
5 Things CISOs Should Know About HIPAA

The more advanced technology gets, the more chief information security officers have to worry about. And with hackers waging significant wars on major organizations like JPMorgan Chase and Anthem, their job has become more important than ever.

CISOs especially don’t want to get lax with HIPAA compliance. The penalty for non-compliance can reach hundreds of thousands of dollars. In fact, the largest HIPAA settlement to date occurred in 2014, when two healthcare organizations (NewYork-Presbyterian Hospital and Columbia University) were blamed for lapses in HIPAA compliance that jeopardized 6,800 patients’ electronic records. They reached a settlement, but the cost was astronomical — $4.8 million. If that kind of bill doesn’t get a CISO’s attention, perhaps jail time will? A CISO could face up to 10 years in prison for failure to comply with HIPAA regulations.

Here are five things CISOs should know about HIPAA Compliance:

1. HIPAA Isn’t Voluntary

The moment an organization comes into contact with protected healthcare information (PHI), it must spring into action with full HIPAA compliance — or else. That means developing, implementing and thoroughly documenting every measure taken to protect PHI in four key areas of CFR 45 Subtitle A Subchapter C Part 164:

(1) Organizational Requirements
(2) Security Standards
(3) Breach Notification
(4) Privacy

2. HIPAA Requires Periodic Auditing

That’s right. Putting safeguards into place isn’t enough. HIPAA guidelines also mandate that the covered entity or business associate conduct evaluations periodically to ensure all necessary safeguards are in place and can be shown to be working. These evaluations should be repeated in response to any changes in the security environment (for example, new equipment introduced into the network) and should thoroughly scan for weak points that could put private data at risk.

3. HIPAA Mandates a Procedure for Reviewing Records

CISOs should be regularly reviewing information system activity, such as audit logs, access reports and security incident tracking reports, which also means these components must be in place and retained. If a security incident is detected, organizations are required by law (to the best of their ability) to respond, mitigate any harmful effects, and document the outcome.
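The review described above is usually carried out over ePHI access logs, so the following is an added illustration (not code from the original post or from Schellman) of what a minimal, documented review looks like: it parses constructed sample access-log lines, applies two assumed review rules (access outside an assumed 07:00–19:59 window, and one user touching an unusually large number of distinct patient records in a day), and produces a review record that documents the outcome even when nothing is found. The log format, thresholds and field names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample ePHI access-log lines (not real data).
# Assumed format: ISO timestamp, user, patient_id, action
SAMPLE_LOG = """\
2024-03-04T09:12:00,nurse_a,P1001,view
2024-03-04T09:15:00,nurse_a,P1002,view
2024-03-04T02:40:00,clerk_b,P2001,export
2024-03-04T10:01:00,clerk_b,P3001,view
2024-03-04T10:02:00,clerk_b,P3002,view
2024-03-04T10:03:00,clerk_b,P3003,view
2024-03-04T10:04:00,clerk_b,P3004,view
2024-03-04T10:05:00,clerk_b,P3005,view
2024-03-04T10:06:00,clerk_b,P3006,view
"""

BUSINESS_HOURS = range(7, 20)  # assumed: 07:00-19:59 counts as normal working hours
BULK_THRESHOLD = 5             # assumed: distinct patients per user per day worth a second look


def parse_log(text):
    """Turn the CSV-style log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return events


def review_activity(events):
    """Apply the review rules and return a list of findings to investigate."""
    findings = []
    per_user_day = defaultdict(set)  # (user, date) -> distinct patient ids

    for e in events:
        # Rule 1: any access outside the assumed business-hours window
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append({
                "rule": "after_hours",
                "user": e["user"],
                "patient": e["patient"],
                "action": e["action"],
                "ts": e["ts"].isoformat(),
            })
        per_user_day[(e["user"], e["ts"].date())].add(e["patient"])

    # Rule 2: one user reaching many distinct patient records in a single day
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) >= BULK_THRESHOLD:
            findings.append({
                "rule": "bulk_access",
                "user": user,
                "day": day.isoformat(),
                "distinct_patients": len(patients),
            })
    return findings


def incident_record(findings, reviewer, reviewed_at=None):
    """Document the outcome of a review; a clean review is still recorded."""
    reviewed_at = reviewed_at or datetime.now().replace(microsecond=0)
    return {
        "reviewed_by": reviewer,
        "reviewed_at": reviewed_at.isoformat(),
        "finding_count": len(findings),
        "findings": findings,
        "status": "open" if findings else "no_action_required",
    }


if __name__ == "__main__":
    found = review_activity(parse_log(SAMPLE_LOG))
    print(incident_record(found, reviewer="security_analyst"))
```

Run as-is, the review flags the 02:40 export by clerk_b and clerk_b's seven distinct patient records on the same day, and writes both into a record with an open status; the point of the `incident_record` step is that the documentation obligation applies whether or not anything was found.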

4. It is the Responsibility of the Covered Entity to Ensure Business Associates Comply

Via the Final Omnibus Rule of 2013, covered entities can extend coverage to business associates (or other third-party providers) who need to create, receive, maintain or transmit electronic protected healthcare information on behalf of the covered entity. However, it is the responsibility of the covered entity to ensure said business associate (or third party) has proper safeguards in place. Assurances must be documented via some form of contract or agreement.

Also included in this rule are new procedures for notifying the Office for Civil Rights of a breach of PHI. Failure to report could result in federal investigation, civil action and (you guessed it) more fines.

5. Fines Are Outrageously High

The introductory scenario is a bit extreme, but that doesn’t exempt a covered entity or business associate from paying some serious fines if any discrepancies are found in compliance. As of 2013, a single HIPAA violation costs $50,000 per compromised patient record. Do the math — NewYork-Presbyterian Hospital and Columbia University got off the hook easy with their $4.8 million settlement.

If you need help understanding what your privacy and security obligations are, consider working with a compliance services provider. They can help you design and implement procedures to ensure HIPAA compliance, as well as test security controls to confirm all safeguards are properly working to protect private information.

About Vish Davé

Vishal Dave is a Manager with Schellman based in Orlando, FL. Dave worked as a Senior HIPAA Security Analyst at JDL HealthTech, specializing in HIPAA compliance, compliance monitoring, audits, security risk assessments, training, and IT advisory based on analysis and results.