Five Steps to HITECH Preparedness
CSOs in healthcare organizations know that the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in February 2009, includes new privacy requirements that experts have called "the biggest change to the health care privacy and security environment since the original HIPAA privacy rule." These include:
* New requirements that widen the definition of what Personal Health Information (PHI) information must be protected and extend accountability from healthcare providers to their business associates;
* Lower thresholds, shorter timelines, and stronger methods for data breach victim notification;
* Effective immediately, increased and sometimes mandatory penalties with fines ranging from $25,000 to as much as $1.5 million;
* More aggressive enforcement including authority to pursue criminal cases against HIPAA-covered entities or their business associates.
No doubt, the HITECH Act raises the stakes for a data breach. But regulations aside, data breaches can hurt your organization's credibility and can carry huge medical and financial risks to the people whose data is lost. We've managed hundreds of data breaches and helped thousands of identity theft victims. Through this we've learned firsthand that compliance doesn't necessarily equal low risk for data breach. For the well being of the business and patients, healthcare organizations and their partners need to take the most comprehensive approach to securing PHI.
HITECH Compliance Beyond Prevention, Security Beyond IT
Organizations often think first of IT security measures to protect personal data, but we have found through working with healthcare organizations that most data breaches are linked to human error or process failure, rather than technology--a desktop computer with PHI was stolen, a data backup tape lost in transit, a web update wasn't thoroughly tested and left access open.
In fact, a recent study by PriceWaterhouseCoopers, CSO Magazine and CIO Magazine (The 2008 Global State of Information Security Study) found that only 5% of data breaches are caused by malicious cyber-attacks.
These incidents didn't result from lack of HIPAA compliance but rather from mistakenly thinking that compliance measures that had been taken were sufficient to prevent a data breach incident.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
privacy
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
