This is a quick reminder that the September 23 deadline for compliance with the new HIPAA regulations is rapidly approaching. Organizations that handle protected health information (PHI) need to be sure they are up to speed on the changes and ready to withstand scrutiny. In general, you will need new NPPs and BAAs (Notices of Privacy Practices and Business Associate Agreements).

We talked about the new HIPAA in an August blog post. and I recorded a webcast on the HIPAA changes that you can watch. Shortly after that HIPAA post went up we got a nasty reminder of how badly things can go wrong when handling PHI. On August 26, Healthcare IT News reported that one of America's largest healthcare providers, Advocate Health System had begun notifying 4 million people that protected health information and Social Security numbers had been compromised after the theft of four unencrypted company computers. That's a fairly stunning number of sensitive records, prompting the headline "Behemoth breach". Clearly Advocate is facing millions of dollars in unexpected costs to remediate this, and you can bet OCR investigators will want to see where the organization documented its decision not to encrypt these records.

I've mentioned the importance of HIPAA documentation before. If there's one thing that seems to provoke the ire of OCR it is failure to document your reasons for the security posture you have adopted--in other words the one thing worse than a wrong decision is no decision because you didn't even bother to think about it. Now is a good time to make sure your risk assessments and PHI data flows are properly documented and significantly reduce your chances of ending up on the the wall of shame.

If you would like a copy of the slides that I used in the webcast please email stephen [dot] cobb [at] eset [dot] com. Also check out ESET Solutions for Healthcare for more helpful resources.