Office for Civil Rights Director Leon Rodriguez presented at the HIMSS13 conference Monday morning. His message was very clear. Organizations that make an effort to protect patient information by the use of encryption, and organizations that respond to and learn from breaches, will be much better off. Organizations’ “willful neglect” of the HIPAA regulations and failure to protect patient information will be punished and fined.
Respond and Learn from Breaches
“The real purpose of breach notification is for covered entities to identify the vulnerabilities that resulted in the breach, (and) remedy those vulnerabilities in an immediate and decisive manner,” said Rodriguez, “And also for us to learn from those breach reports where those vulnerabilities are.”
One of the most foolish things to do, he said, is to forgo encryption. And ultimately, Rodriguez added, it’s more cost-effective for a covered entity to get its HIPAA house in order before a breach than to risk the enforcement that follows one.
Perform a Risk Assessment
Rodriguez said a number of diverse entities were found to have an ineffective risk analysis. “We found there were entities that encrypted and entities that did nothing at all.”
Organizations need to perform a Risk Assessment to determine the likelihood of risks and what additional security measures should be put in place to protect patient information. A Risk Assessment will identify where encryption is the appropriate safeguard. Download our free guide to better understand the HIPAA Risk Assessment process.
Encryption is inexpensive and easy to implement. Find out more simple and easy tips to protect patient information before a breach occurs!