PHI Breach detection in county government
The Office of Civil Rights (OCR) maintains a list of HIPAA breach investigations which currently lists over 400 open breach investigations.
One interesting breach is Adams County, Wisconsin which was leaking information undetected for over five years from 2013 and it highlights the lack of controls counties have in place for detection of security anomalies.
It’s pretty easy to determine whether or not counties have appropriate controls in place. The first question to ask is do they have a risk assessment? If your local government organization doesn’t conduct ongoing periodic risk assessments, you aren’t compliant with the HIPAA Security Rule. So, if you don’t have a risk assessment, get one so you can identify potential problems.
There are roughly 40 policy requirements for the HIPAA Security Rule and HIPAA sets a low bar in comparison to ISO/IEC 27001 and NIST CSF. If your county security policy doesn’t have these 40 policies in place, with corresponding processes and procedures you aren’t compliant with HIPAA.
We offer a low-cost 90 minute HIPAA workshop to help you assess your level of HIPAA compliance. The worst time to find out that you aren’t compliant is after a breach!
© Copyright Jeffrey Morgan, 2018