HIPAA – Hey we’re not health care, who cares?
About a month ago, I had to go to the emergency room at the local hospital. A few weeks after, I received a letter from the hospital informing me that they had mistakenly given all my patient information to another patient, including all my personal information and social security number. The gist of the letter was “oops – we’re sorry”. What angered me was that it was my responsibility to notify all credit agencies, banks, etc. that I could incur an additional data breach on my accounts because of the hospital’s mistake.
Of course, being a hospital, HIPAA is a really big deal. But what about the impact on other businesses that have nothing to do with healthcare? In the U.S., the federal Health Insurance Portability and Accountability Act (HIPAA) provides protection of Personal Health Information (PHI). As of January 2013, the law was expanded to include ‘business associates’, typically insurance companies and similar organizations that often deal with patient records.
A subtle change, though, is that any company that creates, receives, maintains, or transmits PHI, which is the majority of companies, must also comply. Enforcement is also being stepped up. The latest Omnibus Final Rule update to HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH) expanded the regulatory scope and added more random audits as well as stiffer penalties, up to $1.5 million for egregious violations. The Omnibus rule also covers Personally Identifiable Information (PII), which directly impacts all businesses.
Ensuring compliance and the protection of PHI or PII covers a vast array of information types and sources. Faxes, emails, scanned content and recorded conversations are all legally protected. In the US, the National Institute of Standards and Technology (NIST) classifies as PII even information that would seem meaningless, such as a home address, which looks somewhat innocuous compared to a national identification number.
Will most organizations outside of health care ever get audited? Most likely not. But, as we have seen with Target, the cost of the data breach was $148 million. Why is the theft of personal information so lucrative? A full identity profile can bring $500 on the black market, whereas a credit card number or social security number fetches around $1 (Politico).
Organizations shouldn’t fear an audit; they should fear an exposure.