HITECH Requires Increased Security for Tape Rotation
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) began the move to protecting the privacy of patients' data. It limited how health records could be shared and how they were stored, and even mandated the shredding of old records. HIPAA moved the health care industry to tighten its document security procedures. While HIPAA succeeded in raising security practices, the Department of Health and Human Services (HHS) did a poor job of enforcing the rule: very few practices and hospitals were penalized when poor data security came to light. The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 further expanded the security requirements for medical records. Another goal of the act was to give medical practices incentives to scan paper records into electronic health records (EHRs). It introduced a requirement for organizations to disclose data breaches, and it introduced a tiered system for issuing fines.

There are two things in HITECH that pose a greater risk to every health care provider. The first is the move to EHRs. Physical security for paper records is comparatively easy; it is much harder when the records sit on networked systems reachable from public networks. Medical practices now need experts in computer and network security. The second is the scale of a breach. A security breach no longer means the records of a few patients; it can mean millions of records. Consider how many patients' data can be held on one backup drive or tape: easily millions of records per cartridge. So EHRs are harder to secure, and a breach of them is much larger.
Let's look at the fines that HITECH imposes for a violation, including the security failures behind a data breach. The penalties are tiered by how culpable the organization was:

Tier 1: If the person did not know (and by exercising reasonable due diligence would not have known) that he or she violated the law, the penalty shall be at least $100 for each violation, not to exceed $25,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation, not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.

Tier 2: If the violation was due to reasonable cause and not to willful neglect, the penalty shall be at least $1,000 for each violation, not to exceed $100,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation, not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.

Tier 3: If the violation was due to willful neglect and the violation was corrected, the penalty shall be at least $10,000 for each violation, not to exceed $250,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation, not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.

Tier 4: If the violation was due to willful neglect and was not corrected, the penalty shall be at least $50,000 for each violation, not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.

In a recent hearing of the Senate Judiciary Committee's subcommittee on privacy, technology and the law, the enforcement of HITECH came into question. The chair of the subcommittee, Senator Al Franken of Minnesota, said the enforcement of the existing rules is "simply not satisfactory." So it is fair to assume that HHS is going to step up its enforcement and fines.
There are some basic things that every organization can do to protect its patients' information and avoid the crippling fines that follow a data breach. The first is to encrypt all data. Although encryption is very important, health care has been slow to implement it. Speaking before a Senate subcommittee hearing, Deven McGraw, the director of the Health Privacy Project at the Center for Democracy and Technology, said, "We know from the statistics on breaches that have occurred since the notification provisions went into effect in 2009 that the health care industry appears to be rarely encrypting data." All patient data should be encrypted, and that includes the copies on backup media. If an encrypted tape or disk is lost or stolen, the data on it cannot be read without the key. Under the HHS breach notification rule, properly encrypted data is not "unsecured" protected health information, so losing it does not trigger patient notification or the punitive fines. That safe harbor comes with conditions: the encryption has to follow the HHS guidance, which points to the NIST standards (NIST Special Publication 800-111 for data at rest), and the decryption key must not have been lost along with the media. Keep keys in a key store separate from the tapes, never on the same cartridge or in the same shipping case, and test a restore periodically so that an encrypted backup is also a usable one.

One of the benefits of EHRs is the ability to back up all the data. A basic tenet of any backup strategy is to keep one copy offsite. The backups should be treated with the same care as the originals, since a tape holds exactly the data the production system holds. A tape rotation service can offer security and the proper care of the magnetic media. Avoid taking backup tapes home: that is the weak link in the security chain, and lost or stolen media of this kind is behind a large share of the health care data breaches reported so far. The tapes should always be transported securely, with a chain-of-custody record for every hand-off, and stored securely.
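The article says to encrypt backups and keep the keys away from the media, but not how. The script below is an added example, not part of the original article or of any tape rotation vendor's software. It seals a backup image for tape with AES-256-CBC, binds an HMAC-SHA256 tag to the ciphertext (encrypt-then-MAC) so that an altered or corrupted cartridge is refused before decryption, and keeps both keys in a separate key store. It assumes the openssl command-line tool (1.1.1 or later for -pbkdf2); the file names, the sample "backup image" and the key-store directory are illustrative, and a real deployment would hold the keys in an HSM or key management service rather than in files.

```shell
#!/bin/sh
# Added example (not from the article): seal a backup image before it goes to
# tape so a lost cartridge holds only ciphertext, and detect tampering on
# restore. Assumes the openssl CLI. File names are illustrative.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample "backup image" standing in for a real PHI export.
make_sample_backup() {
    printf 'patient_id,name,dob\n1001,Jane Doe,1970-01-01\n' > "$WORK/backup.img"
}

# Two random secrets: one for AES, one for the HMAC. They belong in the key
# store (here: 0600 files in a separate directory), never on the cartridge.
generate_keys() {
    mkdir -p "$WORK/keystore"
    openssl rand -hex 32 > "$WORK/keystore/tape-enc.key"
    openssl rand -hex 32 > "$WORK/keystore/tape-mac.key"
    chmod 600 "$WORK/keystore/tape-enc.key" "$WORK/keystore/tape-mac.key"
}

# HMAC-SHA256 over a file, printed as hex. Used for both sealing and checking.
hmac_of() {
    openssl dgst -sha256 -r -hmac "$(cat "$WORK/keystore/tape-mac.key")" "$1" \
        | cut -d' ' -f1
}

# encrypt_for_tape <plaintext> <ciphertext>
# AES-256-CBC with a fresh random salt; the key is derived from the key file
# with PBKDF2. Encrypt-then-MAC: the tag is written next to the ciphertext.
encrypt_for_tape() {
    openssl enc -aes-256-cbc -pbkdf2 -salt \
        -pass "file:$WORK/keystore/tape-enc.key" -in "$1" -out "$2"
    hmac_of "$2" > "$2.hmac"
}

# verify_tape <ciphertext>: returns 0 if the stored tag matches, 1 otherwise.
verify_tape() {
    [ "$(hmac_of "$1")" = "$(cat "$1.hmac")" ]
}

# decrypt_from_tape <ciphertext> <plaintext>: refuses to touch the data until
# the tag checks out, so a corrupted or altered cartridge fails closed.
decrypt_from_tape() {
    verify_tape "$1" || { echo "integrity check failed for $1" >&2; return 1; }
    openssl enc -d -aes-256-cbc -pbkdf2 \
        -pass "file:$WORK/keystore/tape-enc.key" -in "$1" -out "$2"
}

# Returns 0 if the cartridge image still contains a patient name in the clear.
ciphertext_leaks_plaintext() {
    grep -aq 'Jane Doe' "$1"
}

# Stand-alone run: seal, check, restore, then show that tampering is caught.
main() {
    make_sample_backup
    generate_keys
    encrypt_for_tape "$WORK/backup.img" "$WORK/cartridge.enc"
    if ciphertext_leaks_plaintext "$WORK/cartridge.enc"; then
        echo "plaintext leaked into cartridge image" >&2
        return 1
    fi
    decrypt_from_tape "$WORK/cartridge.enc" "$WORK/restored.img"
    cmp -s "$WORK/backup.img" "$WORK/restored.img" && echo "restore matches original"
    printf 'X' >> "$WORK/cartridge.enc"   # simulate a damaged or altered tape
    verify_tape "$WORK/cartridge.enc" || echo "tampering detected, restore refused"
}

main
```

Run it as `sh seal_tape.sh`. The point to notice is the order of operations on restore: the tag is checked before any decryption, and the key material never appears in the same directory as the cartridge image. When tapes are rotated, rotate the keys with them, keep the key store's own backup on a different path from the tapes, and restore a sample cartridge on a schedule to prove that the encrypted copy is recoverable.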