves you the major costs associated with security breaches, i.e. fines for not being HIPAA compliant and paying someone to fix the holes and issues within your network.

HIPAA compliance also saves you money when it comes time for your organization’s HIPAA audit. Government audits can be a scary process to go through because when you don’t meet their standards, high costs are involved on your part. But when you’re prepared for an audit, there’s nothing to fear. HIPAA compliance software lets you conduct your own mock-audit so you can discover how compliant your organization is, and it usually provides the needed documentation for an audit.

Using compliance software also saves you money on labor, because it is a single solution that covers the whole process in less time than doing everything manually, alone or with a group of employees. With it, fewer people and fewer hours are needed to ensure you are HIPAA compliant, so you no longer have to pay overtime for the countless hours staff would otherwise spend.

How HIPAA Compliance Saves You Time

As mentioned above, HIPAA compliance saves you money on security issues and HIPAA audits, but it also saves you time in those areas. Performing a security analysis with your compliance software lets you find holes in your network and other potential security problems in your systems, so you can prevent breaches before they happen. The time spent on a security analysis is a small fraction of the time, stress and money you would spend dealing with a breach. An analysis also makes sure you are ready for a HIPAA audit, so you don't have to worry about failing it and going back to fix problems found during the audit. Again, taking care of potential problems upfront is much better than dealing with them after the fact.

HIPAA compliance software is easy to use and an all-encompassing tool. The right compliance software greatly shortens the process of becoming HIPAA compliant, from days or weeks to a few hours or at most a day. When you spend less time dealing with security issues and confirming that your organization is HIPAA compliant, you can focus on your patients, your employees and the other important areas of your organization that need your attention.

You might see only giant dollar signs and a mess of wordy, constantly changing rules when you think about becoming HIPAA compliant. What you should see is that the upfront investment of money, resources and time to become HIPAA compliant is the better choice. HIPAA compliance saves a great deal of money and time compared with the cost of recovering from HIPAA violations.

HIPAA Security and Audit Survival Guide

Image source: Purple Slog

In 2012, the Department of Health and Human Services Office for Civil Rights (OCR) conducted on-site pilot audits in the first round of its HIPAA compliance audit program. A consulting firm hired by OCR performed 115 pilot audits that year. Starting at the end of 2014 or the beginning of 2015, OCR is resuming the program with a second round of audits, performed by OCR staff this time, that will address some of the security red flags OCR found in 2012 (Slide 2).

What You’ll Be Audited On

This time around, OCR's random audit of 350 covered entities and 50 business associates will assess the selected organizations' compliance with the HIPAA privacy, security and breach notification rules. If you're a covered entity, OCR's focus will be on risk analysis and risk management (the security rule part), the content and timeliness of breach notifications (the breach notification rule part), and your notice of privacy practices, as updated for the HIPAA Omnibus Rule changes, together with individuals' access rights (the privacy rule part). If you're a business associate, the focus is on security risk analysis and risk management and on breach reporting to your covered entities.

A desk audit involves you submitting certain content and documentation demonstrating the scope and timeliness of your efforts to comply with HIPAA and its rules. Only send the information asked for and send it on time! Auditors won’t ask you for clarifications or for more information. They’re only going to work with what they have and make their compliance decision off that. If you don’t respond with a submission, you’ll most likely receive a more formal review from the OCR.

When resources are available, OCR will conduct more comprehensive on-site audits (Slide 6), more focused on privacy, in 2015 and likely into part of 2016.

How You’ll Be Notified

OCR is sending close to 1,000 address verification letters (Slide 3), and from that list it will send a formal audit notification letter to the selected entities. You won't be notified by email, so don't be tricked by scammers who send such messages. If you're a business associate, OCR will select you from the business associates identified by the audited covered entities.

How To Ensure You’re Prepared

Your organization's focus should be protecting the privacy and security of PHI and reducing the probability of a breach. Passing an OCR audit should be the result of an effective compliance culture, not a goal in itself. Here are things you can do to ensure you're prepared for HIPAA compliance and, in turn, ready for an audit:

  • Document your security, privacy and breach policies and review and update those policies periodically.
  • Regularly perform a security risk analysis to find any vulnerable areas and create an action plan to fix these possible vulnerable areas.
  • Update your risk analysis and risk management plans if they haven’t been updated in 2+ years.
  • Keep an organized archive of the business associates affiliated with your organization. Update your agreements with them when changes are made.
  • Train your staff so they understand the importance of maintaining a culture of HIPAA compliance and know the required steps to take to protect the PHI your organization handles.

Why is OCR cracking down with its audits? According to David Holtzman, a former senior advisor at OCR, "the healthcare industry is a generation behind banking in safeguarding information." In 2013, the healthcare industry saw a 138% increase in the exposure of sensitive records, as well as a 20% increase in medical identity theft (Slide 8).

No one looks forward to an audit. Audits are time-consuming and can be uncomfortable to endure. But no one wants to experience a security breach either, and the effects of a breach are much worse to endure than an audit. If you’re already HIPAA compliant, then you’re already prepared to survive an OCR audit.

Become HIPAA Compliant In A Flash!

With government rules constantly changing in regards to HIPAA compliance, making sure your office is HIPAA compliant can seem like the most complicated, time-consuming task. But you know it’s a task you must complete so your office avoids the severe penalties resulting from a privacy or security breach.

Becoming HIPAA compliant doesn’t have to be a stressful situation though. With the right tools and resources, you can become HIPAA compliant in no time, making it an easier, less strenuous process for you.

Note on starting a real compliance effort: the first year of any compliance program will be an investment. Take comfort in knowing the investment is heaviest in the first year, with a diminishing and stable investment over time. The following graph illustrates this concept:

Security and Compliance Investment

Use these tools and become HIPAA compliant in a flash!

HIPAA One® Compliance Software

HIPAA One is one of the most affordable, easy-to-use HIPAA compliance software solutions out on the market. It was designed to be simple, automated and the most comprehensive software in the healthcare industry.

Using HIPAA One’s web-based platform, you can perform a security risk analysis and a compliance gap assessment on your own, or you can opt for an upgrade to receive onsite help from their qualified professionals. This compliance software allows you to quickly find any vulnerabilities or gaps in compliance and formulate action plans to rectify them, saving you time and resources so your time can be better spent serving your patients.

In a nutshell, here’s why HIPAA One is a valuable compliance tool:

  • Affordable
  • Easy to understand and use
  • Saves time
  • Automates reporting and documentation
  • Allows you to track your compliance process
  • Ensures proper documentation for audits
  • Protects ePHI
  • Provides HIPAA security and compliance checklists
  • Covers the security risk analysis required for Meaningful Use Stage 1 and 2

Security Risk Assessment Tool

The SRA Tool was developed by the ONC, in collaboration with the OCR and OGC, to help health providers and professionals perform a risk assessment of their office. You can download and run it on various devices, or use a paper-based version if you prefer.

Once downloaded, the SRA Tool takes you through each HIPAA Security Rule requirement and presents yes-or-no questions about your office's activities. Using the tool isn't required, and completing it doesn't guarantee HIPAA compliance. Its purpose is to be an informational aid that helps you assess where your office stands.

Here are some more benefits of the SRA Tool:

  • Includes resources with each question
  • Lets you document your answers, comments and risk correction plans into the tool
  • Your data doesn’t leave the tool
  • Allows you to pause and see your results during any part of the risk assessment

AIS Health Website

Atlantic Information Services, Inc. is a publishing and information company that develops news, data, strategic information and products for those in the healthcare industry. Their products include websites, webinars, newsletters, books, looseleaf services, databases, directories and strategic reports.

On the AIS Health website, there is a very handy, informative compliance tab. This section is a great go-to resource that provides useful tools, verified tactics and timely news for those wanting to better understand all they need to know about becoming HIPAA compliant.

Here’s why you should bookmark the AIS Health website:

  • One-stop educational compliance resource
  • MarketPlace tab lists their products by type and subject matter
  • Keeps you up to date on healthcare and compliance news
  • Brings insightful healthcare industry managers and advisers right into your office through their webinars 

Non-compliance is not an option. To protect yourself and your office from costly consequences, use these tools and resources to quickly and efficiently become HIPAA compliant.

Please contact us at info@hipaaone.com, or via phone at 801-770-1199 should you have any questions or comments.

5 Most Common HIPAA Privacy Violations

The HIPAA Privacy Rule was put in place to give individuals the right to access and amend their protected health information, to limit disclosures to appropriate ones and to help reduce fraud, waste and abuse. If your facility and its network aren't HIPAA compliant, the cost can be significantly higher than the cost of taking action. Civil penalties can run to millions of dollars, HITECH requires breaches affecting 500 or more individuals to be reported to HHS, and knowingly obtaining or disclosing PHI in violation of HIPAA is a criminal offense that can carry prison time.

Image Source: Yuri Samoilov

That’s one risk you just can’t afford to take.

Take a look at these 5 most common HIPAA privacy violations and learn what preventive measures you can take to avoid these violations and their severe penalties.

1. Losing Devices

The biggest problem today is devices with stored patient health information, i.e. desktop computers, laptops, tablets and smartphones, being stolen or lost. This includes work devices and your own personal devices if you use them to access this information. Mobile devices are the most vulnerable to theft and misplacement because of their smaller size and portability.

Solution: Keep a watchful eye on your devices and lock them up when you're not around. Encrypt the data on these devices, and prefer a cloud-hosted solution for remote access so that ePHI is not stored locally at all. Encryption won't reduce the cost of replacing the device or the time to rebuild the user's system, but the loss of a device whose ePHI is encrypted in line with HHS guidance is not a reportable breach, so it removes the need to notify HHS, the affected individuals and, for 500 or more individuals, the media.

2. Getting Hacked

Several healthcare networks have had servers hacked over the last few years. These servers hold PHI for hundreds to millions of patients, so when skilled hackers, who are only getting better at what they do, get their hands on them, they leak the information or sell it to the highest bidder. That information includes Social Security numbers, birth dates, addresses and insurance information.

Solution: Take the necessary security measures to safeguard PHI: encrypt it, keep Internet-facing systems patched, and use deep-packet-inspection firewalls that can block phishing and other malware traffic.

3. Employees Dishonestly Accessing Files

Unfortunately, you can't trust everyone. An all-too-common HIPAA violation is employees accessing files they aren't supposed to. They do it out of curiosity, out of spite, or because a friend or relative asked them to. Whatever the excuse, it's wrong, but it continues to happen.

The problem is amplified when accounts are shared between physicians and their staff. Staff may use the physician's system account assuming they won't be held accountable for what they do with it (see the Huffington Post article on the Kim Kardashian chart-snooping fallout).

Solution: Adopt policies and procedures, reinforced by annual HIPAA security training, that require a unique user ID for every person (the required implementation specification at 45 CFR 164.312(a)(2)(i)). Enforce passwords or passcodes, assign clearance levels so that staff can open only the records their role requires, and review the access logs so that curiosity lookups and shared logins are caught rather than assumed away.
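The two access-log checks that back up the solution above, as an added example rather than code from the original post or from HIPAA One: the log line format, the user and workstation names, the patient MRNs and the CARE_TEAM table are all constructed for illustration, and a real EMR exports its access log in its own format, so only the regular expression should need to change.

```python
"""Audit-log review for shared logins and chart lookups with no care relationship.

Added example; this is not code from the original post or from HIPAA One.
The log line format, the user and workstation names, the patient MRNs and the
CARE_TEAM table are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line per chart access (constructed format): timestamp, login, workstation,
# action and the patient's medical record number.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ws=(?P<ws>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

# Constructed sample export. It contains the two patterns the text describes:
# a physician's login in use at two workstations within minutes, and a staff
# member opening a chart that is not on their patient list.
SAMPLE_LOG = """\
2014-07-04T09:02:11 user=drsmith ws=WS-EXAM1 action=view patient=MRN1001
2014-07-04T09:04:40 user=drsmith ws=WS-FRONT2 action=view patient=MRN1002
2014-07-04T09:05:02 user=drsmith ws=WS-EXAM1 action=update patient=MRN1001
2014-07-04T09:30:15 user=mjones ws=WS-FRONT2 action=view patient=MRN1003
2014-07-04T11:45:00 user=mjones ws=WS-FRONT2 action=view patient=MRN2077
2014-07-04T14:10:09 user=drsmith ws=WS-EXAM3 action=view patient=MRN1005
"""

# Constructed: the patients each login has a treatment, payment or operations
# reason to open on this day (in practice built from the schedule or assignments).
CARE_TEAM = {
    "drsmith": {"MRN1001", "MRN1002", "MRN1005"},
    "mjones": {"MRN1003"},
}


def parse_log(text):
    """Parse the export into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def shared_account_findings(events, window_minutes=10):
    """Logins active on two different workstations within window_minutes of each other.

    One person cannot sit at two terminals at once, so this is the usual
    signature of a physician's account being used by staff. Returns sorted
    (user, workstation_a, workstation_b) tuples, one per user/workstation pair.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    findings = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # events are sorted, so nothing after this is closer
                if later["ws"] != first["ws"]:
                    findings.add((user,) + tuple(sorted((first["ws"], later["ws"]))))
    return sorted(findings)


def unexpected_access_findings(events, care_team):
    """Chart accesses by a login with no listed relationship to the patient.

    These are the candidates for the follow-up questions the text describes
    (curiosity, a friend's request, spite); the human review, not this script,
    decides whether an access was legitimate.
    """
    return sorted({(ev["user"], ev["patient"]) for ev in events
                   if ev["patient"] not in care_team.get(ev["user"], set())})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, ws_a, ws_b in shared_account_findings(events):
        print(f"shared login? {user} active on {ws_a} and {ws_b} within 10 minutes")
    for user, patient in unexpected_access_findings(events, CARE_TEAM):
        print(f"no care relationship: {user} opened {patient}")
```

Run against the constructed sample it reports drsmith's login active on WS-EXAM1 and WS-FRONT2 within minutes, and mjones opening MRN2077 with no listed relationship. The window and the care-team source are the tuning points: a physician who legitimately moves between exam rooms will show up with a short window, so the output is a worklist for the privacy officer, not a verdict.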

4. Improper Filing and Disposing of Documents

When using a paper filing system, it’s highly likely there will be some human error resulting in an employee incorrectly filing a patient’s record or accidentally getting rid of a document without first shredding it. Sometimes people just have a bad day or get distracted. Mistakes happen, but they happen more so with this system.

Solution: Establish policies and procedures so that any PHI or PII on paper is locked away at night or placed in secured disposal bins before shredding. Switch to an electronic filing system, or make sure everyone double- and triple-checks that documents are filed and disposed of correctly.

5. Releasing Patient Information After the Authorization Period Expires

There are expiration dates on HIPAA authorization forms. Too many times someone hasn’t paid close enough attention to that date when a request for a release of information comes through and ended up sending out that information even though they shouldn’t have. If a request comes in and it’s past the expiration date, you must complete a new HIPAA authorization form.

Solution: Verify the expiration dates for HIPAA authorizations before releasing any information. Complete a new form if needed. See HIPAA Reference: §164.508(a)(1)-(3), §164.508(b)(6), §164.508(c)(1), §164.508(c)(2), §164.530(j)

Another preventive method is performing a HIPAA self-assessment. A self-assessment shows any high-risk vulnerabilities or gaps in compliance your facility and network have, so you then can create an action plan to remediate those issues.

So now you know the most common HIPAA privacy violations, and you know how to prevent them so you steer clear of hefty penalties, keep your facility and network HIPAA compliant and protect patient information.

For more information about HIPAA Privacy compliance and risk assessment, please contact info@hipaaone.com or by phone at 801-770-1199.

Think PCI Can Replace HIPAA? 6 Points That Will Change Your Mind

Outline:

  1. Health records are to be secured, exchanged and portable, while credit card numbers are to be secured.
  2. Covered entities and their business associates (receiving any government reimbursements for healthcare treatment, payment or operations) are required to comply with HIPAA.
  3. Unlike finite PCI requirements, HIPAA encompasses security, privacy and rights, safety, quality improvement and eliminating fraud, waste and abuse.
  4. HIPAA security compliance may include risk analysis, remediation progress and periodic vulnerability scans.
  5. Meaningful Use helps address the most serious health care threats to electronic personal health information: theft, unauthorized access and loss.
  6. A health record with basic health insurance information is worth 10-20 times more than a U.S. credit card with a CVV code.

Steven Marco (smarco@moderncompliance.com) is the founder & CEO of Modern Compliance Solutions & HIPAA One® in Lindon, UT.

This is one of the questions that comes to mind when reading about recent breaches at businesses that are PCI compliant and at HIPAA covered entities. According to the Identity Theft Resource Center data breach report for 2013, approximately 47,260,237 records were exposed in the business category and 4,659,965 in the medical/healthcare category. Assuming the business category processes credit cards and the medical/healthcare category maintains protected health information, we have a case of PCI-compliant firms vs. organizations addressing HIPAA security compliance.

[Chart: 2013 data breach records exposed, by category]

1. Health records are to be secured, exchanged and portable while credit card numbers are to be secured.

Healthcare covered entities (CEs) and their business associates (BAs) handle protected health information (PHI) as part of an initiative to have a portable, secured and available electronic health record (EHR). PHI must be protected from unauthorized disclosure, yet be available on demand to the individual, shared appropriately (in some cases without the individual's authorization, such as for treatment, payment and healthcare operations) and restricted at the individual's request.

If hospitals and clinics adopt electronic PHI and shred their paper records, vast amounts of uniquely identifiable health records accumulate. According to the HIPAA One® security risk analysis database, even small clinics can acquire more than 10,000 patient records within 3 years.

The focus of the electronic health record revolution has traditionally been changing healthcare workflows to use computers instead of paper charts. Now information is freely exchanged between clinics, health plans, clearinghouses and health information exchanges, and security has not been a focus. The top threat facing healthcare is loss and theft of ePHI, which is the No. 1 cause of breaches affecting 500 or more individuals (according to OCR's breach data reports as of July 2014).

Much like the example above referencing the number of patient records, aggregated data stemming from PHI can be used for valuable research improving health and raising ePHI security awareness.

Business and commerce (the exchange of goods and services for monetary remuneration) adopted technology earlier and therefore hold more personally identifiable information (PII). Credit cards are globally adopted as a quick way to receive money electronically. As more merchants (businesses that accept credit cards) adopt e-commerce websites and connect their payment-processing systems (processors) to the Internet, and as consumers grow comfortable with online purchasing, fraudsters are capitalizing on poorly protected systems to steal payment data, making payment card fraud more prevalent than ever before.

Unlike aggregated, de-identified PHI data, the approach to secure credit card numbers is to limit storage of credit card elements and make this information unavailable except in the event of a payment transaction.


Source: Payment Card Industry (PCI) Data Security Standard, November 2013

2. Covered entities and their business associates (receiving any government reimbursements for healthcare treatment, payment or operations) are required to comply with HIPAA.

Covered entities (hospitals, clinics, doctors, health plans and healthcare clearinghouses that use ePHI) and, since September 23, 2013, business associates (vendors providing services to covered entities that access, even incidentally, store, modify or transmit ePHI) fall under the enforcement jurisdiction of Health and Human Services.

In summary, virtually any provider that bills electronically, including anyone receiving reimbursements from the Centers for Medicare and Medicaid Services, is a covered entity, and any vendor that handles PHI on behalf of a covered entity is a business associate. Accountants, legal counsel and consultants are examples of groups that may encounter PHI while working with covered entities and so fall into the business associate category.

To help define who is covered under HIPAA, guidance from CMS provides charts to help define most scenarios and to determine qualification, per the below image:


Source: CMS Covered Entity Charts

Fines under HIPAA typically arise in two ways: the Office for Civil Rights (OCR, the HHS office that enforces HIPAA) investigates self-reported breaches, or it finds violations while following up a patient complaint filed on the HHS website. Under the HITECH Act, OCR may use the proceeds of civil money penalties (CMPs) to fund further enforcement. OCR fines and settlements start around $50,000 and can reach the $1.5 million annual cap per violated provision where willful neglect is found. Reduced penalties are possible for corrective action taken during the investigation, and all resolution agreements are public records.

Organizations that process credit cards, even a single transaction per year, must become compliant with the PCI Data Security Standard. Covered entities that process credit cards also become merchants under Payment Card Industry and must comply with the Data Security Standard, or PCI DSS.

Merchants are required, at a minimum, to provide an annual attestation of PCI compliance through their processor. Failure to pass all the requirements results in monthly fines proportional to the volume of card transactions processed annually. They start at about $50 per month for small companies, and we have seen non-compliance fines upwards of $3,000 per month for larger covered entities providing healthcare services.

PCI enforcement audits are typically triggered by self-reported breaches. Fines stemming from breach investigations are not typically applied to merchants but are applied for other non-compliance factors. See the PCI Standard website for a more detailed guide.

3. Unlike finite PCI requirements, HIPAA encompasses security, privacy and rights, safety, quality improvement and eliminating fraud, waste and abuse.

The PCI Security Standards Council has released an updated standard, called v. 3.0, to the PCI DSS requirements, which emphasizes the need for in-house vulnerability assessments, adds flexibility to password requirements and highlights the growing importance of provider compliance, as well as many other notable changes.

PCI was pioneered in the late 1990s, as Visa became the first credit card company to develop security standards for merchants conducting online transactions. The need stemmed from vast amounts of credit card fraud, which would need to be paid for by the credit card companies.

According to SearchSecurity, Visa and MasterCard reported credit card fraud losses totaling $750 million between 1988 and 1998.

Per the PCI website, “The major credit card issuers created PCI (Payment Card Industry) compliance standards to ensure that all companies that process, store or transmit credit card information maintain a secure environment. This set of requirements is called the Payment Card Industry Data Security Standard (PCI DSS). All merchants (any entity that accepts payment cards from American Express, Discover, JCB, MasterCard or Visa as payment for goods and/or services) must comply with these standards. Failure to meet compliance standards can result in fines from credit card companies and banks and even the loss of the ability to process credit cards. The payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

The Payment Card Industry Security Standards Council (PCI SSC) manages the PCI security standards.”

HIPAA was enacted for the following reasons:

  1. Growing numbers of uninsured
  2. Lack of rights for patients to obtain, review, amend and correct (if needed) their own health information (imagine an STD mistakenly entered in your medical history by someone else's error)
  3. The rise of the Internet threatened privacy and confidentiality
  4. Medical information could be used against individuals for non-medical reasons
  5. Healthcare dollars lost to fraud and waste
  6. Genetic information becoming available
  7. Differing standards for medical record formats and PHI

It is also important to note that HIPAA has evolved and developed in many waves over the past 18 years to address the above concerns and is still very much a work in progress.

In terms of our ePHI data, 45 CFR 164.514(b)(2) of the HIPAA Privacy Rule lists 18 identifiers of an individual (or of the individual's relatives, employers or household members) that make health information identifiable. Wherever they are stored or shared they must be secured, and every one of them must be removed before data can be treated as de-identified under the safe-harbor method. They are:

(i) The following identifiers of the individual or of relatives, employers, or household members of the individual:

(A) Names;

(B) All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

(G) Social security numbers;

(H) Medical record numbers;

(I) Health plan beneficiary numbers;

(J) Account numbers;

(K) Certificate/license numbers;

(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;

(N) Web Universal Resource Locators (URLs);

(O) Internet Protocol (IP) address numbers;

(P) Biometric identifiers, including finger and voice prints;

(Q) Full face photographic images and any comparable images; and

(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section
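How the list above is applied in practice, as an added example that is not code from the original post or from HIPAA One: the rules with real bite are (B) and (C), because they are transformations rather than deletions. The field names, the sample records and the SMALL_ZIP3 table are constructed for illustration; a real implementation must load the current Census Bureau population data for the three-digit ZIP rule, and free-text fields still need a separate review for identifiers that structured rules cannot see.

```python
"""Safe-harbor de-identification of structured record fields (45 CFR 164.514(b)(2)).

Added example; this is not code from the original post or from HIPAA One.
The field names, the sample records and the SMALL_ZIP3 table are constructed
for illustration; real use needs current Census data for the ZIP rule.
"""
import re
from datetime import date

# Constructed field names that carry the direct identifiers of (A) and (D)-(Q),
# plus the sub-state geography of (B). Safe harbor removes them outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}

# Constructed stand-in for Census data: three-digit ZIP areas holding 20,000
# or fewer people, whose prefix must become "000" under (B).
SMALL_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "823", "879"}


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string (as found in CSV/JSON exports)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def safe_harbor_zip(zip_code):
    """Keep only the three-digit prefix, blanked to "000" for small areas."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None  # nothing usable; drop rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3


def age_on(birth_date, as_of):
    """Age in whole years on as_of (one less if the birthday has not come yet)."""
    birth_date, as_of = _as_date(birth_date), _as_date(as_of)
    before_birthday = (as_of.month, as_of.day) < (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - int(before_birthday)


def deidentify(record, as_of):
    """Return a new dict holding only what the safe-harbor method permits.

    Rules applied, keyed to 164.514(b)(2)(i):
      (A), (D)-(Q)  direct identifiers are dropped;
      (B)           ZIP reduced to three digits or "000"; street, city and
                    county dropped; the state itself may stay;
      (C)           any field named *_date keeps only its year; an age over 89
                    becomes "90+" and the birth year is dropped, since the year
                    alone would reveal that age.
    Other fields (diagnosis codes, free text) pass through and remain the
    reviewer's problem under (R): any other unique identifying number,
    characteristic or code.
    """
    out = {}
    age = age_on(record["birth_date"], as_of) if "birth_date" in record else None
    over_89 = age is not None and age > 89
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key.endswith("_date"):
            if key == "birth_date" and over_89:
                continue
            out[key[:-5] + "_year"] = _as_date(value).year
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if over_89 else age
    return out


if __name__ == "__main__":
    # Constructed sample record.
    sample = {"name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.com",
              "birth_date": "1931-03-15", "admission_date": "2014-07-04",
              "zip": "84042", "city": "Lindon", "state": "UT", "diagnosis": "J18.9"}
    print(deidentify(sample, "2014-07-04"))
```

Note what the function deliberately does not do: it never inspects values for patterns, so a phone number typed into a notes field survives. That is why safe harbor ends with the catch-all (R) and why de-identification of records with free text is a review task, not a script.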

4. HIPAA security compliance may include risk analysis, remediation progress and periodic vulnerability scans.

We don’t want to jump in too deep in this area, as compliance and security are subjective topics that need to stay relevant to the size and complexity of each organization.

HIPAA Compliance

For compliance, follow the Office for Civil Rights (OCR), which is responsible for issuing periodic guidance on the provisions of the HIPAA Security Rule (45 C.F.R. §§ 164.302–318). For security, follow the National Institute of Standards and Technology (NIST) Special Publications; the methodology OCR suggests in its guidance materials is NIST SP 800-30.

Checklists with a workflow attached to each item are available as spreadsheets, as the ONC/OCR SRA Tool and, for more advanced collaboration, as web-based solutions.

Based on our observations of the OCR, we have found, in summary, they look for the following in their audits:

  1. (Easy*) Completion of these checklists covering the 78 HIPAA Security Rule citations, following the nine steps for conducting a risk analysis identified in NIST SP 800-30.
  2. (Difficult*) Ongoing updates to the risk analysis conclusions (what risks were found, who will do what, and by when) and to the risk results (tracking what has actually been done since the analysis was performed).

*It is easier to identify gaps in HIPAA compliance and risk items for the organization. It is more difficult to act on the gaps and risks found, because that takes resources, changes in process and stronger administrative, technical and physical safeguards.

HIPAA Security

Like any other security assessment (gaps identified against industry guidance) and risk analysis (calculating the risk to the organization from each gap), security encompasses authorization (who is granted access to what data, and reducing unauthorized access), integrity (data that is complete and has not been altered or destroyed in an unauthorized manner) and availability (the ability to restore damaged or lost ePHI and to continue operations during emergency scenarios).

To address known Common Vulnerabilities and Exposures (CVE), we recommend that every security risk analysis include, as a base requirement under 164.308(a)(1)(ii)(A), an automated vulnerability scan run from the Internet against all of the organization's Internet-accessible systems.

The next level of this type of effort is internal vulnerability scanning, which is like the external scan but run against all internal computers, servers and systems. We find most environments are like M&M candies: hard on the outside, soft on the inside. Further steps in this effort include:

  a) ePHI discovery and mapping (which databases hold it, for what purpose, and who is responsible)
  b) Firewall configuration review (ensure only the minimum ports are open; consider whether IPS/IDS is appropriate to detect malicious software on breached systems communicating out to the Internet)
  c) Penetration testing of all Internet-facing applications (especially software developed in-house)
  d) Ethical hacking (such as testing various ways to gain administrative access to systems and firewalls)
  e) Ongoing remediation consulting (an external firm reminding assignees of tasks and deadlines and keeping the results documentation current for a potential audit response)

5. Meaningful Use helps address the most serious healthcare threats to electronic personal health information: theft, unauthorized access and loss.

The healthcare industry stores patient information for the treatment, payment and healthcare operations of medicine. This industry has historically been slow to adopt technology and computer systems. As such, the migration of our protected health information (PHI) from paper to electronic (ePHI) has been largely fueled by the Meaningful Use (MU) incentive program. To qualify for these MU funds, covered entities must adopt a certified electronic health record technology (CEHRT), or as the industry calls it, an “EMR program”, and use it in a meaningful way (e.g. complete demographics, allergy and prescription drug checks, make patient visits available to the patients, etc.).

Stage 1 of Meaningful Use was extended in December 2014, and stage 2 is being adopted for continued incentive payments. Part of the increased security measures for stage 2 includes the following CEHRT/EMR software features: additional audit logging capabilities (to combat unauthorized access), mandatory encryption/no temporary files being written that may contain ePHI and patient amendment tracking.

6. A health record with basic health insurance information is worth 10-20 times more than a U.S. credit card with a CVV code.

Dell SecureWorks recently uncovered numerous underground marketplaces where hackers are selling information packages that include bank account numbers and logins, social security numbers, health information and other PII. In the underground world, these electronic packages put together for identity theft and fraud are referred to as “fullz”. When “fullz” are sold along with counterfeit or custom manufactured physical documents relating to identity data, the packages are called “kitz”.

Below are the average fees for these packages:

“Kitz” — $1,200 – $1,300, which includes PII and faked papers

“Fullz” — $500, which includes the PII without the forged documents

Sold separately were health insurance credentials and U.S. credit cards with CVV codes.

Health insurance credentials cost $20 each, while credit cards were only $1 – $2 each. This tells us that buyers will pay about 10-20 times more for your health insurance information than for your credit card information. Your health information is therefore far more valuable than your card data, and it is extremely important that it is kept safe from hackers.

So what is the motivation of enforcing PCI and HIPAA? In the case of PCI – it is clearly the credit card companies suffering financial loss from fraud. In the case of HIPAA – the motivation is to ensure our rights to protect and have our health information secured, reduce waste and hold covered entities, as well as their business associates, accountable for providing basic security, privacy and breach notification requirements.

At the end of the day, after conducting thousands of risk analyses and security projects, a new question emerges from this discussion: "If security and compliance are too difficult for organizations, then why does it seem so easy for hackers to get into their systems?"