This Boston-based teaching hospital of Harvard Medical School has also agreed to a corrective action plan similar to the one in the case of Alaska DHSS, including reviewing, revising, and maintaining policies and procedures for HIPAA security compliance. In addition to this, the agreement also requires the organization to get an independent monitor to conduct assessment of compliance with the corrective action plan and submit semi-annual reports to the Department of Health and Human Services for a period of three years.

Industry experts are of the opinion that this incident yet again reinforces the need for organizations to improve their HIPAA compliance efforts. Rebecca Herold, an independent security consultant who heads the firm Rebecca Herold & Associates stated that organizations of all sizes that possess protected health information should implement long-held, proven, and widely accepted security measures for all types of personal data. She further said that many organizations take a wait-and-see approach for implementing security controls. They want to be told to implement encryption, employee training etc. before making any such investment. They do not want to take action unless it is proven that these security measures are absolutely necessary.

Entities should understand that preventing a breach would cost significantly lesser than paying a penalty and taking corrective action after a breach has occurred and the reputation of the organization is lost. In the case of Massachusetts Hospital OCR launched an investigation after the theft of a laptop was reported in February 2010. This unencrypted laptop contained information on more than 3500 patients as well as 68 participants in a research project.

The investigation revealed that the hospital had failed to take necessary steps to comply with some requirements of the HIPAA security rule including conducting risk analysis, implementing adequate security measures, and adopting policies for restricted access to protected health information. It was also found that these failures had continued over an extended period of time, thus demonstrating long-term disregard for HIPAA norms.

This is the second time in three months that a huge penalty has stemmed from a small breach. This incident further highlights the need to be fully compliant with HIPAA rules at any given point in time. This is possible only with a solution like SecureGRC, which will take care of all the security requirements with its in-built HIPAA compliance framework, and allow organizations to steer clear of security challenges.

The post A Small Breach, But a Big Fine Once Again appeared first on Aegify.

Elizabeth Holland, Director of HIT Initiative Group of CMS’ Office of e-Health Standards and Services said that HIPAA is now being reinforced, and that there will be added emphasis on the privacy and security of patient information as people are wary about the confidentiality of their health records when they go electronic.

So, conducting effective risk assessment of EHR and safeguarding EHR from vulnerabilities are now not only a part of HIPAA’s security rules, but also clearly a requirement as per the Stage 2 rule of Meaningful Use. However, the requirements of both these rules are not really identical. According to Elizabeth Holland, while HIPAA doesn’t require annual risk assessment, for the Meaningful Use program, risk assessments have to be conducted every year and these assessments must more specifically address data encryption for EHR.

While the final Stage 2 rule has adopted most of the provisions of HIPAA, there are some noteworthy differences too:

• Firstly, the proposed rule requires encryption to be enabled as a default setting on EHRs, and the ability to disable this setting should be limited
• Secondly, the rule which expands the accounting for disclosure obligations for patient data in electronic form is not yet final, but the proposed Stage 2 rule recommends this as an “optional” criterion to meet the certification obligations of Stage 2

While the proposed certification rule included certain technical requirements in dealing with patient requests for amending electronic data, the final rule allows some flexibility in this capability.

So it is quite evident that if you are complying with HIPAA, you should be easily able to meet the Stage 2 requirements of Meaningful Use. But, it is important to remember that this intertwining of HIPAA and Meaningful Use rules also means that if you are not complying with one of them, you may be violating both. This reinforces the need for a solution like SecureGRC which can help you meet the requirements of HIPAA effectively by safeguarding health records in a comprehensive manner, while also ensuring that you significantly benefit from ‘Meaningful Use’ of EHR.

The post HIPAA and Meaningful Use Now Tightly Intertwined appeared first on Aegify.