Healthcare in the Age of Data
Cyber Liability for Allied Health Businesses: HIPAA and HITECH Rules

Part 1: An Intro to HIPAA and HITECH Rules

HIPAA and HITECH are the two regulations that govern how healthcare businesses store and transmit patient data. HIPAA (often misspelled as HIPPA) was first enacted in 1996 and was later amended by HITECH in 2009. These laws…

  • Hold healthcare businesses responsible for data breaches.
  • Outline your IT requirements.
  • Require you to contact patients after a breach.
  • Fine businesses that violate data security requirements.

In the second part of this two-part series, we'll go over your HIPAA and HITECH requirements and how to be in compliance (jump to our HIPAA compliance article to learn more). For now, let's look at why medical data is protected and how much a violation / data breach could cost your health business.

Protected Health Information: What Is it and Why Is it Protected?


Protected health information (PHI) includes a patient's medical history and payment information, as well as other identifying data (like social security numbers, email addresses, etc.). It's safest to assume that any and all patient data and records will be protected by HIPAA and HITECH.

Why is this data protected? Criminals can get at it either by hacking into a computer or by physically stealing a device, and then use the data to commit fraud, commonly called identity theft.

On the black market, stolen records can sell for $10 apiece — ten times the amount a stolen credit card can be sold for. Imagine if a hacker were able to break into your computer system. How many patient records do you have? Though it may just be data to you, it's cash for a cyber criminal. One thousand records could translate to $10,000 on the black market.

Who buys stolen medical data? Hackers sell this data to people who will use it to commit fraud. With stolen data, fraudsters can impersonate a patient and receive free medical treatments, which a patient will be billed for later. Criminals can use this data to apply for loans, open credit cards, and commit other types of identity theft.

By storing data on your networks, you're actually storing highly valuable information that criminals would love to get their hands on. For this reason, lawmakers have established strict HIPAA privacy rules for medical businesses.

How Much Does a HIPAA Violation or Data Breach Cost?


A healthcare business pays for a data breach in three ways:

  1. Fines levied on your practice by the Department of Health and Human Services (i.e., HIPAA fines).
  2. Lawsuits from state attorneys general.
  3. Lawsuits from patients whose data was stolen and used for identity theft.

All of these can be extremely expensive. HIPAA fines are usually levied according to the number of records lost and the severity of the oversight that led to the breach. Here are some recent cases:

  • A $4.8 million fine for a breach at New York Presbyterian and Columbia University, which exposed 6,800 records on the Internet after a staff member didn't follow proper IT procedure when taking a server offline.
  • A $1.5 million fine for Blue Cross Blue Shield of Tennessee after 57 hard drives containing PHI were stolen.
  • A $1.2 million fine for Affinity Health Plan when the company failed to erase the hard drive on a copying machine it returned to a leasing company.

These HIPAA violations highlight just how careful healthcare companies need to be and how costly a data mistake can be. How many businesses would even think to erase the hard drive in their photocopier?

Lawsuits can lead to similar million-dollar settlements and judgments. After a recent data breach at the University of Massachusetts Medical Center, one patient filed a lawsuit seeking $3,000 in damages for each of the 2,400 patients whose records may have been compromised. If the UMass hospital loses the lawsuit, it could end up paying $10 million in lawsuit costs.

Data breaches and HIPAA violations are extremely expensive, which is why healthcare companies need to make sure they are in full compliance with HIPAA and HITECH. In part two of this article, we'll look at what you'll need to do to make sure your medical office complies with these HIPAA laws.

Part 2: HITECH and HIPAA Compliance

Over the last 20 years, the healthcare industry has seen an astonishing transformation as digital record keeping changed the way patients were treated and billed. One unfortunate side effect of this new technology has been an increased risk of cyber attack or data breach.

In part one of this article, we explained how hackers and thieves steal hospital records to commit identity theft. In fact, hackers target allied health businesses because hospital data is 10 times more valuable than stolen credit card information.

For this reason, lawmakers enforce strict HITECH and HIPAA privacy rules. These laws require you to protect patient data, and the Department of Health and Human Services will fine your business for violations. What do you need to do to be HIPAA compliant? Let's look at the steps your organization needs to take.

HITECH and HIPAA Compliance: How to Protect Electronic Health Records


Before we get into the specifics of HIPAA compliance, we should explain a few general points about data security and cyber liability. Protecting client data is really about teaching your employees to be vigilant and creating policies to enforce this vigilance. Generally speaking, you should…

  • Document your organization's security requirements.
  • Audit your security practices from time to time.
  • Reinforce these practices with reminders and additional training.
  • Remember that cyber attacks, hacking techniques, and malware change constantly. Your organization needs to be ready to upgrade its hardware and software accordingly.

Keeping those general principles in mind, let's look at the specific strategies you'll need to institute in order to be HIPAA compliant.

  1. Designate a privacy and security officer to be in charge of your company's data security.
  2. Require employees to use secure passwords (a random mix of numbers and letters) to log into their work accounts — if possible use two-factor authentication.
  3. Document security policies in employee handbooks and incorporate them in training.
  4. Review and update your policies at least once a year.
  5. Perform a security audit or hire an outside IT firm to look over your practices.
  6. Make regular backups of business data and have a "business continuity plan" to keep your business running smoothly in the event of an IT disaster or data loss.
  7. Encrypt all PHI (protected health information) / EHR (electronic health records) on laptops, computers, and mobile devices, and whenever it is stored on or transmitted over public networks and cloud services.
  8. Prevent theft of computers, hard drives, laptops, and other devices by physically blocking access to them, securing them to desks, or taking other preventative measures.
  9. Provide a "Notice of Privacy Practices" to patients that explains how you use, transmit, and store their private data (see the HHS guidelines for Notices of Privacy Practices for more information).
  10. Document and track any disclosures of PHI (e.g., sharing data with payment companies, insurers, other medical service providers, etc.).
  11. Only allow employees whose jobs require access to PHI to have it.
  12. Install IT systems to prevent data breaches, stop malware attacks, and secure your networks (consult with IT professionals about the best ways to do this for a healthcare company of your size).
  13. Require all business associates / contractors / subcontractors to sign a BA agreement that makes them aware of HITECH and HIPAA guidelines and requires them to be in compliance.
  14. Dispose of paperwork and forms containing private information in secure ways.
  15. Create a data breach response plan, outlining how the organization will contact patients whose data was lost, who will oversee the response, and what outside authorities you'll need to contact.
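Steps 10 and 11 above (track every disclosure of PHI; give employees access only to the PHI their job requires) are the two that most often have to be built into software rather than written into a handbook. The following is an added example, not code from the original article or from any product it mentions: a small role-based gate in front of a patient record that returns only the fields a role is allowed to read, and an accounting-of-disclosures log in which each entry is HMAC-chained to the previous one, so a later edit or deletion in the log is detectable at audit time. The roles, field names, patient record and key are all hypothetical, constructed for the demo.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical role-to-field mapping: each role may read only the PHI fields its
# job requires (the "minimum necessary" idea behind compliance step 11).
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "dob", "insurance_id", "balance"},
    "front_desk": {"name", "dob"},
}

# Constructed sample record for the demo; not real patient data.
PATIENTS = {
    "P-0001": {
        "name": "Example Patient",
        "dob": "1980-01-01",
        "diagnosis": "sample diagnosis",
        "medications": ["sample medication"],
        "insurance_id": "INS-000000",
        "balance": 125.0,
    }
}


class DisclosureLog:
    """Accounting-of-disclosures log (step 10). Each entry carries an HMAC over
    its own content plus the previous entry's HMAC, so editing, deleting or
    reordering an entry afterwards is detected by verify()."""

    GENESIS = b"\x00" * 32  # chain value before the first entry

    def __init__(self, key: bytes):
        self._key = key          # audit key; keep it out of the application's reach
        self.entries = []
        self._prev = self.GENESIS

    @staticmethod
    def _body(entry: dict) -> bytes:
        # Canonical encoding of everything except the MAC itself.
        return json.dumps({k: v for k, v in entry.items() if k != "mac"},
                          sort_keys=True).encode()

    def record(self, actor, role, patient_id, fields, purpose, outcome):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "patient_id": patient_id,
            "fields": sorted(fields),
            "purpose": purpose,
            "outcome": outcome,
        }
        entry["mac"] = hmac.new(self._key, self._prev + self._body(entry),
                                hashlib.sha256).hexdigest()
        self._prev = bytes.fromhex(entry["mac"])
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain from the start; False if any entry was altered."""
        prev = self.GENESIS
        for entry in self.entries:
            expected = hmac.new(self._key, prev + self._body(entry),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["mac"]):
                return False
            prev = bytes.fromhex(expected)
        return True


def access_phi(log, actor, role, patient_id, fields, purpose):
    """Return only the requested fields the role is allowed to see and log the
    disclosure; refuse (and log the refusal) if any field is outside the role."""
    allowed = ROLE_FIELDS.get(role, set())
    denied = set(fields) - allowed
    if denied:
        log.record(actor, role, patient_id, fields, purpose, "denied")
        raise PermissionError(f"role {role!r} may not read {sorted(denied)}")
    record = PATIENTS[patient_id]
    disclosed = {f: record[f] for f in fields}
    log.record(actor, role, patient_id, fields, purpose, "disclosed")
    return disclosed


if __name__ == "__main__":
    log = DisclosureLog(key=b"constructed-demo-key-not-for-production")
    print(access_phi(log, "dr_a", "clinician", "P-0001", ["name", "diagnosis"], "treatment"))
    try:
        access_phi(log, "desk_b", "front_desk", "P-0001", ["diagnosis"], "lookup")
    except PermissionError as err:
        print("denied:", err)
    print("log intact:", log.verify())
```

Two design points worth noting. Refusals are logged as well as successful reads, because a pattern of denied requests for a patient's diagnosis is exactly what a security officer (step 1) wants to see during a periodic audit (steps 4 and 5). And the log's HMAC key is separate from anything the application uses to read records, so an insider who can edit the database still cannot quietly rewrite the accounting of disclosures.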

To make sure you're HIPAA compliant, always check the Department of Health and Human Services' guidelines. On its website, you can find HIPAA rules for covered entities and business associates and its HIPAA resources for small businesses.
