Cybersecurity and HIPAA Compliance
The pandemic has undeniably pummelled the world in ways no one ever imagined. One group, however, turned this tragedy into a golden opportunity: cyber criminals. Like many other sectors, healthcare was not spared. Compared with 2019, reported healthcare data breaches rose 55% in 2020, and the average cost per breach rose 10%. For this reason, it is imperative for organizations in the healthcare industry to be compliant with the Health Insurance Portability and Accountability Act (HIPAA).
What is HIPAA?
HIPAA was enacted by Congress in 1996, and the Department of Health and Human Services (HHS) issues and enforces the rules that implement it. The Privacy Rule governs the lawful use and disclosure of protected health information (PHI); the Security Rule requires administrative, physical, and technical safeguards for PHI that is electronically accessed, stored, or transmitted (ePHI). HIPAA ensures that sensitive patient data, like names, addresses, contact details, social security numbers, financial information, health histories, etc., is handled with proper security and stays protected.
Since its inception 25 years ago, HIPAA has undergone many amendments as technologies advance and the severity of data breaches increases. If your organization is a covered entity (a health plan, health care clearinghouse, or health care provider that transmits health information electronically) or a business associate that handles PHI on a covered entity's behalf, you should adhere to the following standards to be HIPAA compliant:
- Conduct risk assessments at least annually to identify administrative, technical, and physical gaps against HIPAA compliance standards
- Implement a remediation plan to tackle any gaps identified
- Execute policies and procedures as per HIPAA guidelines
- Conduct annual staff training on HIPAA policies and procedures
- Maintain proper records/documents
- Execute business associate agreements (BAAs) with third-party vendors that create, receive, maintain, or transmit PHI on your behalf, to ensure PHI is handled securely
- Report a breach of unsecured PHI in accordance with the HIPAA Breach Notification Rule (notice to affected individuals and to HHS, and to the media for large breaches, without unreasonable delay and no later than 60 days after discovery)
Penalties for non-compliance
The civil penalties for HIPAA non-compliance range from $100 to $50,000 per violation depending on the level of culpability, with an annual cap of $1.5 million for violations of an identical provision (amounts are adjusted for inflation). In 2017, Presence Health settled with HHS for $475,000 for failing to properly follow the Breach Notification Rule. Apart from this, there are criminal penalties for an individual who knowingly violates HIPAA: up to one year in prison, up to five years if the offense is committed under false pretenses, and up to ten years if it is committed with intent to sell PHI or for commercial advantage, personal gain, or malicious harm.
Annual risk assessment
HIPAA regulations are complex, and a PHI breach can have damaging consequences. One of the best practices to ensure that you are on the right side of HIPAA is to conduct an annual risk assessment. An assessment will help your company remain compliant while reducing the chances of a catastrophic data breach. The assessment should cover administrative, physical, and technical safeguards; encryption of PHI in transit (for example, email) and at rest; every system, device, and application that stores or processes PHI; and the proper disposal of data and media. There is no 'one-size-fits-all' risk analysis methodology, as each organization needs to tailor the approach to its size, complexity, and capabilities.
Contact Citrin Cooperman to discuss how our experienced team can help your business expedite the process of achieving and sustaining HIPAA compliance.