Page 38 - CDM-Cyber-Warnings-January-2014
have the budget but no time, while smaller entities may have time but no budget. In either case both are at risk, as are their Business Associates.

4. Do the increased penalties ($1.5 million per violation) for non-compliance drive healthcare providers to address the needs to prevent, contain, and report on data breaches?

QSA: By the time forensics and legal get through with a breach, the $1.5 million per violation is not nearly enough incentive to move organizations to action. Smaller entities will close up shop; larger entities will clog up the legal system until settlement occurs.

LEO: The penalties will obviously get the attention of all parties involved. However, if a company fires a member of their staff for a breach, the “culprit” will not be harmed in pursuing other jobs with similar responsibilities. In order to have a major impact on problem employees who purposely disclose HIPAA information either for their financial gain or someone else’s, laws concerning the disclosure of employee terminations will have to be amended so that other companies will not get stuck hiring an employee who has been involved in multiple breaches.

5. What do you think of the Breach Notification Rule?

QSA: Covered entities and business associates have the burden of proof to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures. Again we are back to the liberal stance of the Rule. An entity will be best served having an attorney at their side as they work through the issues related to a breach.

6. How do HIPAA mandates to “maintain and transmit” patient Protected Health Information (PHI) records impact a healthcare stakeholder in securing email, by encryption and archiving?

QSA: The PCI DSS is ahead of these requirements. Many entities are just now coming into Meaningful Use. The next challenge will be meeting the mandates mentioned. If you look at the PCI requirements, the keys for encryption must be managed, as well as the storage of restricted cardholder data. Early PCI adopters struggled with this, and I expect the mandates will be a challenge for those who are coming into Meaningful Use as well as ICD-10.

7. Of the 4 new rules for HIPAA (1. Business Associates liable for breaches; 2. Patient rights to obtain electronic copies of personal health information; 3. Patient restriction rights on disclosing their PHI; 4. Breach Notification Rule, in which any disclosure of PHI is presumed to be a breach), which one will have the biggest impact on the healthcare industry? And why?