08-09-13 | Blog Post
The HIPAA omnibus rule places business associates under the same scope of liability in the event of a data breach as a covered entity – for good reason. A recent HIPAA data breach was the result of a health IT vendor’s lapsed firewall that allowed patient data to be indexed by Google’s search engine. As a result, 32,000 patient names, diagnoses, medical histories and more across 48 states were made publicly searchable.
Cogent Healthcare, a hospitalist management group, contracted with M2ComSys, a medical transcription software vendor that stored electronic protected health information (ePHI) on their secure website. However, their firewall had been turned off for approximately a month. Cogent recently ended their transcription contract with the vendor after the discovery.
HIPAA requires Cogent to notify patients, media outlets and the Dept. of Health and Human Services, as the breached data was not encrypted and the breach affected over 500 individuals. Encryption may have been a valuable security defense in this case, and it is highly recommended in order to meet requirement §164.306 to “Implement a mechanism to encrypt and decrypt electronic protected health information.” Encrypting data at rest and in transit exempts companies from the HIPAA Breach Notification Rule.
Web application firewalls (WAFs) sit between your web application server and the public users accessing your site, and they scan incoming traffic. For healthcare organizations that collect, store or transmit electronic protected health information (ePHI) and need to meet HIPAA compliance, the Technical Safeguards of the HIPAA Security Rule mandate that they must:
“Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” (Standard 164.312(e)(1))
As The Tennessean reports, when the final HIPAA omnibus rule officially goes into effect Sept. 23, health IT vendors will be considered business associates and could be fully prosecuted for civil and criminal penalties. Read Final HIPAA Omnibus Rule: How it Changes Cloud Computing for Healthcare for more information about how the rule affects health IT vendors.
Taking risks with health IT vendors and their level of compliance and security can backfire by resulting in penalties, fines, legal fees, credibility loss and more. Protect your healthcare organization and patient data by only contracting with business associates that will sign a business associate agreement and have undergone a HIPAA audit by a third-party to prove their understanding and implementation of HIPAA security policies.
References:
Site Flaw Puts Patient Data on Google
Physicians’-Notes Vendor to Brentwood-based Cogent Health Has Security Lapse