The assumed answer is HIPAA. To clarify, HIPAA is an act of Congress, not a governing body of any sort. HIPAA's rules and regulations are enforced by the U.S. Department of Health & Human Services (HHS) through its Office for Civil Rights (OCR). Apart from State Attorneys General (discussed below), no other entity can enforce HIPAA directly; instead, it acts as the standard of care for the healthcare industry and is used as a measuring stick for due diligence when other regulators and courts judge whether an organization did enough to protect patient data.
FTC
The Federal Trade Commission (FTC) is an example of a government organization that has brought cases against companies for poor cyber security practices, under its authority over unfair or deceptive practices (Section 5 of the FTC Act) rather than under HIPAA itself. One such case is FTC v. Wyndham Worldwide Corporation, where security failures led to three breaches. Another example is the case the FTC brought against LabMD, Inc. In LabMD, Inc. v. FTC, the FTC found that LabMD's lack of security measures was an unfair practice that harmed its patients' privacy. Although the FTC's order was later vacated on appeal, the case showed the FTC's willingness to go after businesses with poor practices, and in the end LabMD succumbed to the financial burden of defending itself.
Attorney General
State Attorneys General (SAG) can also enforce HIPAA. The HITECH Act of 2009 "gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules." Although I have found no cases of the South Carolina Attorney General enforcing HIPAA, other states have been active under the law. New York embraced the power given by HITECH and has issued over $2 million in fines. California, New Jersey, Vermont, and Massachusetts have also flexed their enforcement powers, paving the way for other states to do the same.
Patients
While HIPAA itself cannot be used as the foundation for a civil action (it provides no private cause of action), several states allow patients to bring suit against offending companies on the grounds of negligence, with HIPAA serving as the standard of care the company failed to meet. Patients must prove that the breach caused them substantial harm, and even then a favorable outcome is not guaranteed. If you are curious about activity in cyber security litigation, see Willis Towers Watson's write-up on the subject.
Summary
Medical practices that are HIPAA compliant abide by standards that provide good care to their patients while protecting the confidentiality of the sensitive information they handle daily. Would you talk freely to a doctor knowing that the world would also know? Probably not. This is why federal and state regulators, as well as patients, are taking cyber security seriously and now have the power to ensure medical practices do the same.
Good cyber security requires a wealth of knowledge and a practiced hand, just like patient care. Contact Tandem Cyber Solutions to discuss HIPAA compliance and protecting your patients.
For a HIPAA checklist, go [here]. To get in touch with our experts at Tandem Cyber Solutions, call us at 843-309-3058. Check out our HIPAA services [here].
Author
Micheal Small Co-founder + Ethical Hacker
Micheal has over 13 years of combined experience in Information Security, Information Technology, and Physical Security. He has tackled some of the most daunting certifications in the industry, and his passion for the cyber world is matched by exposure to virtually every industry. He continues to hone his skills in Incident Response, Penetration Testing, and Consulting. Recognizing the need for change in cyber security, he volunteers to help entrepreneurs, veterans, and recent graduates.