The Health Insurance Portability and Accountability Act of 1996 (HIPAA) began the move toward protecting the privacy of patients' data. It limited how health records could be shared and how they were stored, and it even mandated the shredding of old records.
HIPAA moved the health care industry to strengthen its document security procedures. While the rule succeeded in increasing security, the Department of Health and Human Services (HHS) did a poor job of enforcing it.
Very few practices and hospitals were penalized when poor data security was disclosed.
The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 further expanded the security requirements for medical records. Another goal of the act was to give medical practices an incentive to scan their medical records into electronic health records (EHRs). It introduced a requirement for organizations to disclose data breaches. Another change was the introduction of a tiered system for issuing fines.
There are two things in HITECH that pose a greater risk to every health care provider. The first is the move to EHRs. Physical security is easier to achieve for paper records; it is far more difficult when the records are reachable over public networks. Medical practices now need experts in computer and network security.
The second is scale. A security breach no longer means the records of a few patients; it can mean millions of records. For example, consider how many patients' data can be held on a single backup drive. It could easily be millions of records per drive. So EHRs are harder to secure, and a breach is much larger.
Let's look at the fines that HITECH imposes for a data breach:
If the person did not know (and by exercising reasonable due diligence would not have known) that he or she violated the law, the penalty shall be at least $100 for each violation not to exceed $25,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
If the violation was due to reasonable cause and not to willful neglect, the penalty shall be at least $1,000 for each violation not to exceed $100,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
If the violation was due to willful neglect and the violation was corrected, the penalty shall be at least $10,000 for each violation not to exceed $250,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
If the violation was due to willful neglect and was not corrected, the penalty shall be at least $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
In a recent hearing of the Senate Judiciary Committee's privacy, technology and law subcommittee, the enforcement of HITECH came into question. The chair of the subcommittee, Senator Al Franken of Minnesota, said the enforcement of the existing rules is "simply not satisfactory." So it is fair to assume that HHS is going to step up its enforcement and fines.
How to Protect Your Company from a Data Breach
There are some basic things that every organization can do to protect its patients' information and avoid the crippling fines that follow a data breach. The first is to encrypt all data. While very important, healthcare has been slow to implement it.
Speaking before a Senate subcommittee hearing, Deven McGraw, the director of the Health Privacy Project at the Center for Democracy and Technology said, “We know from the statistics on breaches that have occurred since the notification provisions went into effect in 2009 that the health care industry appears to be rarely encrypting data.”
All patient data should be encrypted. If encrypted magnetic media is ever lost or stolen, it is very unlikely that the data on it can be read. This eliminates the need to notify patients of a breach and saves the organization from the punitive fines.
One of the benefits of EHRs is the ability to back up all the data. A basic tenet of any backup strategy is to keep one copy offsite. The backups should be treated with the same care as the originals. A tape rotation service can offer security and the proper care of the magnetic media.
Avoid taking backup tapes home. This is the weak link in the security chain and is the source of most health care data breaches. The tapes should always be transported and stored securely.
Looking for a Secure Backup Tape Rotation and/or Vaulting Service?
Finding the right offsite tape storage company does not need to be a complicated process. Record Nations provides tape offsite storage and makes finding the right tape rotation service easy.
There are several offsite tape vaulting services out there to choose from. Let our experts help you find the service that makes the most sense for your business.
To get started, fill out the form to the right, or give us a call at (866) 385-3706. Within the next few minutes, you will be contacted by up to four tape rotation and storage experts who can assist you.