Advocate Health Care Network has been ordered to pay $5.5 million, one of the largest HIPAA settlements to date, for violating the Act’s Privacy and Security Rules.
The Office for Civil Rights (OCR) investigated Advocate after it reported three separate data breaches between July and November 2013. These breaches affected more than 4 million patient records, hence the size of the settlement.
The OCR found that Advocate had failed to:
- conduct a thorough risk analysis of all of its facilities and equipment;
- implement policies and procedures to limit physical access to the administrative building from which desktops containing protected health information (PHI) were stolen;
- reasonably safeguard electronic PHI (ePHI); and
- enter into a HIPAA-compliant business associate agreement with its billing company to assure that the billing company would appropriately safeguard all ePHI in its possession.
This history-making settlement highlights the significant consequences of failing to comply with HIPAA.
Health care breaches in 2016
Despite 74% of US citizens ranking health care providers as the most trusted organizations when it comes to online privacy, 164 health care data breaches have already been reported to the US Department of Health and Human Services (HHS) this year, affecting more than 4.6 million people. (The HHS figures cover only breaches of unsecured PHI affecting 500 or more individuals, so the true count is higher.)
The largest, reported by 21st Century Oncology in April, affected more than 2.2 million people.
As with any organization, managing sensitive information across many sites, domains, servers, and people is never easy. The more data you hold, and the more locations from which it can be accessed, the greater the risk of compromise: every additional endpoint, building, and third party is another place where a thorough risk analysis, physical access controls, and contractual safeguards have to be in place.
How ISO 27001 can help you comply with HIPAA
Health care organizations are increasingly required to comply with multiple security laws, regulations, and industry standards (such as SOX, HIPAA, the PCI DSS, and the GLBA). Combined with the task of protecting millions of people’s data, meeting each of these requirements separately can overwhelm even the most organized of businesses.
As a result, we are now seeing more organizations seek registration to ISO 27001, the internationally recognized information security standard for creating and maintaining an ISMS (information security management system).
ISO 27001 can centralize and simplify disjointed compliance efforts. The risk assessment, documented controls, and audit evidence that an ISO 27001 ISMS produces overlap heavily with what these frameworks demand, so organizations that achieve ISO 27001 registration frequently find that much of the work for related legislation is already done.
By virtue of its all-inclusive approach, ISO 27001 encapsulates the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement. The four failures OCR identified at Advocate map directly onto core requirements of the standard: a documented risk assessment covering all facilities and equipment, physical and environmental security controls, safeguards for information in electronic form, and management of the security obligations of suppliers such as billing companies.
Implement an ISO 27001-compliant ISMS
To help you along your ISO 27001 implementation journey, the ISO 27001 ISMS Documentation Toolkit will help you quickly and easily build your ISMS. It provides customizable documentation templates and expert guidance from ISO 27001 auditors.