It might be impossible to calculate the actual, aggregate cost of HIPAA non-compliance for health care services and financial firms, but we do know that millions of dollars in fines have been handed out by the Department of Health and Human Services just in the last year alone to offending hospitals, Universities, and other organizations who store patient medical data. Organizations who fail to provide adequate data network security for their IT infrastructures risk exposing their patient medical information (HIPAA) or client financial information (PCI), and garnering huge fines as a result. It’s not just the fines that get you, though. It’s the concomitant downgrade in security-rating status until completely fixed (and which is the equivalent of a 100 point or so drop in your credit score) that should also have organizations worried. It’s simply not worth the disaster that can befall your company or organization due to security violations, and not getting into compliance ASAP.
Weighing the Cost
So, when asking the question, “What is the cost of non-compliance?” one should also immediately ask, “What small price for compliance do I need to pay?” Because, quite simply, the cost of being in compliance is far exceeded by that of being out of compliance and consequently being on the hook for a HIPAA or PCI non-compliance violation. The fact is that data breaches can happen anytime and on any day to major financial institutions such as banks and credit card or third-party transaction companies. And for a huge corporation like VISA or Chase Bank, it simply makes good sense to spend the relatively meager sum and be compliant with PCI standards. Moving quickly into the world of cloud PCI compliance, the checklist is long, but worth going over carefully and following to the letter – as is the HIPAA compliance checklist.
Data Governance and Accountability
Tech Target talks about this subject in edifying detail, speaking of well-meaning companies who have to wrangle with well-thought-through IT governance to the point of minutiae that could drive normal department heads mad. This is where a formidable IT team becomes your best friend. In Tech Target’s own words: “Many companies do not establish clear organizational responsibility for ensuring the security of the protected health information. According to requirements, there must be an individual assigned the responsibility for HIPAA compliance.” That individual should be a seasoned CIO, CISO, or vCIO, the latter of which is generally an outsourced IT expert who augments your own business starting lineup as the Barry Bonds who can hit IT security and compliance out of the park.
Transparency, Identity Management, and Access Control
You will want to be as transparent as possible in applying HIPAA regulations to your IT network. Treat your client/patient Electronic Protected Health Information (EPHI) like auditable monetary accounts – the more access regulators have to see your user access restrictions are on the up and up, the more they will give you high marks. Likewise, when they see that you are painstakingly guarding and monitoring identity management and access permissions, your god standing will continue. System and environment controls such as secure configuration goes steps beyond merely monitoring and into the realm of strict control.
Managed IT Services for Compliance Measures
It can sound like a “fix-all” or turnkey solution, but that is what a managed IT services firm and vCIO can do for you in the area of compliance. Outsource My IT is the leader in providing managed IT services in New Jersey. Contact our expert IT staff at (973) 638-2722 or send us an email at firstname.lastname@example.org, and we will be happy to answer your questions.