Kroll Fraud Solutions Blog – A Dialogue on Data Security

Flu season may be over, but for the health care industry, a more troublesome and persistent threat is just warming up. Regulatory fever, a common side effect of an ailing economy, is now nearly in full swing. Beginning with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, ensuring privacy and security of patient information in the health care industry has been a primary concern for legislators over the past decade and a half. The HIPAA Privacy Rule extends federal protection to personal health information held by covered entities, and is fulfilled by the Security Rule, which prescribes the use of security safeguards to ensure confidentiality is maintained.[1] While HIPAA was a significant step forward in the security of personal health information management, two new regulations are raising the bar even higher in an effort to integrate and benefit from advancements in information technology.

If your healthcare facility were to have a data breach tomorrow, how would you go about notifying affected individuals? More importantly, how would you do it in a way that satisfies the HITECH requirements?

The answer isn’t easy. Even without HITECH, notification and subsequent response can take an alarming toll on the finances and resources of an organization.

The year 2009 closes with an almost audible gasp of air, as we take in and hold our collective breathes for the coming enforcement of HITECH on February 18, 2010 — one year post enactment of the Act itself. Among the measures to be taken, these two are of particular note:

• The requirement for Health and Human Services (HHS) to begin conducting mandatory audits, and
• Civil monetary penalties and settlements flowing to HHS/OCR (Office of Civil Rights) for enforcement.