Anyone who touches PHI must protect it.

By: Brand Barney
Is it your responsibility to ensure that your clinic is HIPAA compliant? Is it the doctor’s responsibility? What if you’re the IT guy? Is HIPAA your duty? What if you are just a janitor at a healthcare organization?

The answer to all those questions is: every single person who interacts with patient health information in any way must protect it. That means if you…

  • Talk to patients directly
  • Give out prescriptions
  • Take blood pressure
  • Manage the firewall for a healthcare environment
  • Manage a database that holds patient data
  • Encrypt patient data on behalf of a provider
…you are responsible for HIPAA and for HIPAA violations! Employees may individually face charges if patient data is compromised, but that doesn’t mean providers are exempt from making sure the organization is HIPAA compliant. It’s okay to be honest that you didn’t know HIPAA is spelled with two a’s and not two p’s . . . that one shocks people all the time.


Healthcare provider HIPAA responsibility

If Protected Health Information (PHI) is compromised at a healthcare practice, the practice is always considered at fault. However, depending on the violation, an employee (especially an executive-level employee) may also be considered at fault and face serious consequences. Even when an employee was involved, healthcare employers still hold some of the blame for not training employees properly.

See also: How Healthcare Security Complacency is Killing Your Organization

According to the HHS, “Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.”

Employer or employee ignorance is not accepted as a legitimate excuse in the HHS’ eyes. That’s one reason why workforce member training is so crucial to preventing compromise and HIPAA violations.


Employee HIPAA responsibility

Employees are a crucial link in the healthcare compliance chain. If employees are weak (not adequately trained on security), they become a weak link that can easily be broken. Lazy, and even untrained, healthcare employees are at the center of most HIPAA violations.

If they interact with Patient Health Information in any way, healthcare workforce members are legally bound to comply with HIPAA regulations concerning the security of Patient Health Information. If workforce members are directly or even indirectly responsible for HIPAA violations, they can be penalized civilly.

Employees also have a serious moral responsibility, to both their employer and their patients, to keep patient health data secure.

Business associate HIPAA responsibility

When it comes to responsibility, third parties sometimes think they are exempt, especially those who don’t classify themselves as “healthcare covered entities.” The problem is, the HHS does consider them legally bound to protect PHI. That’s why the HHS requires business associate agreements.

According to the HHS, “In addition to [business associate agreements], business associates are directly liable for compliance with certain provisions of the HIPAA Rules.”

But just because a business associate has signed a business associate agreement doesn’t mean they are exempt from responsibility when something goes wrong with patient security. If data in the business associate’s possession is breached, they share equal responsibility with the healthcare provider.

See also: You Can’t Hide Behind a Business Associate Agreement.

Read about business associates and HIPAA for more information on business associate responsibility.

Patient data is your stewardship!

At the end of the day, the only thing standing between your patients’ sensitive (and valuable) data and attackers wishing to profit from it is you. Don’t let your patients down, don’t let attackers walk out the door with all of your data, and don’t let a compromise or HIPAA violation leave you in a tailspin of negative press.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.