
HIPAA always changing

One question I love asking covered entities is, “What was the latest change made to HIPAA, and when was it made?” I ask this for two reasons. One: to see what they know and how up to date they are. Two: because HIPAA always changes. In a previous post I have already described the 2008 change from complaint-driven to audit-driven enforcement. There were other changes in 2008. As of November 1, 2008, the Identity Theft Red Flag Regulations, as defined by FACTA (the Fair and Accurate Credit Transactions Act), are required of covered entities.

If a covered entity offers services on a credit basis, that is, providing services first and billing for them later, it must ensure that it is protecting the individual’s credit (financial) information and that the covered entity is not a potential source of identity theft. STOP!! For a minute!!!

Why would DHHS (the Department of Health and Human Services) insist that covered entities need to do more to ensure they are not the cause of identity theft? This is in fact the issue behind the November 2008 change. In other words, DHHS is either admitting that covered entities are not HIPAA compliant, or admitting that HIPAA compliance does not protect patient information. Now ask yourself: how many medical information systems separate the processing and storage of an individual’s medical information from the billing or costs incurred while treating that individual? Very near none. Zero. Nil. The billing and costs incurred are directly linked to the medical information and stored in the same database.

So once Mr. Evil has gained access to the database running the system, will he only go and read the EPHI fields or tables and leave the financial information alone? Come on, get real. Once Mr. Evil has gained access to the database he is going to read everything, especially the financial information.

So really the November 2008 changes are there to reinforce and reaffirm the heavy need for administrative controls and oversight. They shine a light on the fact that HIPAA is not an IT or technical problem but an administrative one. Don’t get me wrong, the IT or technical aspects can make or break compliance, yes. However, the IT or technical aspects are not “THE SOLUTION” to HIPAA compliance.

As part of the Identity Theft Red Flag Regulation changes, covered entities are now going to have to focus more attention on breach notification. This is NOT to say they did not have to in the past. FACTA is just a little more particular about breach notifications than HIPAA was. When you look at the statistical cost of a data breach, on average it is $182 per record. Simply put, lose 26,500 records (the average) and this could cost $4.8 million.

Data Breach Costs Breakdown

(Data taken from the 2006 Ponemon Breach Survey.) 54% is customer opportunity cost, which includes lost customer revenue, lost customer satisfaction, lost customer trust, etc.

If you read the survey further, 55% is spent on marketing, 11% on legal and audit costs, 34% on customer support, and 0% on IT security? Interesting, to say the least.

Are data breach notification costs in your budget, OR in your risk assessment???
