Hospice of North Idaho, with its staff of four, found out the hard way that it had run afoul of the guidelines when it was hit in early 2013 with a $50,000 fine under the Health Insurance Portability and Accountability Act (HIPAA). The provider had no procedures for securing mobile devices, so when it reported the theft from a car of a laptop containing data on 441 patients, the U.S. Department of Health and Human Services (HHS), which oversees HIPAA compliance, opened an investigation. It was the first provider with fewer than 500 patients to be fined under HIPAA, which was first rolled out in 1996.
“This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said Leon Rodriguez, director of the HHS Office for Civil Rights.
The new rules expand the types of entities that are on the hook for noncompliance fines. Now, “covered entities” (defined as both healthcare providers and insurers) and “business associates” (such as data storage providers and even web developers) are all responsible for protecting patient information.
The government’s ramped-up efforts to enforce compliance with the new rules mean regulators will be targeting smaller providers, like the one in Idaho, that may not have the resources to devote to protecting themselves while they focus on what should be their most important goal: keeping people healthy. This is where companies like Matterform come in.
Solutions for Small Providers
Matterform assesses a provider’s entire line of business to identify any security weaknesses. Our audits catch items that are not in line with guidelines provided by HHS, all of which we sum up in a written plan for providers to follow. Once we have a plan, we schedule remediation according to risk priorities and the client’s budget.
The worst thing healthcare providers and their tech associates can do is fail to act immediately to defuse this regulatory powder keg. A vulnerability audit and a written remediation plan are the critical first steps. They are the first things federal auditors will look for, and they will notice if either is missing.