Think your clients’ patient data is protected? Think again. As required by the HITECH Act, the Secretary of Health and Human Services must post a list of data breaches that comprise unsecured protected health information (PHI) affecting 500 or more individuals. Currently, the department’s “wall of shame” includes 1,000 data breaches, with at least 34 occurring in the month of June alone. Implementing a HIPAA compliant hosting solution helps companies avoid potential data breaches and maintain HIPAA compliance.
Since 2009, the records of 31.7 million people have been exposed. As a result, the Office of Civil Rights (OCR) for the U.S. Department of Health and Human Services has levied severe fines against healthcare organizations who have failed to meet HIPAA compliance requirements. One high profile case involved New York-Presbyterian Hospital and Columbia University while another implicated Concentra, a subsidiary of Humana.
- New York-Presbyterian Hospital and Columbia University were fined a total of $4.8 million for a suspected breach of electronic protected health information (ePHI) impacting 6,800 individuals. The breached information included patient statuses, vital signs, medications, and laboratory results – and 10 Social Security numbers.
- Concentra Health Services agreed to pay $1,725,220 after an unencrypted laptop was stolen from one of its facilities. Although Concentra had conducted “multiple risk analyses” citing the lack of encryption on its computers and other devices, it had not finished installing encryption, leaving patient information vulnerable throughout the organization. This failure to have technical safeguards in place resulted in potential HIPAA compliance violations.
HIPAA Compliance and Unencrypted Devices
According to a recent data breach report, 46% of data breaches stem from physical theft or loss of unencrypted devices – with healthcare being the biggest offender. The surge in HIPAA compliance violations stemming from lack of security measures prompted Sue McAndrew, OCR’s deputy director of health information privacy, to issue the following statement:
“Covered entities and businesses must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.”
Safeguarding the confidentiality and integrity of patient information is an essential element of HIPAA compliance. However it requires significant financial and resource investments to build the infrastructure, process and controls to meet those requirements. And in many cases, organizations unknowingly let some HIPAA compliance regulations slip through the cracks. So how can organizations determine if they are at risk for non-compliance?
HOSTING Compliance Risk Assessment™
HOSTING has formed a unique partnership with healthcare industry leader Redspin to offer the HOSTING Compliance Risk Assessment™ for HIPAA Compliance. The assessment is conducted per the HIPAA Security Rule 45 CFR 164.308(a)(1) and 45 CFR 164.308(a)(8), and meets HIPAA / HITECH compliance requirements for eligible healthcare providers also known as covered entities (CEs). Our proven, methodical approach removes any compliance risk associated with managing protected health information (PHI) in the cloud for HIPAA CEs. Our proprietary risk assessment includes:
- Gap Analysis: The analysis of your current administrative, technical and security safeguards to those required by HIPAA security rules.
- Policies & Procedures: The comparison of your internal policies and procedures to actual security and privacy controls in your current hosting environment.
- Identify & Report: The assessment of security and privacy gaps that could lead to the vulnerability of your PHI and network operations.
- Business Goals: The alignment of our findings and an organization’s business goals, culture and IT resources to ensure that we build a cloud solution that will advance business, support future growth and assure compliance for HIPAA.
- Roadmap to the Cloud: The delivery of a customized plan that optimizes current infrastructure to vastly improve your network security while achieving HIPAA compliance.
HIPAA Compliance Solutions by Industry Experts
The HOSTING compliance team is led by our in-house, dedicated Chief Information Security Officer who guides and advises our clients in regulatory compliance measures as they pertain to cloud hosting environments. Our compliance experts provide a hybrid cloud solution for EMR/EHR, medical imaging, health info exchanges, e-prescribe, billing, workflow improvements, analytics and next generation sequencing to meet an organization’s specific needs for HIPAA OCR Audits, PCI DSS, and SOX.
As a business associate, HOSTING will sign a business associate agreement (BAA) with any of our covered entity (CE) customers in the healthcare industry. Many cloud hosting providers will not, and many are likely not even aware of the legal obligation under certain circumstances to sign a BAA. Our BAAs also very closely track the provisions published by the U.S. Department of Health & Human Services (HHS).
Let HOSTING help you assess your compliance risk and avoid occupying a spot on the wall of shame. Contact us, or view our on-demand webinar, “Assessing Your Hosting Environment for HIPAA Compliance”, for more information.