It’s not only a moral imperative but a legislated necessity for organizations to safeguard the medical information they hold. The Health Insurance Portability and Accountability Act (HIPAA)’s Administrative Simplification rules regulate the use and disclosure of Protected Health Information (PHI) by covered entities.
Incidents reported in 2015
- A statement from UMass Memorial Medical Group in Worcester, MA, admitted that a former employee accessed thousands of patient billing records, which included “patients’ names, addresses, dates of birth, medical record numbers, and Social Security numbers”. The data breach was discovered in April 2014, but law enforcement has only just granted the Group permission to notify some 14,000 affected patients, as mandated by HIPAA.
- California Pacific Medical Center (CPMC) revealed that a former pharmacist employee may have accessed the records of 844 patients between October 2013 and October 2014 with no business or treatment purpose. CPMC found “no evidence of a malicious intent” and “believes that the employee accessed the information out of curiosity”. The affected patients have nevertheless been notified, in accordance with HIPAA.
- In Albany, NY, “St Peter’s Health Partners is warning of a possible data breach in its email system” after the theft of an unencrypted cellphone, according to a Times Union report. Emails stored on the phone may have included information relating to appointments scheduled between August and November 2014, but not medical information. 5,117 affected patients have been notified, as mandated by HIPAA.
- According to Nextgov, a data breach first reported by the United States Postal Service last November may have compromised the health information of 485,000 employees as well as the names, addresses, birth dates, and Social Security numbers of 750,000 employees and 2.9 million customers that were originally thought to be affected. The health information was stored “in a file relating to injury compensation claims”. Although the USPS is not a HIPAA covered entity, this breach is covered by federal privacy legislation.
- TRH Health Plan has informed about 80,000 members that BlueCross BlueShield of Tennessee, one of its administrative partners, had inappropriately used their information for marketing purposes. The misuse of patient information is a violation of HIPAA.
HIPAA covered entities that are concerned about data security should implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.
By virtue of its all-inclusive approach, ISO 27001 encapsulates the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement.
It is often the case that companies will also achieve compliance with a host of other related legislative frameworks simply by achieving ISO 27001 certification. In addition to this, the external validation offered by ISO 27001 certification is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector or location, from under $600.
Civil Monetary Penalties (CMPs) for HIPAA violations can be as much as $50,000 per violated record, up to an annual maximum of $1.5 million, and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.