Monday, May 11, 2009

HIPAA eyes and teeth with latest Virginia PMP breach

Eyes are now set on the hackers who broke into a Virginia Prescription Monitoring Program (PMP) web site, deleting over 8 million patient records and over 35 million prescription records. And to clearly convey the hackers' intent, a ransom note was posted on the web site last week and the site was locked with a password. The going price is $10 million for the return of the healthcare records, and apparently the web site is still inaccessible (it was taken offline soon after April 30th, when the breach was discovered). If you recall, just over a year ago Express Scripts suffered a similar healthcare data extortion attack. Also recall CVS Caremark Corp.'s $2.25 million settlement of a federal investigation for not properly disposing of patient information, after which it had to implement appropriate security at all locations and have external auditors/assessors evaluate compliance for 3 years. BTW, this is a persistent trend: situations of non-compliance or wrongdoing, and the resulting effects and penalties.


Makes you wonder whether the stimulus bill provided enough safeguards for your digital healthcare records. The new rule requires notification of people impacted by a breach (though only for breaches affecting over 500 people), strict enforcement and penalties, and authorizes State Attorneys General to bring civil actions against perpetrators. Further, the recently enacted Health Information Technology for Economic and Clinical Health Act (HITECH), under the American Reinvestment and Recovery Act (ARRA), holds business associates responsible (where applicable) for complying with HIPAA. As such, business associates (not solely covered entities) would be subject to civil and criminal penalties for noncompliance, from appointing a security officer to implementing policy, training, and risk assessments. Then again, without formal guidance issued under the HIPAA privacy and security sections, enforceability, let alone effectiveness, is a mere compliance talking point.

On a side note, physicians will now be required to comply with both the HIPAA privacy and security rules without additional stimulus aid, and that applies to all associates/partners assisting physicians with protected health information. Wonder how these expenses will be passed down… to patients, perhaps?

Regardless, while HITECH makes monetary penalties mandatory, demonstration/proof of willful neglect of compliance duties will be necessary.

So where are all the stimulus dollars going on this topic? In the neighborhood of $31 billion over the next 5 years will go to healthcare infrastructure, which will largely flow through Medicare and Medicaid incentives to both physicians and hospitals for safeguarding electronic health records (EHR). So as you read articles touting HIPAA's new teeth on security, keep in mind that its bite might not be as tight.

Tune into WikiLeaks, the National Institutes of Health, and ARRA.
