Site Menu

HIPAA Enforcement Gets Serious

By Jim Hietala
Published 11/18/2008

I missed this a few months ago when it first appeared, but today ran across an article from September in Computerworld that described the penalties levied by DHHS against Providence Health in Seattle for HIPAA violations. The amount they were fined, $100,000, is significant. It's the $25,000 maximum HIPAA fine times four, for the four EPHI loss incidents. The loss incidents had to do with laptops stolen from the organization that housed EPHI.

What is even more significant is the set of actions (3 year Corrective Action Plan is here) that were mandated by DHHS. These include:

- a risk assessment (an annual HIPAA requirement anyways)
- implementing security measures to reduce risks and vulnerabilities
- physical safeguards around offsite storage of EPHI, safeguards addressing transport of EPHI offsite
- encryption of portable devices, encryption of backup media
- physical security controls for portable computers
- workforce training
- monitor reviews of staff at the organization- essentially quarterly audits to ensure the prescribed controls are acually put into practice
- unannounced site visits
- annual reports, and more

It is nice to see DHHS taking HIPAA Security Rule compliance seriously enough to impose these security controls on a healthcare organization that has had issues. I don't think any of these security controls are particularly onerous- really they are best practive sorts of things. Healthcare organizations will treat IT security more seriously in the future, and fund it appropriate to the set of risks, including (now) increased regulatory compliance risk.

Jim

Jim Hietala

Jim Hietala, CISSP, GSEC, is Research Director and a principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. He is also the Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities.

Jim has provided research and consulting services to organizations such as SANS, The Open Group, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

An industry veteran, he has held leadership roles at ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric Network, and Digital Pathways. He developed and launched the industry’s first remote access VPN service (Concentric RemoteLink) and encrypting ISDN router (at Network Express), and launched a compliance and risk management software start-up in the IT-GRC market.

He holds a B.S. in Marketing from Southern Illinois University.

Blog: www.compliancefocus.com

Twitter: http://twitter.com/jim_hietala

LinkedIn: http://www.linkedin.com/in/jimhietala

Blogging focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy

Jim can be reached at: jim@compliancefocus.com