Is Your Organization HIPAA Healthy?

What’s new and different with HIPAA?Security Trends


The Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects the privacy and security of individuals' health information, defined as “protected health information” (PHI). HIPAA is concerned largely with private data protection at rest, during transactions, and as it travels on network connections.

HIPAA was updated with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which created a number of interim rules for better defining protected healthcare data, affected parties, breach disclosure, penalties and enforcement of penalties against covered entities and business associates.

The Cost of a Data Breach

With tougher regulations come stiffer penalties. HIPAA now levies fines for sensitive data exposure, and more and more states are tightening their data privacy laws. As of 2014, 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands all have data protection and privacy laws on the books.

The HITECH Act requires covered entities to notify affected individuals and the Secretary of the U.S. Department of Health and Human Services (HHS) in the event of a PHI breach. The notification requirements vary based on the amount of data breached.

Data breaches affecting more than 500 people must be reported immediately to:

  • HHS
  • Major media outlets
  • Individuals affected by the breach

Data breaches affecting less than 500 people must be reported to:

  • HHS secretary on an annual basis
  • Individuals affected by the breach

Business associates are also required to notify each other of any data breach occurrences. The covered entity, rather than the individual, is notified in these instances.

Once emails, first-class mailings, toll-free numbers, media outreach, man-hours and more are tabulated, the monetary expenses associated with notifying people affected by a breach can quickly turn into an avoidable multimillion-dollar issue. The good news? Organizations that have an effective data protection policy in place and encrypt PHI to make it unusable, unreadable or indecipherable to unauthorized individuals are exempt from these notification requirements.

But if the negative PR impact, possible loss of business, and reputation damage of data breaches aren’t enough of an incentive to comply with HIPAA, the significantly increased fines may be:

  • Organizations can now be fined up to $1.5 million per calendar year for each violation
  • Affected individuals can receive a percentage of a civil monetary penalty or settlement

How to Achieve HIPAA/HITECH Compliance

Again, it’s not all gloom and doom when it comes to HIPAA compliance. Sophos offers several resources to help healthcare organizations understand and comply with HIPAA regulations.

  • Regulations and Standards: Where Encryption Applies: HIPAA and other data protection regulations are changing to accommodate the ever-growing threat to sensitive data. This whitepaper describes the different types of data under regulation and offers best practices for implementing appropriate encryption technologies.
  • HIPAA/HITECH Compliance for Healthcare Organizations: This solution brief reviews the HITECH Act data breach notification requirements and how Sophos solutions can help you get and stay compliant.
  • Healthcare EMM Buyers Guide: Physicians and other healthcare providers want to use mobile devices on the job. BYOD is a great opportunity to provide better and more efficient patient care. But mobile devices also present a risk to PHI. How do you enable secure access from mobile devices without hindering doctors on the job? This guide reviews factors to consider when shopping for an enterprise mobility management solution that best fits your needs.
  • Healthcare Case Studies: Discover how we’ve helped healthcare organizations meet compliance mandates and protect valuable electronic medical records and PHI against data loss.
  • Sophos Blog Articles: Get the latest on all things encryption by visiting our Sophos company blog.

Stay compliant! Learn more about our SafeGuard Encryption solution. Get a free trial or no-obligation quote to evaluate whether our solution is right for your organization.

Free Trial     Free Quote