Horror Stories from Million-Dollar Noncompliance Security Mistakes

Chicago partner Ken Dort and associate Sumaya Noush co-authored an article titled “Horror Stories from Million-Dollar Noncompliance Security Mistakes” for Chiropractic Economics.

In their article, Ken and Sumaya point out that when a HIPAA covered entity is deciding which security measures to use, the HIPAA Security Rule does not dictate those measures but rather requires the covered entity to consider a number of factors, including the likelihood and possible impact of potential risks to electronically stored personal health information. Notably, in the event of a breach absent the use of encryption, the provider would have to justify to HHS why encryption’s absence was “reasonable and appropriate” for its situation. The reality is that underlying software and system hardware have been advancing to make encryption more viable — particularly in the face of the ever-growing threat of data breach in the health care field — leaving those providers opting against encryption with little room for acceptable explanations.