Mitigating Cybersecurity Risks

Cybersecurity issues and their impact on compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act are becoming more of an enforcement focus for a variety of government agencies, including the US Department of Health and Human Services, the Federal Trade Commission, and the Department of Justice. In the case presented in this article, a nurse in a neurology practice opted to speak with a patient about human immunodeficiency virus testing procedures in a manner audible to others in the waiting room. Computer screens with patient information were visible to anyone approaching a desk, the staff had not been trained on cybersecurity issues, and malware infected the computers used in the practice. In light of these circumstances and the launch of Phase 2 of the HIPAA Audit Program by the US Department of Health and Human Services Office for Civil Rights, the neurology practice must consider the following questions. First, could the gaps in the technical, administrative, and physical requirements of HIPAA and the HITECH Act result in an adverse audit and penalties? Second, what course of action does the law mandate in response to a ransomware attack?