HIPAA rule makes you personally liable

August 8, 2013

Under the rule, individuals associated with security mishaps will become personally liable for their organization’s transgressions

Hospitals and health insurers have access to some of consumers’ most valuable information, from personal health records to Social Security numbers. Failing to properly secure that data comes with a cost. For example, WellPoint was recently fined $1.7 million for exposing over 600,000 individuals’ names, Social Security numbers, addresses and other health information online, a punishable offense under new HIPAA regulations.

Beginning September 23, when the HIPAA Omnibus Rule goes into effect, the individuals associated with such cases will become personally liable for their organization’s transgressions.

Beyond intrusive data leaks, the healthcare industry is also starting to contend with the controversy of data privacy. Given the volume of confidential information on file at various healthcare organizations, the smallest misstep, whether accidental or otherwise, in protecting that data can prove to be incredibly costly.

An increasingly common example is mining patient data for targeted marketing purposes. One of the most publicized incidents was Target’s now-infamous posting of tailored maternity ads. The content was chosen based on data derived from a user’s past purchases and web history.

The more problematic issue for healthcare organizations, however, is third parties’ potential use of this personal information not so much for marketing but to discriminate against individuals based on medical history.

Recent security mishaps and the growing potential for more serious infractions have led to the impending, sweeping modifications to the HIPAA Privacy, Security and Enforcement Rules. Now more than ever, it is the responsibility of healthcare organizations’ leadership to implement proper compliance support to adapt to the changing regulatory landscape. The two pillars of compliance to prioritize now are IT policy and procedure, as well as employee training.

As the healthcare industry becomes more reliant on electronic medical records and digital platforms, the IT department will play a more dominant role in maintaining HIPAA compliance. One of the most important IT steps to becoming compliant is evaluating current devices, software and security safeguards to ensure that all endpoints are defended against external misbehavior or employee error. As evidenced in the WellPoint case, the cost of IT noncompliance can be crippling.

Employee training will also become desperately important by September 23 when business associates and contractors become personally liable for any mishandling of information. Taking a proactive, preventive stance to educating your employees on the latest regulatory guidelines will further mitigate the risk of exposing client information and legal action.

Establishing written and enforceable processes for preventing, addressing and remediating a data breach will better protect your staff, your customers and your overall business health.

The regulatory environment surrounding consumer and patient information is evolving fast. Healthcare organizations across the industry should plan accordingly, not only for legal purposes but to guarantee sustained internal and external success over the long term.

Will Hinde is a healthcare practice director with management and technology consulting firm West Monroe Partners.