I have to reply twice, this is such an absurd statement. I’ve worked in healthcare for years; the penalty for exposing a patient’s PHI could potentially cripple a company because of how strict the safeguards against it are. Cyber liability is in the millions for companies with even small (~100k) sets of lives.
True and false simultaneously. PHI protection absolutely applies outside of providing a medical service. If you’re a company that has medical info on people and you run reporting on it, it is your duty to safeguard it. It has nothing to do with providing a service. If you don’t de-identify records before studies are conducted, or you’re using live records in dev environments, and that info gets exposed, you’re screwed.
Reporting doesn’t have to be a direct medical service. It can be used for unrelated studies, used by pharma, used by medical device companies, and whether or not you have PHI in the reports themselves, you house the underlying data in your databases. Exposing that or leaking that is an infraction covered under the protection of HIPAA. If you’re in a call center and you expose it, if you’re in IT and you email it unencrypted, if it’s exposed on an open port, it all falls under that protection.
I know when the railroad tried to make us tell them our prescriptions, the lawyers shut that shit down hard.