Health care providers have been called out for having relatively lackluster security controls in place throughout the past several years, while Health Information Portability and Accountability Act violations have increased as well. Although it might seem as though retailers, payment processors and financial service providers are among the most at-risk entities when it comes to cybercrime, experts continue to assert that medical organizations are increasingly targeted by sophisticated attackers.
HIPAA-compliant email, compliant data management strategies and encryption standards are just a few of the more critical aspects of regulatory oversight in the industry today, but organizations must take a few steps beyond simple adherence to state and federal statutes to ensure the integrity of patient records. After all, risks and threats proliferate far more quickly than the average legislature can pass a new law, and this means health care providers must take the initiative and move toward stronger, autonomous protection against breach.
The price of violating HIPAA is extremely high, up to $1.5 million a year for certain types of incidents, while the damage associated with a major data breach that compromises patient records can be far higher. From damaged reputations and fines to direct financial losses associated with the recovery from a breach, the price of poor protection will always be larger than the investment needed to more adequately defend records from cybercriminals and other threats.
Florida unveils updated standards
Alison Diana, writing for InformationWeek, recently reported that lawmakers in the Sunshine State passed the Florida Information Protection Act of 2014 that more stringently covers the notification activities of victimized organizations in virtually every industry - not just health care. The author explained that the law should motivate all types of organizations to rethink their notification and security standards, as it involves much higher fines for noncompliance.
For one, any entity that is struck by a data breach will have a maximum of 30 days to notify any individuals who might have been impacted, as well as the Florida Department of Legal Affairs. Diana pointed out that noncompliance with this statute can lead to significant fines, with the first 30 days following the allotted time period costing $30,000 and each subsequent day thereafter leading to a $50,000 penalty.
In short, firms that do not swiftly identify breaches and notify the necessary individuals will be at risk of experiencing significant financial losses. Now, while FIPA covers all types of organizations, Diana noted that health care providers might run into the most complex challenges when trying to comply with the new statute.
She reached out to Carlton Fields Jorden Burt law partner Jennifer Christianson regarding the risks of noncompliance with HIPAA and FIPA.
"Before, the definition of breach meant it was unlawful and unauthorized. Now it's just unauthorized," Christianson told Diana. "The statute now requires a notification to the Attorney General for breaches, which is a big change. It requires consultation with local law enforcement; before, it was optional. If you believe notice to affected individuals is not required, you will have to go the extra step of consulting with relevant federal, state, or local agencies. You will have to document that for five years."
Staying ahead of the curve
Health care providers can often get a big, positive jump in the right direction by leveraging proven and reliable solutions that provide email encryption and data center services. As HIPAA can be a highly complex piece of legislation to follow, partnering with a firm that specializes in health care compliance and security might be the best choice when looking for a third-party service provider.