How to avoid a HIPAA breach

In February 2014, Puerto Rican insurer Triple S Salud revealed that it will face a $6.8 million fine for breaching the Health Insurance Portability and Accountability Act (HIPAA), a third steeper than any previous fine for HIPAA violations.

In 2013, Triple S mailed a pamphlet displaying the Medicare Health Insurance Claim Number (HICN) of approximately 70,000 of its Medicare Advantage beneficiaries. The HICN is a unique government identifier and considered protected health information under HIPAA. Even though Triple S investigated and reported the incident to federal government agencies, issued a breach notification, notified all affected beneficiaries, and offered twelve months of free credit monitoring and identity protection, the Puerto Rico Health Insurance Administration found that Triple S failed to meet HIPAA requirements and therefore issued the $6.8 million fine.

A lack of confidence and clarity around US healthcare information has long been a concern for both covered entities and beneficiaries. A survey conducted by HP in the United States in 2010 suggested that the healthcare sector was lacking the information strategies and technologies needed to secure its data. It found that:

  • 17% of healthcare organizations do not have a strategy for managing their data.
  • 51% of healthcare organizations rank compliance with legal, regulatory, and internal governance standards as the prime driver of their information strategy, rather than a need to facilitate collaboration across departments, functions, and locations (28%).
  • 48% of healthcare organizations said that information flows informally based on personal relationships between employees.

Covered entities that need to comply with HIPAA can use ISO27001:2013, the internationally recognized information security standard. This standard enables you to pick the controls that best suit your business, stakeholders, and compliance requirements, and then manage them in a consistent and continuous way. The No 3 Comprehensive ISO27001 2013 ISMS Toolkit provides a complete solution for managing healthcare information by offering:

  • ISO27001:2013 ISMS Documentation Toolkit – pre-written documentation by an ISO27001 consultant to save you months of work in preparing and maintaining the documentation required for compliance.
  • Complete set of ISO27001 Standards for guidance.
  • Supplementary books to aid you throughout implementation.
  • vsRisk – automated risk assessment tool.

Find out about ISO27001.

More information on the HIPAA Breach Notification Rule can be found here.
