Is your organization HIPAA healthy?
New regulations go into effect September 23, 2009
What’s new and different with HIPAA?
On August 19, 2009, the U.S. Department of Health and Human Services (HHS) issued new data breach notification regulations for healthcare providers, health plans and other entities that are covered by the Health Insurance Portability and Accountability Act (HIPAA).
These tougher regulations impose stiffer penalties and are designed to strengthen HIPAA. They are tied to provisions of the Health Information Technology for Economic Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) signed by President Obama.
The new data breach notification regulations go into effect on September 23, 2009.
Who needs to be notified when a data breach occurs?
Notification requirements for unsecured (not encrypted) protected health information:
- More than 500 people: a data breach affecting more than 500 people must be reported immediately to:
  - HHS
  - Major media outlets
  - Individuals affected by the breach
- Fewer than 500 people: a data breach affecting fewer than 500 people must be reported to:
  - The HHS secretary on an annual basis
  - Individuals affected by the breach
In addition, business associates are required to notify each other of any data breach occurrences. In these instances it is the covered entity, rather than the affected individual, that is notified.
Organizations that have an effective data protection policy in place and encrypt protected health information to make it unusable, unreadable or indecipherable to unauthorized individuals are exempt from these notification requirements.
For more information: HIPAA's Health Information Privacy page and the full text (PDF) of the new ruling, "Breach Notification for Unsecured Protected Health Information; Interim Final Rule."
What are the financial repercussions of a breach?
The fines for data breaches have increased significantly with the latest HIPAA update. An organization can now be fined up to $1,500,000 per calendar year for each violation.
In addition, individuals who have been affected by a HIPAA data breach can now receive a percentage of a civil monetary penalty or monetary settlement. This financial provision may be enough of an incentive for organizations to comply with HIPAA.
In addition to fines, an organization that has a data breach will incur monetary expenses associated with notifying people affected by a breach. Once emails, first-class mailings, toll-free numbers, media outreach, man-hours and more are tabulated, a breach can quickly turn into an avoidable multimillion-dollar issue.
Sophos SafeGuard encryption products provide proactive protection against data breaches.
How does Sophos help organizations stay HIPAA compliant?
Sophos delivers comprehensive data security
Sophos solutions protect the confidentiality of your data and safeguard the brand and reputation of your organization while allowing legitimate users—patients, doctors, staff and business partners—to maximize their productivity, confident that sensitive health information is secure.
Sophos solutions provide multi-layered security that includes full disk encryption, port control and data leak prevention. Data is protected throughout its entire lifecycle (i.e., at rest, in motion, in use and disposal) and at all locations from the organization’s core to the endpoints.
Additional resources
Do you have the right defenses in place to ward off threats of a data breach?
Sophos products
- Sophos SafeGuard Enterprise, a modular encryption and DLP solution with advanced key management and reporting capabilities, enables companies to protect confidential information and comply with government and industry regulations.
- Sophos Endpoint Security and Data Protection delivers full disk and removable storage encryption alongside anti-virus, firewall and NAC technologies so companies can solve more problems while spending less on security.
- Sophos SafeGuard Easy offers easy full disk encryption for laptops and PCs.
- Sophos SafeGuard LAN Crypt automates file encryption and controls employee access to confidential data—stopping external threats and internal leaks.
- Sophos SafeGuard MailGateway stops data leakage and secures email with integrated attachment encryption, email signatures and sender verification from one central point—all easy and automated.
Users of Sophos SafeGuard products can download the latest versions from our support portal for registered customers.
If you need more information or guidance, please contact a Sophos representative.
More hot topics
Read our other guides to current security issues written by Sophos experts.