The update expands the number of organizations directly responsible for compliance with HIPAA requirements, making them liable for failing to secure PHI. Instead of just health care providers, those responsible and liable now include their Business Associates (BAs) as well, such as the vendors, contractors and consultants they hire, and even subcontractors of BAs, if they handle PHI.
Rachel Seeger, of Health and Human Services (HHS) Office of Civil Rights (OCR), said BAs and subcontractors are now "directly liable" for compliance with HIPAA privacy and security rules, including "Impermissible uses and disclosures (including more than the minimum necessary)."
"We need to 'build security in,' and make the secure way of doing business the way the business people will use by default. I'm not saying effective awareness training has no value but putting too much reliance on it is not a winning strategy."
- Martin Fisher, director of information security, Wellstar Health System

While some experts think security awareness training will lead to fewer breaches, others disagree. Danny Lieberman of Software Associates said "when there is a financial incentive to steal data and you have an insider or partner with access, then you have motivation and means and all you need is opportunity to have a crime."
Organizations that want proactive detection of insider privacy breaches are using low-cost, on-demand SaaS analytics services.
Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Sources:
(a) Can the new HIPAA rule cut PHI breaches? - www.CSOonline, 11/08/2013