Government regulations put information
on a need-to-know basis

• The HITECH Act of 2009 significantly increases penalties for disclosing protected health information.
• The most common violations? *Information management and lack of proper access control*

HITECH enhanced HIPAA penalties

A person who knowingly discloses individually identifiable health information to another person commits a crime punishable by fines up to $50,000 and imprisonment up to one year, or both. The criminal penalties jump to fines up to $250,000 and imprisonment up to 10 years, or both, if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.

To view the U.S. Department of Health & Human Services HITECH Act in its entirety, click here

Smaller healthcare organizations are at risk

A former employee of a home healthcare agency in Raeford, NC waltzed into the office after hours.
• She stole the files of 23 clients.
• She also stole her own personnel file, a policies and procedures manual, as well as two sets of keys and a digital camera.
• There were no signs of forced entry.
• The firm was responsible for misuse of information.

Any organization could be a target

At University Health Care in Utah, someone stole a laptop from a locked office. It contained patient names, their Social Security numbers, insurance data, prescription drug information and more.
The company had to warn 4,800 patients about potential identity theft. To mitigate the damage, they paid for a year of credit monitoring for each patient.