A stolen record sells on the dark web for an average of $148, according to Ponemon’s 2018 Cost of a Data Breach Study.
Compare that to records snatched from the healthcare industry, which fetch more than those of any other sector at $408 per record.
However, penalties for violating HIPAA reach into the hundreds of thousands and even the millions, dwarfing these numbers.
Ensure your organization is compliant by completing your annual HIPAA assessment.
HIPAA requires covered entities—healthcare providers and insurers, as well as business associates—to conduct a risk assessment.
“A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards,” says HealthIT.gov. “A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk.”
Many covered entities initiate an annual assessment but rarely finish because of its intensive nature.
These entities may consider working with a healthcare IT support partner in order to complete the assessment.
Alternatively, the HHS has provided a wealth of security rule guidance material to assist in HIPAA compliance.
After completing the risk assessment, covered entities can begin to plan for risk management.
The risk management plan should include “the implementation of security measures to:
In other words, the plan should include a list of known vulnerabilities, which can be updated as those vulnerabilities are mitigated.
A BAA is a business associate agreement.
The HHS describes a business associate as any person or entity outside the workforce of a covered entity, including subcontractors, who can access protected health information.
The agreement helps the business associate understand how to safeguard, use, and disclose PHI.
The final requirement for an annual HIPAA assessment is drafting and updating policies for cybersecurity.
These policies are grouped by the HHS into four domains:
Of course, these policies are only as good as the people who enforce them.
A 2018 MediaPro report found that 78 percent of healthcare workers lacked the skills to handle common privacy and security threats.
HIPAA assessments require considerable effort.
If you follow these four steps, though, you’ll be well on your way to compliance.