Is Your Organization HIPAA Healthy?

What’s new and different with HIPAA?

On August 19, 2009, the U.S. Department of Health and Human Services (HHS) issued new data breach notification regulations for healthcare providers, health plans and other entities that are covered by the Health Insurance Portability and Accountability Act (HIPAA).

These tougher regulations impose stiffer penalties and are designed to strengthen HIPAA. They implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) signed by President Obama.

The new HIPAA breach notification regulations took effect on September 23, 2009, and the HITECH Act became effective on February 18, 2010.

Who needs to be notified when a data breach occurs?

Notification requirements for unsecured protected health information (PHI that has not been rendered unusable, unreadable or indecipherable by encryption or destruction, as specified in HHS guidance):

A data breach affecting 500 or more people must be reported, without unreasonable delay and no later than 60 days after discovery, to:

  • HHS
  • Prominent media outlets serving the affected state or jurisdiction
  • Individuals affected by the breach

A data breach affecting fewer than 500 people must be reported to:

  • The HHS secretary on an annual basis (logged and submitted within 60 days of the end of the calendar year in which the breach was discovered)
  • Individuals affected by the breach, without unreasonable delay and no later than 60 days after discovery

A business associate that discovers a breach is required to notify the covered entity it serves, not the affected individuals directly; the covered entity is then responsible for the individual, media and HHS notifications above.

Organizations that have an effective data protection policy in place and encrypt protected health information so that it is unusable, unreadable or indecipherable to unauthorized individuals are exempt from these notification requirements. This "safe harbor" only applies when the encryption meets the HHS guidance (which references NIST standards) and the decryption key was not itself exposed in the breach; a stolen laptop with the key stored alongside the encrypted disk still counts as a breach of unsecured PHI.

For more information:

  • HIPAA's Health Information Privacy page
  • The full text (PDF) of the new ruling, "Breach Notification for Unsecured Protected Health Information; Interim Final Rule."

What are the financial repercussions of a data breach?

Fines have increased significantly with the latest HIPAA update. An organization can now be fined up to 1.5 million USD per calendar year for all violations of an identical provision.

In addition, the HITECH Act directs HHS to establish a method by which individuals harmed by a HIPAA violation can receive a percentage of any civil monetary penalty or monetary settlement collected. This financial provision may be enough of an incentive for organizations to comply with HIPAA.

Furthermore, an organization that suffers a data breach will not only be subject to fines, but will also incur the costs of notifying the people affected. Once emails, first-class mailings, toll-free numbers, media outreach, staff hours and more are tabulated, a breach can quickly turn into an avoidable multimillion-dollar problem.

How does Sophos help organizations stay HIPAA compliant?

Sophos encryption provides "safe harbor" from breach notifications
Sophos products provide multi-layered security that includes full disk encryption, port control and data loss prevention. Data is protected throughout its entire lifecycle (i.e., at rest, in motion, in use and at disposal) and at all locations, from the organization's core to the endpoints.

Sophos delivers comprehensive data security
Sophos products protect the confidentiality of your data and safeguard the brand and reputation of your organization while allowing legitimate users—patients, doctors, staff and business partners—to maximize their productivity, confident that sensitive health information is secure.
