
Staying on top of the latest HIPAA developments is crucial for healthcare organizations. HIPAA requires covered entities to implement administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).
The Office for Civil Rights (OCR) enforces HIPAA and has issued guidance on various topics, including the use of encryption, two-factor authentication, and risk analysis.
OCR has also published resources to help healthcare organizations comply with HIPAA requirements, including the HIPAA Security Rule and the HIPAA Breach Notification Rule.
Recent Data Breaches
Great Expressions Dental Centers recently paid $2.7 million to resolve a class action lawsuit arising from a 2023 data breach that affected the personal data and protected health information of 1,925,397 people.
Gryphon Healthcare reported a security incident where the files of approximately 400,000 people with protected health information had been accessed by unauthorized individuals.
Omni Family Health confirmed a data breach due to a cyberattack, which may have resulted in the theft of protected health information of its patients and staff.
CorrectCare Integrated Health settled a class action lawsuit associated with a 2022 data breach impacting approximately 600,000 individuals, costing them $6.49 million.
HealthEquity reported a data breach affecting the personal identifiable information of 4.2 million individuals.
A MOVEit hack on Wisconsin Physicians Service impacted 3.1 million individuals, making it one of the largest data breaches in recent times.
A ransomware attack on Young Consulting compromised the medical insurance data of 954,177 persons, highlighting the importance of robust cybersecurity measures.
Ransomware and Cybersecurity
Ransomware attacks on healthcare organizations continue to rise, even as incidents in other industries have declined.
The State of Ransomware in Healthcare 2024 report by Sophos revealed that across all sectors, the percentage of organizations reporting a ransomware attack increased.
From 2020 to 2023, OCR received over 50 large breach reports, involving over 1,000,000 individuals in total, attributable to stolen equipment and devices containing ePHI.
These breaches involved equipment and devices such as workstations, servers, laptops, external hard drives, backup devices, flash drives, smartphones, and medical devices.
The HHS Cybersecurity Newsletter emphasizes the importance of implementing proper physical safeguards, including facility access controls, to prevent unauthorized access to ePHI.
Facility access controls are essential for HIPAA Security Rule compliance, and regulated entities must ensure they have proper physical safeguards in place to deter and prevent unauthorized access.
Here are the four implementation specifications for Facility Access Controls:
- Contingency Operations: Establish a contingency plan to respond to an emergency or other occurrence that damages systems containing ePHI.
- Facility Security Plan: Establish policies and procedures to protect facilities and equipment from unauthorized physical access, tampering, and theft.
- Access Control and Validation Procedures: Control and validate access to facilities based on an individual’s role or function, including visitor control and access to software for testing and revisions.
- Maintenance Records: Establish policies and procedures to document information and retain records about repairs and modifications made to the physical components of a facility related to security.
Frequently Asked Questions
What are the HIPAA rules for emails?
To avoid HIPAA violations, emails from healthcare workers must only contain patient health information for permitted purposes and not include patient names or identifiable data. Emails that include PHI must be secure and comply with HIPAA regulations to prevent unauthorized disclosure.
What is the new HIPAA rule in 2024?
The 2024 HIPAA rule, also known as the "2024 Privacy Rule", strengthens protections for sensitive reproductive health care information. This rule aims to provide essential peace of mind for individuals by setting minimum protections for their personal health data.
Is HIPAA outdated?
According to Harvard Law School, HIPAA is considered outdated and inadequate to address modern privacy concerns, particularly those related to AI. This raises questions about its effectiveness in protecting sensitive health information.