Recently a healthcare organization was fined $850,000 for HIPAA violations. At the top of the list of non-compliant activities was the organization's failure to conduct a thorough risk analysis covering all of its ePHI (electronic protected health information). The HIPAA Security Rule, 45 CFR 164.308(a)(1)(ii)(A), requires a covered entity to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”
In order to conduct a thorough risk analysis, the organization must first identify everywhere ePHI is processed, stored, or transmitted. In this case the organization lost a laptop that was used to operate a CT scanner and produce its images. More and more of the medical devices in use today are connected to the hospital network, wired or wirelessly, so they can send information to and receive it from the EHR (electronic health record). It is not surprising, then, that these devices contain ePHI. Unfortunately, they are often overlooked when the risk analysis is conducted, leaving the organization exposed to a HIPAA violation.
This particular incident shows the importance of including all medical devices in the risk analysis. Organizations should take a serious look at their medical devices, determine which ones store, process, or transmit ePHI, and identify the risks and vulnerabilities associated with each. Then, where possible, they should find solutions to mitigate those vulnerabilities. Any risk that is identified and not mitigated must be formally accepted by the organization.
Conducting a thorough risk analysis that includes medical devices will not only satisfy the HIPAA rule, it will provide the basis for securing all of the organization’s ePHI. HIPAA was created for the protection of patients, and medical organizations would be wise to adhere closely to the rules that apply to them or face the wrath of the federal government.
James L. Angle
Regional Information Security Officer