The US Department of Health and Human Services' (HHS) data-security audit of Piedmont Hospital in Atlanta opened a debate over the federal government's willingness to enforce HIPAA's security and privacy rules.
Roughly 18 months after the Piedmont audit, HHS reached a stringent agreement with Seattle-based Providence Health & Services. Following the enforcement agency's audit of the health service provider, Providence agreed on July 18th to follow a corrective action plan (CAP) and pay $100,000 to settle 'potential violations' of the Health Insurance Portability and Accountability Act (HIPAA) rules protecting electronic patient data.
The loss or theft of laptops, optical discs and backup tapes holding the unencrypted medical records of more than 386,000 Providence patients led HHS to examine the provider's data security under HIPAA. Under the CAP, Providence must restructure its security policies, including physical protections for portable devices and for the storage of backup media.
The agreement also requires encryption and password protection for patient data, along with audits of the company's operations in all five states where it operates. Providence's chief security officer must personally validate that these policies are being followed. Under the CAP, Providence Health & Services agreed to the following steps:
* “Revise policies and procedures for safeguarding patient data while it is stored at or being transported to off-site facilities.
* Train all workers on security policies and submit proof to HHS that the training has been completed.
* Update policies as needed, but at least on an annual basis.
* Ensure that a security risk assessment and management plan and a data breach notification policy are in place.
* Conduct reviews that include unannounced audits, spot checks and site visits at company facilities.”
This action sends a clear message to other service providers: it is time to prepare and to follow HIPAA's requirements for medical data security.