This is a quick reminder that the September 23 deadline for compliance with the new HIPAA regulations is rapidly approaching. Organizations that handle protected health information (PHI) need to be sure they are up to speed on the changes and ready to withstand scrutiny. In general, you will need new NPPs and BAAs (Notices of Privacy Practices and Business Associate Agreements).
We talked about the new HIPAA in an August blog post, and I recorded a webcast on the HIPAA changes that you can watch. Shortly after that HIPAA post went up we got a nasty reminder of how badly things can go wrong when handling PHI. On August 26, Healthcare IT News reported that one of America’s largest healthcare providers, Advocate Health System, had begun notifying 4 million people that protected health information and Social Security numbers had been compromised after the theft of four unencrypted company computers. That’s a fairly stunning number of sensitive records, prompting the headline “Behemoth breach”. Clearly Advocate is facing millions of dollars in unexpected costs to remediate this, and you can bet OCR investigators will want to see where the organization documented its decision not to encrypt these records.