Sunday, March 25, 2012

Houston-Healthcare


Houston-Medical_Practice

A sound information security plan covers a multitude of best practices. However, three areas are critical to an effective program: risk analysis and mitigation, effective handling of breach notifications, and sound compliance practices. Nationally recognized experts will provide an update on best practices across these three components of an information security program. Risk analysis (in HIPAA Security Rule parlance) is a fundamental, foundational step for any infosec program. Note that the Security Rule actually requires both a periodic Evaluation (45 CFR 164.308(a)(8)) and a Risk Analysis (45 CFR 164.308(a)(1)(ii)(A)); these are distinct requirements, and the risk analysis must be followed by risk management (164.308(a)(1)(ii)(B)) that reduces the identified risks and vulnerabilities to a reasonable and appropriate level.


The consequences of data breaches are starting to seriously affect organizations. Many organizations do not realize what compliance actually requires: under the Access Control standard (45 CFR 164.312(a)(1)), covered entities must implement technical policies and procedures for systems that maintain electronic PHI so that access is allowed only to those persons or software programs that have been granted access rights under 164.308(a)(4). However, 164.502(d)(2) permits the use and disclosure of de-identified information: health information that meets the de-identification standard in 164.514(a) and (b) is not considered individually identifiable health information and falls outside the Privacy Rule. De-identification is a defined process, either the Safe Harbor method (removal of the 18 listed identifier categories, with no actual knowledge that the remaining data could identify the individual) or Expert Determination; simply masking, obfuscating or redacting a few fields does not by itself meet that bar.
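To make the difference between "redaction" and Safe Harbor de-identification concrete, here is an added example (not code from the original post or from any vendor it mentions) that applies the 164.514(b)(2) rules to a structured patient record: direct identifiers are dropped, geographic units smaller than a state are dropped except for a three-digit ZIP prefix (with the HHS-listed low-population prefixes replaced by 000), dates are reduced to the year, ages over 89 are aggregated into a single "90+" category with the birth year dropped, and free-text notes are scrubbed for SSN, phone, e-mail and date patterns. The field names, the sample record and the regexes are this example's own assumptions about an EHR export, and the restricted ZIP list should be checked against current HHS guidance before use. The 164.514(b)(2)(ii) "no actual knowledge" condition still has to be satisfied by a human review; code cannot do that part.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) of a patient record.

Example code written for this post; field names and sample data are assumed.
"""
import re
from datetime import date
from typing import Any, Dict

# Identifier categories removed outright; these field names are this example's
# own naming convention for an EHR export, not a standard.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric_id", "photo",
}

# Dates directly related to the individual keep only their year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes covering 20,000 or fewer people per the HHS guidance
# (2000 Census figures); these must be reported as 000. Verify before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Identifiers that tend to leak into free-text clinical notes.
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
]

# Reference date for age computation (the date of this post).
AS_OF = date(2012, 3, 25)

# Constructed sample record; the person and values are fictitious.
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Jane Q. Public",
    "ssn": "123-45-6789",
    "mrn": "MRN-0042",
    "street_address": "123 Main St",
    "city": "Houston",
    "state": "TX",
    "zip": "77030-1234",
    "birth_date": date(1919, 5, 4),
    "admission_date": date(2012, 3, 20),
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt called 713-555-0100 on 03/21/2012; SSN 123-45-6789 on file.",
}


def zip3(zip_code: str) -> str:
    """Keep the first three ZIP digits, or 000 for restricted/short values."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def age_on(birth: date, today: date) -> int:
    """Completed years between birth and today."""
    had_birthday = (today.month, today.day) >= (birth.month, birth.day)
    return today.year - birth.year - (0 if had_birthday else 1)


def scrub_text(text: str) -> str:
    """Replace identifier patterns in free text with a category label."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return text


def deidentify(record: Dict[str, Any], today: date = AS_OF) -> Dict[str, Any]:
    """Return a Safe Harbor de-identified copy of `record`."""
    out: Dict[str, Any] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # dropped entirely
        if field == "zip":
            out["zip3"] = zip3(value)     # state-level geography only
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = value.year
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    birth = record.get("birth_date")
    if birth is not None:
        years = age_on(birth, today)
        if years > 89:
            # Ages over 89 and any date element indicative of such an age
            # (including the birth year) are aggregated into one category.
            out["age"] = "90+"
            out.pop("birth_year", None)
        else:
            out["age"] = years
    return out


if __name__ == "__main__":
    for k, v in deidentify(SAMPLE_RECORD).items():
        print(f"{k}: {v}")
```

Run as-is it prints the de-identified sample; in practice the notes scrubber is the weak point (names and non-standard date formats slip through), which is exactly why Safe Harbor on free text usually needs Expert Determination or manual review rather than regexes alone.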


Impairment Resources LLC filed for bankruptcy Friday after the break-in at its San Diego headquarters led to the electronic escape of detailed medical information for roughly 14,000 people, according to papers filed in U.S. Bankruptcy Court in Wilmington, Del. That information included patient addresses, Social Security numbers and medical diagnoses. Police never caught the criminals, and company executives were required by law to report the breach to state attorneys general and the Department of Labor's Office of Inspector General. Some of those agencies, including the Department of Labor, are still investigating the matter, the company said in court papers. "The cost of dealing with the breach was prohibitive" for the company, Impairment Resources said when explaining its decision to file for Chapter 7 bankruptcy protection. That type of bankruptcy is used most often by companies to shut down and sell off what's left to pay off their debts.


It's a numbers game when it comes to information security risk management. The bigger the numbers, the harder it is to manage the risk of unauthorized access to protected health information.


Risk Assessment and Management
By "numbers", we mean the number of vulnerabilities that create risk. For example, in how many locations in an organization does identifiable health information exist, and what controls are in place to protect it from unauthorized access? How many workstations, laptops, flash drives, servers, network devices, portable devices, smartphones and pieces of removable media exist in the organization? How about remote access, wireless access and e-mail accounts? How about data stored in "the cloud"? The numbers grow as you move from a single-physician practice to an ambulatory clinic, to a hospital, to a health system, to an accountable care organization (ACO) or health information exchange (HIE), and every one of those locations has to appear in the risk analysis or it cannot be managed.

281-733-2422 
No matter the size and complexity of an organization, a good starting point is to assess the potential locations and vulnerabilities of protected health information. This must be repeated periodically in order to manage change, and it is a service we specialize in. The objective should be to eventually limit the number of locations, lock down the majority of user workstations, and protect vulnerable media such as authorized portable devices with security controls, including encryption that follows the HHS guidance issued under HITECH (which points to NIST SP 800-111 for data at rest and NIST SP 800-52, 800-77 and 800-113 for data in transit). Remember that the Breach Notification Rule applies only to unsecured PHI: if lost or stolen PHI was encrypted in line with that guidance, and the key was not lost with it, it is not unsecured PHI and no notification is required. There have been enough breach notifications involving lost or stolen portable devices to give all of us an understanding of the risk level. At some point, very soon if not now, a breach due to a lost or stolen unencrypted portable device will be treated as willful neglect, the highest penalty tier under HITECH, and the dollar penalty will be substantial. Call us for more information on helping your Houston Medical Practice reduce your liability and remain compliant with HIPAA and ADA. We have in-house offerings for Houston Medical Practices that are cost-effective and practical.