Each month the headlines read: “Hospital Pays Ransom”, “Provider Group Reports Cyber-Attack”. Breaches, cyber-attacks and ransomware affecting healthcare dominate the daily news.
Twenty years ago Congress passed the Health Insurance Portability and Accountability Act (HIPAA), which contains five titles. Congress directed the Department of Health and Human Services (HHS) to draft regulations that would increase the efficiency of the healthcare system by creating standards.
Title II, known as Administrative Simplification, has five provisions: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule. Any organization that transmits health care data electronically, namely the covered entities (health plans, health care clearinghouses such as billing services and community health information systems, and health care providers), must implement safeguards and adhere to the HIPAA regulations.
Has this twenty-year-old law kept pace with the ever-evolving, growing and changing world of the internet? Has the original intent of HIPAA kept pace, or are healthcare and HIPAA at a crossroads?
I would argue that HIPAA has not kept pace. A review of how quickly the internet has changed and grown makes the point. Facebook went online in 2004 and within a few years had 400 million active users. In 2014, global internet users reached three billion.
Had the bill's sponsors, Kassebaum and Kennedy, anticipated that within twenty years there would be over three billion internet users, the regulatory approach of HIPAA might have been different.
Congress expressed concern with the state of cybersecurity within healthcare by passing the Cybersecurity Act of 2015. The Act directs HHS to improve cybersecurity within healthcare and to keep those efforts consistent with HIPAA.
Does focusing on the security of protected health information (PHI) address the current state of cyber threats? Does a compliance-driven approach to healthcare create the framework a healthcare organization needs for cybersecurity?
Cybersecurity is a full range of risk-management processes, while HIPAA was drafted as a regulatory compliance framework.
Forward-thinking healthcare organizations are integrating their compliance program with their cybersecurity management program, creating a single program that serves both compliance and risk management.
Judith is the CEO of JAL Consult and holds the Certified HIPAA Professional (CHP) accreditation. As a consultant, Judith provides guidance to organizations within the HIPAA framework. Judith develops and implements reasonable and appropriate compliance programs, develops employee training programs, and participates in compliance presentations and speaking engagements. To read more about the world of compliance, subscribe to JAL's newsletter at www.jalconsultantsaz.com or follow JAL on Twitter at @judithconsult.