Does your organization treat HIPAA compliance as kismet or karma?
That depends on whether you are reactive or proactive when it comes to the security controls your organization has implemented to help protect PHI and other sensitive information.
“Are we reacting to compliance requirements, which would be kismet? Or do we have in place a proactive compliance and security program to ensure we are in fact managing the risks in the environment appropriately?” asked Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), chief executive of ecfirst, a California-based information security and compliance company.
Recent headlines have put the spotlight on the need for cyber security, Pabrai told the audience at the 21st National HIPAA Summit in Washington, D.C. For instance, Chinese hackers gained control of one employee’s computer at The New York Times and were able to compromise the company’s entire network. These kinds of cyber threats take place across many different industries and countries, he said.
Q. A long-term care facility has deployed laptops that connect to a file server and are password protected. The laptops are not used to store PHI or other confidential data and are not removed from the facility. Do the laptop hard drives need to be encrypted?
A. No. If no PHI or other confidential information is stored on the laptops and they remain on-site, the risk associated with data loss is minimal. If the laptops are stolen, it would not be a breach of unsecured PHI.
Answered by: Chris Apgar, CISSP, for Briefings on HIPAA.
Goodbye, mailed prescription notices from CVS.
In July, CVS will stop mailing prescription refill notices to consumers on behalf of pharmaceutical companies because of the new HIPAA omnibus rule, Modern Healthcare reports.
Mike DeAngelis, director of public relations at CVS/pharmacy, e-mailed Modern and wrote, “Over the years, we have collaborated with pharmaceutical companies to improve patient compliance to medication dispensed in our retail pharmacies by mailing select refill reminders to encourage and improve their medication adherence.
“However, in light of the recent HIPAA omnibus rule effective this September that places new restrictions on the usage of [personal health information], we have decided to end supplier-funded refill reminders through our retail business.”
OCR has reported 31 large patient information breaches in less than two months, according to its breach notification website.
OCR, the HIPAA privacy and security enforcer, had reported 543 patient-information breaches affecting 500 or more individuals as of March 1. That number rose to 556 as of March 16 and as of May 10 was at 587. The total number of breach reports of this kind reached 502 as of late October and 525 to start 2013.
OCR began posting the breaches online in February 2010, as required by HITECH; the earliest breaches listed date back to September 2009. Over roughly three years, OCR has reported an average of about 15 breaches per month, or one every other day.
Health social networking sites (HSNS) have a number of privacy and security issues of which hospitals and consumers must be aware, according to an article by the American Medical Informatics Association (AMIA).
Sites may maintain a vast repository of users’ profiles and keep it permanently, according to the AMIA. Users, they wrote, are increasingly sharing their private details on such sites and, for some people, privacy takes a back seat to the hope that some exchange will help them find a better treatment, manage their condition, or improve overall health.