Healthcare IT Security at Risk Due to Business Associate Negligence
By: Susan Asher
Healthcare companies and businesses that do contract work for them may soon be left singing the blues to the tune of an old popular song by The Who. I can hear the new lyrics now: “Too much, Omnibus.” That “too much” could refer to rising penalties for noncompliance with HIPAA requirements under the new Omnibus Final Rule Summary, which went into effect Sept. 23 and has a maximum penalty of $1.5 million per violation.
Here’s why this is important to healthcare companies and organizations that do business with them. The Omnibus Rule eliminates an exception under the previous rule that shielded covered entities from civil penalties stemming from the conduct of their business associates if certain conditions were met. Under the Omnibus Rule, covered entities and business associates are liable for the acts of their respective business associate agents. Simply put, if your business associates encounter a cyber security breach, you can be liable as well.
Who Are You?
The latest updates to the HIPAA regulations under the Omnibus Final Rule state that Business Associate Agreements must be updated to include specific new provisions; however, existing Business Associate Agreements entered into before January 25, 2013, that are compliant with the interim rules may operate until the agreement is amended or renewed, or until September 22, 2014, whichever is earlier.
You’d think steep fines would prompt businesses working within the healthcare industry to be more careful with personally identifiable information (names, Social Security numbers, addresses), yet in the past two months alone there have been numerous news stories about healthcare companies and their business associates that have been responsible for network security breaches. In November, Health IT Security reported: “The City of Milwaukee is trying to lay the proverbial hammer down on Dynacare, a clinical laboratory services company that lost a USB flash drive with unencrypted patient data. The data breach, which occurred on October 22, is complicated by the fact that Milwaukee handed the data over to Froedtert Health’s Workforce Health, a public health organization that had contracted with and has an ownership interest in Dynacare.”
Many of the reported healthcare information security breaches have been due to the negligence of staff. The remedy is easy: train employees in the basic rules of HIPAA laws and the steps they need to take in order to protect data. Dell SecureWorks offers OnDemand IT Security Training as well as several other Information Security Awareness Training Solutions that allow organizations to train employees, on their own time, in how HIPAA affects them and their jobs and what they need to do to comply with the regulations. Effective for learners of all three styles—auditory, visual and tactile—the courses present learners with modules that feature sound, pictures and interactive components that force them to submit answers throughout the information security training. If employees get an answer wrong, they must try again and submit the correct answer before they can move on. Each module runs about 25 minutes, allows employees to work at their own speed and bookmarks where they left off if they’re interrupted.
As well as training their employees on HIPAA security, both healthcare organizations and their business associates need to take other network security precautions. They should perform quarterly scans of their networks and website applications, and scan their networks and applications after any changes have been made to either, as each change leaves a network open to new vulnerabilities. At Dell SecureWorks, an IT security professional can perform network and website application scans to identify vulnerabilities in those environments and provide organizations with a detailed analysis of findings and remediation guidance to reduce exposure to cyber threats. Web applications that interface with customers or employees are one of the most popular ways that attackers enter networks. Cyber attackers type code into open fields in the applications, such as the field that asks for a user’s name or password. If there are vulnerabilities in the applications—and there usually are—attackers can type a string of characters inside those fields and connect to servers and databases.
Under the new rule, business associates now have a duty to report any network security breaches of personal health information and ensure that any subcontractors for whom they are responsible also agree to the same HIPAA/HITECH legislation if they are in a position in which they might send, receive or maintain personal health information—irrespective of how it is transmitted or stored.
Healthcare organizations will need to monitor themselves and their business associates to ensure they are taking the necessary steps to prevent breaches. Without taking those precautions, you’re gambling $1.5 million, and that is way too much.
Contact an IT security professional at Dell SecureWorks to see how we can help your Healthcare Organization meet HIPAA Compliance and avoid these steep fines.