Cybersecurity is extremely important for the health care industry because cybercriminals have realized that the health care industry is an easy target with a big payoff. Hundreds of millions of patient records have already been breached and continue to be breached, ransomware has paralyzed many health care organizations, and business email compromise attacks continue to victimize small and mid-size medical practices, hospitals, and the organizations that support them.
A business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
When a covered entity uses a contractor or other non-workforce member to perform “business associate” services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement (in certain circumstances, governmental entities may use alternative means to achieve the same protections).
The Office for Civil Rights (OCR) is the government body that issues monetary fines and corrective action plans for HIPAA violations. Below are common HIPAA violations and examples of recent cases:
If you are a doctor or a business associate, you are more than a little concerned about how serious a HIPAA violation is. In this FAQ we focus on the details of how serious a HIPAA violation is. If you are a health care provider or business associate, you are bound by HIPAA law, and being bound by HIPAA requires your organization to become HIPAA compliant. Violations come to light in the following ways: a report by an employee or patient, a breach, or an OCR audit. The following fines are outlined by the HHS.
To learn more about becoming compliant, you can read the details here: 8 ways to protect your practice from fines
Unfortunately, there can never be a 100% guarantee that ePHI/PHI won’t be compromised. The de-identification of data is no exception, as it also runs the risk of exposing sensitive information: the simple mistake of not removing all of the patient-identifiable information increases the risk of exposure.