The HIPAA Security Rule is an extension of the HIPAA Privacy Rule into electronic patient information. This includes information that may be stored in:
- EHR Systems
- Practice Management Systems
- Digital X Ray Systems
- Digital Orthotic Scanners
- And any other patient information that may be stored in a computer.
This includes cloud-based systems. YOU are responsible for the privacy and security of all of your data even if you are using a cloud-based EHR or Practice Management System.
You are required by law to complete a thorough analysis of the security of ALL of your digital records, whether they are on computers in your office or on computers in the cloud. In fact, if your cloud server has a breach, it is you who will be held responsible.
Based upon your analysis, you need to develop a plan to properly protect your data. This is your Risk Mitigation Plan.
You must review and update your Risk Analysis and Risk Mitigation Plan on a regular basis.
If you have a HIPAA Breach and you have not kept your Risk Analysis and Risk Mitigation Plan up to date, the government is REQUIRED to fine you.
Some HIPAA fines and settlements have been in the millions of dollars.
If you have a HIPAA Breach, your Risk Analysis and Risk Mitigation Plan are up to date, and you remediate the breach within 30 days of discovery, the government is PROHIBITED from fining you.
Sign up for the TLD Systems HIPAA Program and put your practice in a position to avoid fines related to a HIPAA Breach.
Recent HIPAA Breaches
Here is a report of recent HIPAA Breaches. When you follow the TLD Systems HIPAA program you can avoid many of these breaches and the fines and costs associated with the breach.
Who was Breached?
June 2019: Both Quest and Labcorp experienced HIPAA Breaches affecting 12 million and 7.7 million patients respectively.
The billing/collection agency American Medical Collection Agency (AMCA), which services both Quest and Labcorp, had a security problem with its website. The website was broken into and patient information was obtained.
Even though the breach occurred at AMCA the data belonged to Quest and Labcorp. AMCA was performing a service for the labs and is therefore a Business Associate. When a breach occurs at a Business Associate, the doctor (or in this case the lab) is ultimately responsible for the breach.
- Make sure that you have a Business Associate Agreement in place with every organization that you share patient information with. This is your ONLY protection, and it is required by law.
- Make sure you have at least 1 million dollars of Cybersecurity Insurance. Even if you think you cannot have a breach, if your Business Associate has a breach you may be looking at huge costs.