In any modern digitized dictionary, if you search for "HIPAA", you will get results. Although HIPAA is an acronym for the Health Information Portability and Accountability Act, it is also ingrained into our daily lives as a word. Whether you are a patient, doctor, support staff, IT specialist, or security specialist, you might know a little or nothing about it. If you are a company that works with anyone in healthcare, such as a doctor's office, dentist, or medical supplier, you might think that HIPAA doesn't apply to you or that you shouldn't worry that anyone cares what you are doing. The HIPAA rule applies to all entities that have or share electronic personal health information (ePHI).
There are 16+ data points that can be used to identify a patient:
- Any Address information
- Telephone number
- Email Address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account numbers
- Certificate/license number
- Any dates related to an individual: date of birth, date of admission to or discharge from a hospital/facility, or date of death
- Vehicle identifiers, serial numbers, or license plate numbers
- Electronic Device identifiers or serial numbers
- Full facial photos
- IP address
- Biometric identifiers such as fingerprints or voice prints
- Any other unique identifying numbers, characteristics, or codes
There is a very broad spectrum of information that an attacker can use to identify someone, find their address, or know their vulnerabilities.
You also might be telling yourself:
- I'm too small of an organization to be of any significance.
- I am not in the healthcare industry, just a third-party vendor.
- I'm sure my IT person is handling this, so why worry about it?
The Omnibus rule, added to HIPAA long ago, implicates ALL organizations, big or small, that share, transmit, or receive any of the data listed above. If you are a third-party vendor, you are just as liable for securing this data. Larger organizations are now assessing all of their third-party vendors to make sure they are HIPAA compliant. If you are not compliant, you risk losing your contract with them.
Have you asked your IT manager if you are HIPAA compliant? If they say yes, ask for a report or some kind of proof. You might have them running for cover.
Learn more about becoming HIPAA compliant at: