[ Wednesday, March 16, 2011 ]


Interesting Article from Health Management Technology: Phil Neray points out how healthcare information is vulnerable, and how most healthcare privacy and security folks are concerned about firewalls and improper access, rather than focusing on the damage that "trusted insiders" can do. It's a good point, but misses a bigger one: all the big HIPAA breaches, and everything that's brought a fine to a covered entity so far, have been improper access issues like lost laptops. There haven't been any "trusted insider" data thefts, or at least not too many, and when those occur, the thieves, rather than the covered entity, pay the price.

Ultimately, Phil may be right: covered entities need to keep an eye on insiders to make sure they aren't "in the till" from an information technology standpoint. But the bigger risk is still data loss. Any covered entity MUST do occasional random audits of access; you've got to review your audit trails. Even if the staff isn't stealing from the data, you still must make sure they aren't snooping or otherwise violating your access policies.
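The audit-trail review the paragraph calls for, as an added example that is not part of the original post: it parses a constructed pipe-delimited EHR access log, flags accesses by users with no treatment relationship to the patient (candidate snooping), flags exports (the data-loss side), and draws a reproducible random sample for manual review. The log format and the care-team table are assumptions made for the example.

```python
import random
from collections import namedtuple

# Constructed sample access-log lines (not real data): timestamp|user|patient_id|action
ACCESS_LOG = """\
2011-03-14T08:02:11|nurse_amy|P1001|view
2011-03-14T08:05:40|nurse_amy|P1002|view
2011-03-14T09:15:03|dr_lee|P1001|view
2011-03-14T12:47:22|clerk_bob|P2001|view
2011-03-14T13:01:09|clerk_bob|P1001|view
2011-03-14T13:02:55|clerk_bob|P1003|export
2011-03-15T07:30:00|dr_lee|P1003|view
"""

# Constructed treatment-relationship table: users on each patient's care team.
CARE_TEAM = {
    "P1001": {"nurse_amy", "dr_lee"},
    "P1002": {"nurse_amy"},
    "P1003": {"dr_lee"},
    "P2001": {"clerk_bob"},
}

Access = namedtuple("Access", "ts user patient action")


def parse_log(text):
    """Parse pipe-delimited audit lines into Access records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split("|")
        records.append(Access(ts, user, patient, action))
    return records


def flag_no_relationship(accesses, care_team):
    """Accesses by a user who is not on the patient's care team: review for snooping."""
    return [a for a in accesses if a.user not in care_team.get(a.patient, set())]


def flag_exports(accesses):
    """Exports move data off the system of record; each one should be justified."""
    return [a for a in accesses if a.action == "export"]


def random_audit_sample(accesses, k, seed):
    """Pick k accesses for manual review; a fixed seed makes the sample reproducible."""
    rng = random.Random(seed)
    return rng.sample(accesses, min(k, len(accesses)))
```

Run over a real audit trail, the flagged list is the starting point for the policy review; the random sample catches violations the relationship table cannot express.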

So, if a covered entity is doing HIPAA right, they may not be focusing like a bank on insiders doing bad stuff, but they're still going to notice it with random audits, and they should be focused more on the data loss/data theft issues like stolen laptops and server drives. If you've got a rogue employee doing bad, OCR probably won't punish you, but if you allow your staff to take unencrypted data on the subway, they will.

Jeff [12:06 AM]
