Reasons why HIPAA Privacy breaches happen…
In our daily lives, the following things happen to us:
- Automobile issues – Car brakes, car engines malfunction, etc.
- Home/House issues – Washer/dryer not working, HVAC malfunction etc.
- Cable/Internet issues – Wi-Fi router, Wi-Fi signal strength, etc.
When these things happen, what do we do? We call the appropriate specialist and get the problem repaired. In our daily lives, things do not fix themselves, so we ask for help to get them resolved. But in healthcare, things also happen and we seldom ask for help to get them fixed, e.g. a HIPAA Privacy breach. We acknowledge the cause(s) of a HIPAA Privacy breach, e.g.:
- Lack of monitoring – patient records
- Inappropriate activity
- Releasing medical records
- Accounting for disclosures
- Theft of devices.
At times we take a different approach to resolving the HIPAA Privacy breach. Like most provider organizations, our approach falls into one of the following four categories:
If your organization is in Quadrant III or Quadrant IV, the reasons cited are lack of tools, lack of resources, corporate priority being cyber security rather than compliance, etc.
It’s easy to acknowledge the causes of the breach (Quadrants II and III), but it is difficult to gauge whether they can be fixed. If the organization is in Quadrant I, we approach compliance in the same manner as cyber security solutions ("let’s do this because other organizations are doing it", e.g. encryption). To comply, management needs to understand the market maturity model (the EMC/RSA maturity model, based on ISO):
- Legacy Risk: security is a necessary evil
- Compliance Risk: security is compliance
- Asset Risk: proactive, assessment driven
- Business Risk: security fully embedded at the workflow level.
The more providers know about compliance and cyber security, the more questions there will be, and the issue gets ignored. So, if a HIPAA breach happens, the blame goes higher up in the organization, where a false sense of optimism lies. Only when the organization understands Asset/Business Risk will it be able to answer its own security/compliance model in terms of:
- Compliance requirements (HIPAA, federal and state regulations)
- Breach security rule
- Business Associates Requirements
- HIPAA security rule
- HIPAA Enforcement (< 500 records) penalties.
At MindLeaf (www.mindleaf.com) we have been protecting patient privacy by ensuring that providers have the right procedures, policies and tools to monitor privacy. MindLeaf and Intel are offering a complimentary breach security assessment for healthcare organizations (www.mindleaf.com/breachsecurityprogram.html).