According to the Privacy Rights Clearinghouse, the healthcare industry saw a considerable jump in data privacy breaches in 2010 and 2011. This spike became far more visible after 2009, when Congress enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). That legislation added a technology component to the original 1996 HIPAA privacy mandates, giving more explicit guidance on the technical controls needed to protect a patient's healthcare records. Since 2009, reporting data breaches has been compulsory, which may explain much of the rise in reported breach violations.
In addition to protecting the privacy of patient health records, HIPAA gives a patient the right to request an accounting, a report of who has accessed their records. The accounting can cover the six years prior to the date of the request, so a healthcare organization must be able to show who did and did not access a patient's data over that period. To be safe, your organization should keep six years of log data on hand so that the forensic investigation behind such a request can actually be carried out.
If this log data becomes evidence used in court, the organization will have to show a proper chain of custody for the logs and prove that their integrity was not compromised at any point in that six-year period. Keeping multiple years of log files in their original file format is a must for a forensic investigation or prosecution, because only the unaltered originals give an accurate representation of what happened in the past. In addition, this data must be protected with cryptographic hashing so that its integrity can be demonstrated and it can be shown in a court of law that the data has not been tampered with.
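The integrity requirement above can be met with a tamper-evident manifest: each archived log file is hashed with SHA-256, the manifest entries are chained so that their order and contents are bound together, and the final chain value (the "seal") is stored apart from the archive with the custody record. The example below is added here and is not code from the original post or any product it mentions; the file names, log lines and function names are constructed for illustration. It shows that editing a file is detected, and that editing a file and rewriting its manifest entry to match is still detected because the chain no longer reaches the separately held seal.

```python
"""Tamper-evident manifest for archived log files (added example, constructed data).

Per-file SHA-256 proves a file is unchanged; chaining the entries proves the
manifest itself was not rewritten; the final link is the seal kept with the
chain-of-custody record so the archive can be checked years later.
"""
import hashlib
import json

GENESIS = "0" * 64  # starting link of the chain (arbitrary fixed value)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def chain_link(prev_link: str, name: str, file_hash: str) -> str:
    # Link = H(prev_link || name || file_hash): binds order, identity and content.
    return sha256_hex(f"{prev_link}\n{name}\n{file_hash}".encode())


def build_manifest(files: dict) -> dict:
    """files maps archive file name -> raw bytes of the log in its original format."""
    entries = []
    link = GENESIS
    for name in sorted(files):  # deterministic order so verification is repeatable
        file_hash = sha256_hex(files[name])
        link = chain_link(link, name, file_hash)
        entries.append({"name": name, "sha256": file_hash, "link": link})
    # The last link is the seal. Store it separately from the archive and manifest
    # (custody record, write-once medium, or a timestamping service).
    return {"entries": entries, "seal": link}


def verify_manifest(files: dict, manifest: dict, seal: str) -> list:
    """Return a list of problems; an empty list means files, manifest and seal agree."""
    problems = []
    link = GENESIS
    listed = set()
    for entry in manifest["entries"]:
        name = entry["name"]
        listed.add(name)
        data = files.get(name)
        if data is None:
            problems.append(f"missing file: {name}")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"content changed: {name}")
        # Recompute the chain from the manifest's own values: a rewritten entry
        # breaks every link after it, and the chain no longer reaches the seal.
        link = chain_link(link, name, entry["sha256"])
        if link != entry["link"]:
            problems.append(f"chain broken at: {name}")
    for name in files:
        if name not in listed:
            problems.append(f"unlisted file: {name}")
    if link != seal:
        problems.append("seal mismatch")
    return problems


# Constructed sample access logs (not real data).
SAMPLE_LOGS = {
    "ehr-access-2011-03-01.log": (
        b"2011-03-01T08:12:04Z user=jsmith action=VIEW record=patient-1042\n"
        b"2011-03-01T08:15:40Z user=jsmith action=PRINT record=patient-1042\n"
    ),
    "ehr-access-2011-03-02.log": (
        b"2011-03-02T09:01:11Z user=rlee action=VIEW record=patient-0077\n"
    ),
}


def demo() -> dict:
    """Seal the sample archive, then check it intact, edited, and edited-with-forged-manifest."""
    manifest = build_manifest(SAMPLE_LOGS)
    seal = manifest["seal"]  # in practice, read back from the custody record

    intact = verify_manifest(SAMPLE_LOGS, manifest, seal)

    # Someone edits a log line after the fact.
    tampered = dict(SAMPLE_LOGS)
    tampered["ehr-access-2011-03-01.log"] = tampered[
        "ehr-access-2011-03-01.log"
    ].replace(b"PRINT", b"VIEW")
    edited = verify_manifest(tampered, manifest, seal)

    # Same edit, but the manifest entry is rewritten to match the edited file.
    forged = json.loads(json.dumps(manifest))
    forged["entries"][0]["sha256"] = sha256_hex(tampered["ehr-access-2011-03-01.log"])
    forged_result = verify_manifest(tampered, forged, seal)

    return {"intact": intact, "edited": edited, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hashes give integrity evidence only; if the archived logs contain patient identifiers, encrypting the archive for confidentiality is a separate control, and the manifest should hash the original files rather than the ciphertext so the originals can still be presented as-is.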
We have put together a few tips and tricks to help healthcare organizations collect and archive this crucial log data so that it meets the HIPAA and HITECH requirements and serves both operational troubleshooting and forensic needs. To learn more about these best practices, please listen to our latest webcast on these topics or download our best-practice white paper.