My question involves public health law in the State of: South Dakota
I'm an IT guy, so I apologize if my lingo is a little foreign to anyone. I'll try to keep things as plain-English as possible, but please do ask for clarification if this isn't making sense.
I work as an Information Technology admin for a healthcare clinic. Without providing too many details, when I was hired, there were several issues with the infrastructure including weak passwords, lack of thorough data backups and security issues. All of these were in violation of 45 CFR §164.306-308 (HIPAA), which lays out the guidelines for Administrative Safeguards.
During my time of employment, I have unofficially (e.g., verbal communication) recommended that I be given the resources to improve our backup infrastructure, make changes to company policy to ensure patients' privacy and upgrade hardware. Of course, the further I dug into these internal HIPAA audit self-checklists, the more daunting the task had become. I was making progress, and thought "hey, the company is better today than it was a year ago, so I have nothing to worry about as long as I keep working on it."
Out of nowhere, a hard drive failed that was inside of a network-attached storage device. This device was used to do two things: a) house daily backups from the server and b) store private company data that was to be kept off of the server for extra security. This device was kept in the office in a separate room from the server.
Now, say we had a better backup infrastructure, this could have been prevented. Sure, the hard drive might have still failed, but the recovery process would have been plain and simple. Now we have to go through a data recovery lab which I am sure will charge us $$$$!
With all of this being said, is it my responsibility as an IT admin to ensure that we (as a clinic) are HIPAA compliant? Remember, HIPAA is not only the privacy of protected health information, but the integrity and availability of that data, too. Therefore, there is NO question about it that this sort of data loss is an OBVIOUS VIOLATION of HIPAA regulations.
But the question is, who is legally responsible for this sort of happening?
Just doing some research on this, I'm becoming a bit paranoid now. There was a case a few years ago in California where a guy got jail time for a HIPAA violation. I don't want to be that guy! Of course, I did not willingly or purposefully cause this violation, but I still have that job title next to my name.
Thanks ahead of time!