The Federal Government has recently revamped the HIPAA (Heath Insurance Portability and Accountability Act), and made some very clear statements – if you are a health care organization and you don’t rigorously protect your patients’ personal health information, you could pay up to $1.5 million in fines.
As part of the Heath Information Technology for Economic and Clinical Health (HITECH) Act, passed last year as an addition to the 2009 American Recovery and Reinvestment Act, all Protected Health Information (PHI) must be secured, and only transmitted electronically if it is unreadable by a 3rd party.
Email is a high-volume communications channel. Even a small percentage of unsecured PHI quickly mounts to a large risk. Unencrypted email containing sensitive data compromises patient privacy. Under HIPAA’s new rules, an organization will be held accountable, with repercussions to its reputation and its bottom line. The greater the volume of email, the higher the risk.
Unfortunately, up to this point, the message didn’t seem to be getting through. In a 2008 security survey for the Healthcare Information and Management Systems Society (HIMSS), sponsored by Booz Allen Hamilton, little more than half of those polled said they were encrypting email. In 2009, a follow-up study for HIMSS conducted by Symantec showed only a small increase in the number that bothered to encrypt data in motion—perplexing, given the enhanced enforcement and stiffer penalties meted out under the new HIPAA laws.
Penalties for Non-Compliance
According to the HITECH Act, fines imposed can range from $100 per violation to $1.5 million maximum per calendar year. Monetary fines are based on tiers, with each tier punishing violations different level of capability by the offender. The tier of the penalty will be decided based on the nature and the extent of the violation and the nature and the extent of the harm resulting from the violation.
Getting in compliance
In an effort to help our healthcare and small business clients stay compliant with the new regulations, Skoda Minotti Technology Services now offers compliant e-mail encryption services, sold on a per-mailbox basis. encryptIT, a new addition to our outsourceIT suite, allows organizations to automate the encryption of their outgoing email either on-demand or by pre-defined policies. We have partnered with Zix Corp to provide this service, the leader in compliance email encryption services.
To learn more about encryptIT, contact Brian Rosenfelt in Skoda Minotti's Technology Partners by calling 440-449-6800.
Click here to receive a free compliance review.