SecurityMetrics Reports on HIPAA Security Rule Compliance

What steps are U.S. healthcare organizations taking to ensure HIPAA Security Rule compliance? How well are HIPAA Rules understood? Are healthcare providers now actually compliant with HIPAA Rules?

These questions will naturally be answered when the Office for Civil Rights compliance audit program recommences early in 2016. In the meantime, SecurityMetrics – a Utah-based merchant data security and compliance company – decided to get some answers now and conducted a survey of health IT professionals to gain a better understanding of the general state of HIPAA compliance among healthcare organizations.

Attitudes on HIPAA-Compliance Probed

SecurityMetrics compiled a survey to probe attitudes on common patient health data protection issues, the network security measures used to safeguard data, and other security issues such as Wi-Fi encryption. The aim was to gain a better understanding of the efforts U.S. healthcare organizations are making to comply with the HIPAA Security Rule.

Over 300 healthcare professionals took part in the survey. They were asked over 40 questions relating to data security and patient privacy issues, and were also asked to rate their own organization’s compliance efforts. The company’s report provides some insight into the general state of HIPAA compliance. Some of the key findings of the report are listed below:

  • 10% of respondents indicated their organization did not plan to achieve full HIPAA-compliance status
  • 20% of C-Suite staff did not plan to follow all HIPAA Regulations
  • 77% of organizations provided Security Rule and Privacy Rule training to staff, yet 10% said their staff received no HIPAA training whatsoever
  • 60% of compliance officers and health IT professionals said their organization had developed a Risk Management Plan
  • Only 63% of healthcare organizations were currently encrypting Protected Health Information stored on work devices
  • Confidence in compliance efforts was high, with 80% believing their organization was HIPAA-compliant, although only 76% of risk and compliance officers believed that their organization would actually pass an OCR HIPAA-compliance audit
  • Most of the IT professionals’ and compliance officers’ answers revealed their organizations were not actually fully compliant with all aspects of the HIPAA Security Rule

According to SecurityMetrics HIPAA Security Analyst, Brand Barney, “The healthcare industry is significantly less secure than executives think.”

Fortunately, with at least two and a half months to go until the second round of HIPAA-compliance audits starts, there is still time for healthcare organizations to address risks and achieve full compliance status. Based on the results of the survey, a small percentage plan to do very little. If those organizations are selected for an audit, they could be in for a rude awakening, and potentially a very costly one. Even if they escape an audit, the next data breach they suffer could still incur considerable costs.

What are those costs? SecurityMetrics pointed out that, in addition to an OCR HIPAA fine of up to $1.5 million per violation category, per year, the costs that could potentially be incurred include:

  • State attorneys general fines in the region of $150,000 to $6.8 million
  • Federal Trade Commission fines of $16,000 per violation
  • Credit monitoring services for data breach victims at $10 per individual
  • Approximately $1,000 per breach victim if a class-action data breach lawsuit is successful
  • Loss of patients, which could be as high as 40%

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com