HIPAA Privacy is About More Than Just Compliance

By: Josh Mayfield | 9/24/2018

Nearly every healthcare IT professional I’ve spoken to is seriously overburdened when it comes to protecting patient privacy. From annual security assessments to following breach protocols and everything in between, maintaining HIPAA compliance requires more than most IT departments are resourced to handle. Top of mind for most healthcare administrators, however, is the reality of non-compliance.

HIPAA violations vary widely in both cost and root cause. In 2017, for example, St. Luke’s Roosevelt Hospital Center in New York paid a $387,000 fine for faxing patient health information (PHI) to the individual’s employer. This month, three Boston hospitals were ordered to pay more than $1 million collectively for compromising patients’ PHI when they invited film crews on site without first obtaining patient permission. In June, a judge ordered MD Anderson to pay $4.3 million in penalties for failing to encrypt devices that handled and held PHI after a laptop was stolen and two thumb drives were lost.

While compliance is certainly everyone’s goal, let’s not forget the primary HIPAA Privacy mandate: data protection as a civil right. The HIPAA Privacy Rule gives individuals rights over their own healthcare information. When those rights are violated, fines are high and breach recovery is costly, at an average of $408 per record in 2018, the highest of any industry according to the IBM Cost of a Data Breach study.

Perhaps even more important, though, is that patients lose trust in their healthcare provider(s) when their rights are violated. According to one study, 54% of patients say they would be ‘very’ likely or ‘moderately likely’ to change providers after a breach of their PHI. This loss of trust has a direct impact on a healthcare organization’s bottom line over the long term.

Whether you are new to the HIPAA Privacy Rule or thoroughly familiar with complying with it, it pays to go back to the basics for a fresh look. Watch the quick primer video below and, while you’re there, be sure to subscribe to our YouTube channel for future primer videos. You can also learn more about how one healthcare organization achieved HIPAA compliance with improved visibility and control over their sensitive data with Absolute.

Video transcript:

#1 - HIPAA Privacy Rule

Hey, Josh here from Absolute. This week’s episode is focused on the HIPAA Privacy Rule. We’ll look inside this massively influential law, and talk about how to safeguard your protected health information.


To start, HIPAA stands for Health Insurance Portability and Accountability Act. And, the HIPAA Privacy Rule is ultimately a topic of civil rights.

It mandates data protection across all “individually identifiable health information”.

The HIPAA Privacy Rule affirms the rights of an individual’s health information.

When suspected violations happen, it is the Office for Civil Rights — or OCR — who does the investigating. Since 2010, the OCR has successfully settled over 150,000 cases.

But a lot of that data now sits on endpoints spread around the globe.

Protected health information, commonly known as “PHI”, is individually

PHI has become unbounded. It resides in local drives, cloud storage apps — like Dropbox and Google Drive; and the biggest loose cannon of all, personal USB keys!

To protect data in this mutating attack surface, healthcare IT and security teams are turning to the fundamentals to answer 5 questions:

One. What could happen? This is your security posture.

Two. What should happen? Think, in relation to your security policy.

The third question, “what would happen?”, directs us to security modeling to prepare for different circumstances.

Four. What is happening? Imagine hovering over the entire endpoint population.

And, the final question: What did happen? Here, we get into digital forensics and investigate past incidents.

It starts with “visibility”.

If you don’t know what devices you have, you’d be relying on luck to protect them.

By mitigating risks with asset intelligence, i.e. visibility, and persisting endpoint hygiene, IT teams are able to protect data without leaving their seats.

Will we rise to the challenge or will we sit back as disaster unfolds? For what it’s worth, I think we’ll rise to the challenge.


All right, that’s it! Please make sure to subscribe and stick to this channel, as we’ll be looking at the HIPAA security rule in the next episode.