Report Faults Security Efforts for Patient Information

As ransomware and cyber attacks continue to target patient information of hospitals and other healthcare organizations at an alarming rate, the pressure is mounting for facility managers and IT professionals to take adequate measures to protect the private information of patients. A new report suggests many have a long way to go in achieving compliance with HIPPA requirements.

The Office for Civil Rights (OCR) at the U.S. Health and Human Service recently released a HIPAA Audits Industry Report that could be quite helpful to covered entities and business associates for tackling HIPAA compliance as we enter the new year, according to The National Law Review.  The report examines OCR’s findings from HIPAA audits conducted during 2016-2017 of 166 healthcare providers and 41 business associates. The audits examined mechanisms for compliance, identified promising practices for protecting the privacy and security for health information, and discovered vulnerabilities that might have been overlooked by OCR enforcement activity. Among the findings:

• Approximately 70 percent of covered entities used breach-notification letters that failed to satisfy regulatory content requirements, such as a description of the electronic personal health information (ePHI) breached and steps individuals can take to protect themselves from additional harm.

• Covered entities struggled to implement requirements for risk analysis and risk management. The report highlighted that only 14 percent of audited covered entities “substantially fulfilled” responsibilities regarding safeguarding of ePHI through risk analysis mechanisms, and only 6 percent adequately fulfilled requirements to implement appropriate risk-management mechanisms to reduce risks and vulnerabilities to a reasonable and appropriate level.

Click here to read the article.