A short while ago, someone stole the medical records of Michael Schumacher, the severely injured Formula One race car driver, and put them up for sale on the Internet for 60,000 Swiss francs. So far, no tabloid has picked them up. I’m not sure what they would pay for them if they did, but the seller must have been hoping for a big payday, because the fine for using a person’s health information for personal gain in this country can run as high as $250,000 and imprisonment for up to 10 years. By comparison, the Swiss Federal Data Protection Act of 1992 states that such acts “shall be punishable on application for prosecution by a term of detention or by fine.” I am sure the Swiss take such infractions just as seriously as we do.
Aside from minor family celebrity at my annual 4th of July picnic, I doubt I will ever face Michael’s problem. So, curious, I did a little homework on what HIPAA is really there for.
It turns out that the fear of having personal medical information revealed can have a significant impact on health care. That fear translates into a reluctance to disclose important health issues to doctors. In one study I read, even the homeless refuse to provide complete information if they fear it will be made public, even though their concerns over higher health care premiums, employer reactions, and peer criticism are generally far lower than ours.
But this really caught my eye.
The Cost of HIPAA HITECH Settlements
The Health Insurance Portability and Accountability Act, along with the Health Information Technology for Economic and Clinical Health Act (HIPAA HITECH), establishes our national standards for the handling of Protected Health Information (PHI). In May, New York-Presbyterian Hospital and Columbia University incurred the largest HIPAA settlement to date: $4.8 million. Bad for them, because the breach came to light when an individual complained after finding the medical records of his deceased partner on the Internet. What? There’s no way I want people to be able to Google my health care records.
Here’s where it gets particularly significant for identity and access management operations. According to the Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure, threats to privacy generally fall into the following categories:
- Insiders who make innocent mistakes and cause accidental disclosures
- Insiders who abuse their record access privileges
- Insiders who knowingly access information for spite or for profit
- Vengeful employees and outsiders who attack to access unauthorized information, damage systems, and disrupt operations
HIPAA HITECH Authorization and Access Automation
Authorization to access information covered by HIPAA HITECH is based on a person’s legitimate position within the organization. If your system of record is current, members of your HR organization are best equipped to make access and privilege decisions.
Ultimately, however, your HIPAA HITECH solution should be a combination of prevention and accountability. Even the right people, as I stated earlier, can misuse their privileges for profit, sabotage or just plain vengeance. Automated identity management systems can tell you not only who accessed the information, but when, so appropriate action can be taken.
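As an added illustration (not code from this post or from any product it mentions), here is a small Python model of that prevention-plus-accountability approach: access to PHI is granted only from the position recorded by HR and the patient assignment, and every attempt, allowed or denied, is logged with who and when so the log can be reviewed for the insider patterns listed above. The users, positions, patient IDs and review threshold are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed HR feed: each user's current position. A user missing here, or
# holding a position that grants nothing, has no legitimate basis for PHI access.
HR_POSITIONS = {"alice": "attending_physician", "bob": "billing_clerk",
                "carol": "former_employee"}
# What each position legitimately needs; an unlisted position grants nothing.
ROLE_PERMISSIONS = {"attending_physician": {"read_chart", "write_chart"},
                    "billing_clerk": {"read_billing"}}
# Constructed care/billing relationships: the patients each user may act on.
ASSIGNMENTS = {"alice": {"P-100", "P-101"}, "bob": {"P-100", "P-101", "P-102"}}

AUDIT_LOG = []  # every decision, allowed or not, with who and when


def authorize(user, action, patient_id, when=None):
    """Prevention: grant only what the HR position and the patient assignment
    justify. Accountability: record every attempt, including denials."""
    role = HR_POSITIONS.get(user)
    allowed = (action in ROLE_PERMISSIONS.get(role, set())
               and patient_id in ASSIGNMENTS.get(user, set()))
    AUDIT_LOG.append({"user": user, "role": role, "action": action,
                      "patient": patient_id, "allowed": allowed,
                      "at": (when or datetime.now(timezone.utc)).isoformat()})
    return allowed


def review(log, denied_threshold=2):
    """Accountability review: users with repeated denials (probing beyond their
    privileges) and users who touched PHI without any current HR position."""
    denied = Counter(e["user"] for e in log if not e["allowed"])
    repeat_denials = {u for u, n in denied.items() if n >= denied_threshold}
    no_position = {e["user"] for e in log if e["role"] not in ROLE_PERMISSIONS}
    return {"repeat_denials": repeat_denials, "no_position": no_position}


def demo():
    t = datetime(2014, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    authorize("alice", "read_chart", "P-100", t)  # her patient: allowed
    authorize("alice", "read_chart", "P-102", t)  # not her patient: denied
    authorize("bob", "read_chart", "P-100", t)    # billing clerk, chart: denied
    authorize("bob", "read_chart", "P-101", t)    # second denial: flagged
    authorize("carol", "read_chart", "P-100", t)  # departed employee: flagged
    return review(AUDIT_LOG)  # {'repeat_denials': {'bob'}, 'no_position': {'carol'}}
```

The review step is what turns the log into action: a person with the right job but repeated denials, or a name no longer in HR, is exactly the insider case the threat categories above describe.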
Unfortunately, industry officials point out, many health care breaches still go unreported. But as I said, having the right software to increase prevention and accountability can make the difference between providing the secure environment patients need and expect, and multimillion dollar settlements with health care and HR organizations like yours when they don’t.
So not only are there good reasons for me to want HIPAA on my side; if you haven’t already, you clearly need to take steps to make sure you’re on the HIPAA HITECH side as well.
Learn the top 10 Access Governance Best Practices for successful implementations from experts. Sidestep the challenges that can derail GRC software and compliance management projects.