Compiling the statistics for insider threats to patient privacy is easy. It’s the mitigation of these risks that takes time, strategy, and commitment. According to the January 2017 Protenus Breach Barometer, internal health system employees were responsible for 58.4% of breached patient data during January 2017.
HIPAA isn’t the only privacy, security, and breach notification law in the country. In fact, HIPAA is designed to work with state laws, and in cases where state laws are stricter or prescribe a higher level of privacy or security, HIPAA explicitly directs covered entities and business associates to follow state law. A covered entity or business associate that isn’t in compliance with state privacy, security, and breach notification laws is not in compliance with HIPAA, and is at risk of both federal and state action.
The Office for Civil Rights (OCR) announced its seventh HIPAA violation settlement of 2017, putting the agency well on its way to topping last year’s record-setting number of HIPAA settlements.
The Substance Abuse and Mental Health Services Administration (SAMHSA) gave organizations and patients some relief from the stricter privacy rules protecting substance abuse and treatment information. But did SAMHSA really make the rule simpler, or will privacy and security officers find themselves grappling with a fresh set of complicated rules and exceptions?
An authorization generally applies when an organization wishes to use or disclose a patient’s protected health information for a purpose other than treatment, payment, or healthcare operations, or for legally required purposes. In this case, a patient must sign a HIPAA-compliant authorization form that specifically grants permission to the organization.
