
Four HIPAA Myths

This week Sheri Garver, Senior Advisor of Regulatory Compliance at PacketWatch, shares four Health Insurance Portability and Accountability Act (HIPAA) myths.

If you need assistance with your HIPAA compliance program or conducting a security risk analysis, contact PacketWatch today.

Myth #1: "My healthcare organization has cybersecurity insurance, so I don’t need a HIPAA program."

False. Healthcare organizations and business associates are required to comply with HIPAA requirements. When you sign a cybersecurity insurance policy, you attest that the organization complies with the Security Rule.

Misrepresentation of your business’s security program will most likely void your policy. If a cyber-attack impacts the organization and the insurance company discovers you didn’t implement a HIPAA program, they won’t pay the claim.

Myth #2: It isn’t necessary to complete a security risk analysis.

False. An Arizona hospital failed to conduct a security risk analysis and had to pay the Office for Civil Rights (OCR) $1.25 million.

Because no assessment had been performed, the environment was left vulnerable, and a threat actor was able to access 2.81 million patient health information records.

In addition to the financial penalty, the health organization was issued a comprehensive corrective action plan that will be monitored by OCR for two years.

Myth #3: Our patient health records are secure because they are stored on a server.

True and false. It is true if safeguards are established, continuously updated, and monitored to protect the patient health information on that server.

It is false if proper measures are not implemented to secure the server.

Don’t wait for a data breach to discover whether your server is insecure. Conduct a security risk analysis to confirm the current security posture, and if it falls short, take proactive remedial action.

For example, an FTP server containing patient health information for 230,572 individuals was left unsecured and accessible from the internet. Conducting a security risk analysis and implementing appropriate safeguards would have saved the offending company $350,000 and prevented reputational damage.

Myth #4: Our HIPAA policies and procedures will protect us from fines and penalties from OCR.

True. Policies and procedures that contain the proper information to meet the regulatory requirements, that are reviewed continuously and revised after a significant event, and that are communicated effectively to employees and non-employees provide the guidance needed to comply with HIPAA requirements.

Sheri Garver has nearly two decades of professional accreditation and compliance experience. She is the Senior Advisor of Regulatory Compliance for PacketWatch, a premier cybersecurity firm in Scottsdale, Arizona.

If you need help with your compliance or accreditation programs, please contact PacketWatch so we can discuss how we can help your organization meet and exceed its compliance goals.