By Brian Shrift, HCISPP
Evidence is mounting that the U.S. Department of Health and Human Services is beginning to crack down on medical practitioners who aren’t fully compliant with the HIPAA Security Rule.
That’s potentially bad news for the many health care organizations that have taken a less-than-rigorous approach to compliance. What does it take to become compliant? First, let’s take a brief look at the rule itself.
The Security Rule’s primary objectives are to ensure the confidentiality, integrity and availability of protected health information (PHI). In plain English, the rule requires adequate safeguards so that patient data is protected from unauthorized access and disclosure, cannot be improperly altered or deleted, and is always accessible when needed.
The HITECH Act of 2009, which required compliance by Sept. 23, 2013, strengthens the civil and criminal enforcement of the Security Rule. The Security Rule has been in force since 2006, but with minimal penalties for non-compliance there was little incentive to make the investment in compliance. With the HITECH Act ushering in penalties of up to $1.5 million, non-compliance is a costly risk.