Dental / Health Clinic Data Management


Contactless Entry

Contactless Entry - eForms, Clinic Notes, Operational Manual

You've used and followed the best practices to keep paper records of each and every patient or visitor in the past. Now more than ever, safety, social distancing, and contactless interactions are the top priority for everyone.
Paper forms cost time and money to produce and process.
The risk of data entry errors from manually entering information into your system(s) is even greater.
Introducing the Contactless Entry Portal (CEP), which includes:
- Your own portal for you and your staff, ease of online contactless / paperless presence, recording, and monitoring
- Your own app for your patients, staff and visitors, ease of online submissions
- Up to 10 customized forms, such as Appointment Request, New Patient Form, Screening Form, Consent Form, and many more.
- HIPAA-compliant inbound and outbound emails.
- Two-way communication (messaging).

Data Security

Cybersecurity - Clinic Inbound/Outbound Data

Data Security breaches can result in loss of data, client trust, and potentially your business. Learn how your business could be affected if you don't take security seriously.


Clinic Resource Manager

  • The efficient and effective development of a clinic's resources when they are needed and/or need to be updated, such as PPE, disposable and reusable apparel, instruments, medicines, other daily essentials inventory, certificates, licenses, and other resources.
  • Managing a clinic's various resources effectively involves planning so that the right resources are assigned to the right procedure or task. Managing resources involves schedules and budgets for supplies, instruments, equipment, and licenses.
  • Call us 905-07-5554 for more discussion

Featured Solutions


Asset Management

Clinic Asset Manager

  • You need a system to keep track of the location and status of clinic assets (like instruments, devices, and equipment).
  • Have you ever needed something "right now" and then wasted far too much time searching for it?
  • Forget who had something last, and now it's "missing"?
  • How much more efficient could your organization be if you could look up any of your company's assets online and immediately find the last recorded location and status?
  • ShaGha Asset Manager is designed to help with all these issues.
  • Call us 905-07-5554 for more discussion

Customer Testimonial

However, let me say OUTSTANDING PRODUCT! I am truly happy and impressed. I waffled about the price for a while. And I hate to admit that after purchasing I think it is worth far more. That's not to say that I didn't buy for a long time due to the price point.

Reference Data Manager

  • Call us 905-07-5554 for more discussion

Metadata Manager

  • Call us 905-07-5554 for more discussion
Business Glossary

Business Glossary Manager

  • Call us 905-07-5554 for more discussion

Data Consultancy


Best Practices / Guidelines

Data Management

Professional Services

Data Modelling / Analysis

Business Process

Business / Process Analysis

Templates / Check Lists

Business Templates

Data Services / Support


Data Analysis / Profiling

Reverse Engineering

Data Security Monitoring

Cyber Security

Professional Services

BI Platform

Professional Services

Software Support

What Are the Repercussions of a Security Breach? Security breaches can result in loss of data, client trust, and potentially your business. Do you have the proper technical safeguards in place? Can your cybersecurity infrastructure withstand an attempted breach?

What is Protected Health Information (PHI)?


The Health Insurance Portability and Accountability Act (HIPAA) is a 1996 law that regulates privacy standards in the healthcare sector. In the early 1990s, it became clear that computers and digital records would come to play a large role in storing health data and that something should be done to protect sensitive information as technology changes the medical field. Since 1996, Congress has passed additional laws to adapt HIPAA to fit new technological advancements. Today, the law serves mostly the same purpose: to safeguard Protected Health Information (PHI) in order to keep individuals safe.
Most HIPAA rules and regulations revolve around protecting PHI. Therefore, understanding how to handle PHI is essential for achieving HIPAA compliance.
First, you need to know what PHI is; HIPAA defines Protected Health Information (PHI) as any health-related information combined with a unique identifier that matches a particular individual.
Identifiers include, but are not limited to: date of birth, address, Social Security number, email address, and phone number.
Consider other data elements that could be an identifier (and therefore Protected Health Information) which are often overlooked:

  • MAC address of the network card on a device
  • IP address of a device
  • Driver's license number
  • Biometric data (fingerprints, retina scans, etc.)
  • Medical record numbers
  • Medical device serial numbers
  • Health plan account numbers
  • Dates of visits, admission, discharge, and treatment
  • Payments/bills
  • Photographs
  • Diagnostic codes

If the data can be used to identify a patient, it should be considered as a possible identifier and treated as Protected Health Information (PHI).
Protected Health Information (PHI) includes information that is not current. For example, a hacker could use an old phone number or address to identify an individual. In its simplest form, Protected Health Information is the intersection between an identifier and health information.


How Might I Come Into Contact with Protected Health Information (PHI)?


Protected Health Information (PHI) exists in multiple forms: electronic (ePHI), verbal, and written. The same standards of privacy apply to all types. Your job may require you to know and use someone's PHI so they can pay for medical expenses or receive treatment. Everyone who interacts with PHI must understand how to protect it. The smallest slip-ups have the potential to cause a data breach.
When working with Protected Health Information (PHI), you should always observe the minimum necessary standard: use the minimum amount of PHI required to complete your task. In other words, it is important to keep the information you see to yourself; you may not discuss it with anyone, including co-workers.
The following members of your company are likely to see PHI: HR representatives, IT staff, health plan administrators, accounts payable, and company owners/executives. They must all use caution when handling this sensitive information.
If you see Protected Health Information (PHI) exposed in your office, alert your privacy officer or security officer.

Who is Protected by HIPAA?


HIPAA is a federal law that applies to everyone. Compromising anyone's Protected Health Information (PHI) is never acceptable or legal. All patients/employees have a right to have their personal health information kept private.


Who Needs to Comply with HIPAA?


All covered entities (including health care providers) must be HIPAA compliant. Covered entities include businesses that provide their employees with health insurance plans, as well as medical, dental and vision providers.


HIPAA also applies to their Business Associates and Business Associate Subcontractors. They also must go through the process of becoming HIPAA compliant and securing Protected Health Information as well.


This includes filling out a Risk Assessment, training employees, and creating customer Security and Privacy Policies and Procedures. Vendors and third-party companies who work for Covered Entities often come into contact with Protected Health Information (PHI). For example, accountants, attorneys, document shredding vendors, and IT vendors all qualify as Business Associates or Business Associate Subcontractors.


Therefore, if you work with any third party companies or vendors, you must have a signed Business Associate or Business Associate Subcontractor Agreement.


If a business associate or one of their subcontractors compromises protected information and you do not have a signed agreement, you can be held liable for their mistake. Some companies sign a BAA without meeting the requirement of completing the HIPAA compliance process. This can be a legal mess for both the Covered Entity and the Business Associate if there is a breach.


What are the Penalties for Violating HIPAA?


HIPAA violations occur when Covered Entities intentionally or unintentionally expose Protected Health Information.


There are consequences for employees and employers who violate HIPAA law. Companies can be sued by the Office of Civil Rights, and individuals could face fines ranging from $100 to $250,000 per violation and imprisonment for one to ten years for major violations.


Additionally, HIPAA requires all businesses that touch PHI to adopt sanction policies. According to the level of the violation, sanctions include letters of reprimand, suspension without pay, and/or dismissal from the workforce.


Good Habits for Keeping Protected Health Information (PHI) Safe

  • When it comes to handling Protected Health Information (PHI), you can never be too careful. Adopt a clean desk policy to keep your workstation secure.

  • Never leave your computer unlocked while you are away from your desk and store files in a secure place whenever you are not using them.

  • Store files containing sensitive information/PHI in a locked filing cabinet.

  • Obey your company's policies and procedures, even if it requires putting in a little more effort. These are in place to prevent data breaches, and they are only effective if everyone follows the rules. So, familiarize yourself with these procedures.


In conclusion, ignoring HIPAA rules about properly handling Protected Health Information (PHI) puts you at risk for hefty fines, potential lawsuits, and bad publicity. Above all, your reputation depends on how well you serve your clients.

Selecting a HIPAA Security Officer

For many companies handling Protected Health Information (PHI), ransomware attacks and other cybersecurity threats are a very real danger. Having a strong security program is important for keeping your company's information safe. This makes choosing your HIPAA Information Security Officer (ISO) a very important decision. Wouldn't it be nice to have a security expert in your back pocket? The reality is, most of us don't. Your Security Officer doesn't have to be a security expert, but they do need to have strong technical skills, know where your ePHI is stored, and understand what information Business Associates have access to. Having this knowledge will help your ISO be poised and ready for all HIPAA security risks.


What are the HIPAA Security Officer's responsibilities?

  1. Understanding the HIPAA Security Rule and how it applies to the organization.
  2. Adopting appropriate Security Policies and Procedures.
  3. Overseeing the Security of ePHI within the company in all phases: Transit, Rest, and Storage.
  4. Identifying and evaluating threats to the confidentiality and integrity of ePHI.
  5. Responding to actual or suspected breaches of the confidentiality or integrity of ePHI.
  6. Consulting with the Privacy Officer before contracting with any outside vendors (in a small organization the same person can fill both Privacy and Security roles).
  7. Performing or coordinating periodic security audits of all computer systems and networks.
  8. Arranging for all employees who handle ePHI to be trained on HIPAA and trained on the company's specific Security Policies.
  9. Interfacing with HHS if there is an audit.

What should you look for in a HIPAA Security Officer?

  1. Leadership; your ISO should be a leader in your company such as a manager or officer. The ISO should be able and willing to enforce the rules and sanction employees when necessary.
  2. The ISO's job involves a broad range of responsibilities, so he or she will have to manage details thoroughly and successfully. With many details comes the need to have strong organizational skills, too. One of the ISO's most important responsibilities is completing a thorough Risk Assessment, which requires an in-depth understanding of the organization's administrative, physical and technical safeguards.
  3. Your ISO should be able to manage the technical side of HIPAA security successfully. This may mean that other employees are designated to perform jobs relating to HIPAA security. Or, your ISO may choose to hire an outside IT vendor that can assist in security duties and problem solving.

Before you hire anyone, remember:

  1. Any consultant who accesses your PHI is your Business Associate.
  2. Audit any BA's Privacy and Security Policies and Procedures BEFORE granting access to your network.
  3. Any HIPAA violations contractors create are legally your issues!
  4. By law, someone in your organization has to fill the role of HIPAA Security Officer. The level of an ISO's expertise varies from organization to organization.
  5. Even with all of the skills above, one person often can't navigate it alone and they shouldn't have to.
  6. Your ISO can easily delegate responsibilities internally to help lighten his or her load. But if you choose to hire outside help, make sure the person understands not only IT but HIPAA, too.

Want to know more about how you can become HIPAA compliant?