Under the new guidelines, the HIPAA requirements for multifactor authentication are now being extended to "business associates".
Phoenix, Arizona (PRWEB) March 26, 2013
On March 26, new U.S. Department of Health and Human Services (HHS) rules go into effect, extending HIPAA security and privacy requirements to "business associates". Business associates include contractors, vendors, and service providers, such as billing companies, that perform services on behalf of a health care provider or that provide solutions that integrate with medical or patient data.
The amended Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules formalize many of the statutory changes made in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act). The new rules also raise the maximum penalty for non-compliance to $1.5 million per year for all violations of an identical provision and clarify the circumstances under which data breaches must be reported to HHS. The new rules take effect March 26. Business associates have until Sept. 23 to comply.
The HIPAA Security Rule's person or entity authentication standard (45 CFR 164.312(d)) does not name a specific technology, but it is widely interpreted within the healthcare industry as calling for "multifactor authentication" (MFA) to protect access to medical and patient data. Those expectations now apply to business associates as well. According to HHS, business associates are responsible for the majority of the nation's health care data-loss incidents. HHS Office for Civil Rights Director Leon Rodriguez said in a news release:
"These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."
Finding a compliant, user-friendly multifactor authentication solution has proved difficult for other industries facing similar guidelines. In the wake of the FFIEC's authentication guidance to the financial industry, many banks opted for "challenge question" solutions that were later ridiculed by security experts and rejected by the FFIEC as not "true multifactor authentication", since a password plus a challenge question is two instances of the same factor (something the user knows). Other financial institutions purchased millions of dollars in hardware tokens only to find the expensive devices overwhelmingly rejected by consumers. Some institutions deployed "risk-profiling" or similar scoring systems, but found their support costs skyrocketing and their help desks inundated with user complaints.
There are several affordable, user-friendly MFA solutions currently available to the HIPAA-regulated industry. One solution is Virtual Token® Multifactor Authentication from Sestus, LLC. Virtual Token® MFA is used by government healthcare agencies, healthcare organizations, service providers (business associates), and private care facilities.
Virtual Token® MFA is a "true multifactor authentication" solution as defined by federal regulators. Organizations that have deployed Virtual Token® MFA report a significant reduction in online fraud and identity theft without the increase in support costs typically associated with MFA. Users never install any software or disclose any personal information to use Virtual Token® MFA, which keeps it user-friendly and limits the personal data exposed.
For more information on Virtual Token® Multifactor Authentication, visit http://www.sestus.com.