Filter by Category

Dealing with the HITECH Requirements of HIPAA

Last November, six hospitals and one nursing home were fined in California for data security breaches related to patient healthcare records. The total fines were $792,500 by the California Attorney General. The cause? The facilities failed to prevent unauthorized access to confidential patient medical information.

While these breaches made headline news in California, they were but the tip of the iceberg of the total healthcare record breaches in 2010. According to the Privacy Rights Clearinghouse, there were 592 reported healthcare data security breaches last year, which potentially exposed more than 11.5 million records. This was double the breaches of healthcare facilities in 2009, opening severe liabilities to the organizations that housed those patient records.

So what now? If your organization can be fined for failing to prevent unauthorized access, how can you safeguard your company's healthcare records?

What is HITECH?

Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, extended the complete Privacy and Security Provisions of HIPAA to business associates of covered entities. This includes the extension of newly updated civil and criminal penalties to business associates.  On November 30, 2009, the regulations associated with the new enhancements to HIPAA enforcement took effect.

What's it mean? If your company merely does business with an organization that is involved with healthcare records, HITECH says that you are liable for any security breaches on your watch that reveal patient vital healthcare information. This could include things like names, addresses, social security and Medicare/Medicaid numbers, or any info that could lead to misuse of healthcare information.

So how can your company protect itself from this liability?

The Department of Health and Human Services (DHHS) interim Security Rule says that "a covered entity must consider implementing encryption as a method for safeguarding electronic protected health information." The DHHS rule does permit something called "comparable methods" in lieu of encryption, but it does not specify what those methods might be.

Encryption vs. Comparable Methods: The Vague Alternatives

To determine if your company can provide security through some so-called "comparable method" it's important to look at the types of breaches that occurred in the past. The Privacy Rights Clearinghouse provides a good free search service to investigate at http://www.privacyrights.org.

By looking through the types of breaches that occurred in 2010, (stolen laptops, doctors emailing records to their home computers, lost or missing flash drives, unauthorized browsing by employees), the first question that you should be asking is "Can our organization really secure all those potential mechanisms for data theft without relying upon encryption?" It's a difficult task, and the resources that your organization will expend (hardware solutions, policy solutions, etc.) can be significant.

Still, the monetary fines for failing to provide adequate protection are severe, and your management may decide that a thorough review of your security will be required.

By comparison, implementing encryption technology like Crypto Complete - is undoubtedly a faster and more cost-effective means. Crypto Complete encrypts sensitive data at the source using integrated key management, complete with auditing, field encryption and backup encryption, without interrupting the normal IT workflow. Data encryption permits the source of information itself to be put under a lock and key, and once encrypted, that data is protected from both unlawful use and the HITECH liability rule.

Now is the Time to Investigate

Finally, consider the downside of ignoring the HITECH rules? Take a look at one attorney's perspective "Responding to an Electronic Medical Records Security Breach: What Every Health Care Provider Needs to Know" to get a handle on the steps for determining the scope of the law. You'll be surprised at how comprehensive the requirements have become, and why your management should be concerned.

Encrypting your data is the most recognized, safest and least expensive means of protecting your organization from liability from unauthorized access. If you've been to putting off addressing the potential pitfall of unauthorized access to your data, now is the time to investigate.

Latest Posts


iPaaS and MFT: What You Need to Know

September 24, 2020

Once upon a time, you carried an MP3 player to listen to music, a cell phone to text and make calls, and a book if you wanted to read. Video games and the internet? Best to use your preferred gaming…


What is Electronic File Transfer?

September 22, 2020

Meet Electronic File Transfer If your IT department is still relying on outdated methods like FTP, PC tools, or legacy scripts to meet your organization’s data transfer needs, now is the time to…


What is a Cloud Connector?

September 17, 2020

The cloud and all its possibilities for connecting with customers, vendors, trading partners, and more is exciting. Managing your organization’s transition to the cloud – whether you’re…


How Amazon Web Services Works with GoAnywhere MFT

September 16, 2020

“Alexa, What is MFT?” While that may not be a question you’ve ever asked your virtual assistant, it’s not outside the realm of possibility – Amazon has quickly become ubiquitous for online…


Why You Should Use Scheduled File Transfer Software

September 15, 2020

Have you set up Amazon auto-deliveries? Installed a smart thermostat to keep your house the perfect temperature throughout the day? Approved auto-pay for your bills? Today’s world makes it easy to…