HIPAA: What was Reasonable and Appropriate is not Today!
I’m sure HHS and OCR wish the phrase “reasonable and appropriate” had never been written into the HIPAA CFRs. I can’t think of a vaguer or more meaningless phrase, except possibly “indescribably delicious”. An attempt to instruct providers and business associates to install and maintain security safeguards that protect patient data within your practice’s financial means? Probably. These words, “reasonable and appropriate”, de-emphasize, even trivialize, the criticality of the true intent – protecting your patients; protecting their savings, their credit rating, even their ability to get health insurance or get a job. I think it’s akin to your home being on fire, calling 9-1-1 and saying “have the fire department swing by when they have a chance.”
And what was “reasonable and appropriate” several years ago is definitely not today! As Bob Dylan said, “The times they are a-changin’”. Today hackers are more sophisticated and well-funded. Better tools are readily and cheaply available on the black market, enabling novices to quickly join the ranks of the hacker community. It is an underground industry. With the more secure, chip-on-board EMV credit cards coming later this year, cyber criminals will turn elsewhere to make “their” money. Statistics show that 70% of cyber-attacks are targeted at small businesses. The most valued data on the black market is protected health information. Looks like the small healthcare practice has a big bulls-eye painted on it! Stop assuming your MSP has your practice’s data secured. The message is clear: healthcare practices need to be proactive, regularly reevaluate their cyber security, and invest in it. Otherwise, a court of law will determine what is “reasonable and appropriate” to compensate your former patients for the theft of their PHI.