Healthcare provider pays hefty $650,000 HIPAA fine.
This settlement should put business associates on notice of the potential for significant liability for failure to implement required HIPAA policies and procedures. In addition, business associates should take steps to ensure that all PHI on laptops and mobile devices is encrypted.
Covered entities and business associates must learn from the security mishaps of their peers, says Lysa Myers, a researcher at security services firm ESET.
“You’re only as safe as your partner,” she says. “Everyone involved with vendor management should develop a common, collaborative security strategy that includes layering new protections onto processes and policies to defend against information risk in the supply chain.
For instance, because so many data breaches involve unencrypted data, Myers says it’s critical for covered entities to ask how vendors are protecting sensitive data.
Lack of Policies Cited
In a statement, OCR notes that during its investigation, it found that at the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident. OCR also concluded that CHCS had no risk analysis or risk management plan.
Read Full Story: www.healthcareinfosecurity.com
Sourced through Scoop.it