• Hospital Pays Ransom

Each month the headlines read: “Hospital Pays Ransom”, “Provider Group Reports Cyber-Attack”. Breaches, cyber-attacks and ransomware affecting healthcare dominate the daily news.

Twenty years ago Congress passed the Health Insurance Portability and Accountability Act (HIPAA), which comprises five titles. Congress mandated the Department of Health and Human Services (HHS) to draft regulations aimed at increasing the efficiency of the healthcare system by creating standards.

The Administrative Simplification provisions, known as Title II, consist of five rules: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule and the Enforcement Rule. Any organization that transmits health care data electronically, such as covered entities, health plans, health care clearinghouses, billing services, community health information systems and health care providers, must implement safeguards and adhere to the HIPAA regulations.

Has this twenty-year-old law kept pace with the ever-evolving, growing and changing world of the internet? Has the original intent of HIPAA kept pace, or are healthcare and HIPAA at a crossroads?

I would argue that HIPAA has not kept pace. This is demonstrated by reviewing the history of the ever-changing and evolving world of the internet. Facebook went online in 2004 and in a short ten years it had 400 million active users. In 2014, global internet users reached three billion.

If the bill's sponsors, Kassebaum and Kennedy, could have anticipated that within twenty years there would be over three billion internet users, the regulatory approach of HIPAA might have been different.

Congress expressed concern with the state of cybersecurity within healthcare by passing the Cybersecurity Act of 2015. The Act calls for efforts by HHS to improve the state of cybersecurity within healthcare and to keep those efforts consistent with HIPAA.

Does focusing on the security of PHI address our current state of cyber threats? Does a compliance approach to healthcare create the framework needed for cybersecurity within a healthcare organization?

Cybersecurity is a full range of risk management processes, whereas HIPAA was drafted as a regulatory approach.

Forward-thinking healthcare organizations are integrating their compliance program and their cybersecurity management program into one program that works in conjunction with both their compliance and risk programs.

Judith is the CEO of JAL Consult and holds the accreditation of Certified HIPAA Professional (CHP). As a consultant, Judith provides guidance for organizations within the HIPAA framework. Judith develops and implements reasonable and appropriate compliance programs, develops employee training programs and participates in compliance presentations and speaking engagements. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult.