Technological growth has equipped today’s healthcare industry with software applications and IT infrastructure that let providers communicate, store and process patient health information digitally. However, with cyber threats looming over this IT-enabled environment, the Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule, which followed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and established rules protecting the privacy and security of personal health data.
The HIPAA Privacy Rule aims to protect the privacy of individually identifiable health information. Along with it, the OCR also issued the HIPAA Security Rule, which sets national standards for the security of electronic protected health information (ePHI). The HIPAA Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unsecured protected health information, and the confidentiality provisions of the Patient Safety Rule protect identifiable information used to analyse patient safety events and improve patient safety.
HIPAA is a complex set of federal rules and regulations that govern how medical institutions and their business associates handle private health information. With penalties for HIPAA violations being substantial, legal experts are analysing the impact of the Connecticut Supreme Court’s ruling on whether plaintiffs can sue a healthcare provider for negligence when HIPAA regulations have been violated by failing to protect patient privacy. Under the HIPAA Security Rule, OCR has set national standards for the security of protected health information (PHI) that is created, stored, transmitted, or received electronically.
To ensure the confidentiality, integrity, and availability of ePHI, the HIPAA Security Rule requires medical practitioners, covered entities, business associates and consumers to implement a series of administrative, physical, and technical safeguards when working with ePHI. The Connecticut case of Emily Byrne vs. Avery Centre for Obstetrics and Gynaecology, in which a patient sued a healthcare clinic that released her medical records to a third party without her authorization, falls into one of the 10 types of HIPAA violation. Failure to comply with HIPAA requirements leads to civil and criminal penalties that apply to both covered entities and individuals.
Covered entities and business associates should therefore take adequate steps to ensure that patient data is safe from any sort of data breach. Aegify, a HIPAA/HITECH security and compliance management solution, provides continuous security monitoring and compliance management built on a framework approach, allowing covered entities and business associates to gain control and improve compliance levels across HIPAA, HITECH, PCI, SOX, ISO, COBIT and country-specific regulations. Its built-in vulnerability scanning technology makes security and compliance monitoring simple and effective, and it is designed to help both large hospitals and small and medium healthcare establishments, along with their business associates, continuously monitor the security of PHI against data breaches.