CYBER SECURITY

continued from page 14

Charges for making an authorized disclosure (for example, a patient asking for a copy of their records) cannot exceed the “reasonable costs of preparing or transmitting the protected health information.”

All told, this is where you sit down with your privacy officer (you have one, right?) and make certain that the practice’s rules on use and disclosure are up to date and effectively translated into procedures.

Breach notification rules are also more widely applied under Texas law than under HIPAA, thanks to the combined effect of HB 300 and the Texas Identity Theft Enforcement and Protection Act. Breach notifications are mandatory for any person who conducts business in Texas and loses control of sensitive personal information (SPI), not just PHI. Data cleansed of PHI can still be considered sensitive, and a breach notice is required for electronic SPI when system security has been compromised (with “compromised” being undefined in the law).

HB 300 increases the penalties for failing to make breach notifications. In addition to the penalties available to the state attorney general, it provides for additional civil penalties of $100 per individual, per day that an entity fails to take reasonable action to comply. It’s a state felony if an individual, without the consent of the patient, accesses, reads, scans, stores or transfers PHI via a device or electronic payment card.

Privacy is “mission critical” to his agency, says newly appointed Texas HHS Executive Commissioner Chris Traylor. Considering an era of increasing penalties and public sensitivity to breaches, it’s wise for practices to consider it “mission critical” as well. Privacy Pays, for the provider as well as the patient!

David Schulz, certified information privacy and certified HIPAA professional, is Executive Director and CEO of Cyber Risk Associates, LLC, compliance specialists for small and boutique healthcare practices and associates in the San Antonio area. Confidential review of practice’s needs and areas for improvements freely offered; detailed risk analysis, remediation and training offered on one-time or continual basis: 210-281-8151.

16 San Antonio Medicine • February 2016