The Health Insurance Portability and Accountability Act (HIPAA) has big consequences for organizations of all sizes. Companies and institutions that don’t guard employees’ healthcare data may be subject to large fines, patient attrition, brand damage, and lawsuits. For security professionals, a big breach of PHI (personal health information) can become a fast track to a short career.
This situation has become critical because organizations are retaining more healthcare records than ever, and this data presents an appetizing target to cyber criminals. That makes understanding and complying with HIPAA requirements even more urgent. A new white paper, “Protecting HIPAA Compliance in an Age of Advanced, Targeted Cyber Threats,” outlines what your organization needs to know about HIPAA privacy and security requirements and how to stay compliant. Here are some important factors to consider:
- HIPAA isn’t just health insurance records. Data such as employee social security numbers, addresses, and phone numbers are also classified under HIPAA. If your company is hacked (or a laptop with employee information is stolen), there could be serious consequences for your organization.
- There’s a huge black market on the darknet for what’s called protected health information (PHI). PHI can be sold, allowing an identity thief to either go to the hospital under a fraudulent name or, more commonly, file a fake tax return using someone else’s stolen information.
- Reporting HIPAA breaches is mandatory — if you don’t let the government know a breach happened, your organization is on the hook for even more fines.
- A strong cybersecurity defense in your organization, combined with proactively protecting employee data, can sharply reduce the risks of a HIPAA violation.
HIPAA requirements. HIPAA regulations define 11 different “protected items” in health insurance records (per the safe-harbor method of de-identification). These protected items include employee or member names, addresses, driver’s license numbers, medical record numbers, diagnoses, drug information, prescriptions, treatments and more. HIPAA also calls for these records to have portability — if an organization switches to a new system, the data must be able to migrate.