How to Ensure HIPAA Compliance Efforts Focus on Data Security
There is little that is more disruptive and detrimental to a healthcare organization than a HIPAA violation. First, consider the penalties. The HHS Office for Civil Rights (OCR) issues fines of $50,000 per violation up to a $1.5 million maximum, and criminal penalties can be up to ten years imprisonment and $250,000 in fines. Second, especially if an information breach is behind the violation, you are not just facing fines but much broader costs that include aspects such as legal fees, data forensics, hits to your brand, and the immediate recovery steps to correct the issue.
While the goal is across-the-board compliance, everyone wants to pay special attention to the areas that most often result in HIPAA violations – which signal likely points of focus for investigations by the Department of Health and Human Services. They also underscore the importance of better integrating compliance into our organizations.
Top HIPAA Violations
These are a few of the HIPAA violations that occur most frequently (in no particular order):
- Unauthorized disclosure of health data by staff – Healthcare personnel can be the source of major fines and other costs if they talk to their colleagues or loved ones about patients. Anyone who works for you should not share anyone’s health data with anyone who has not been cleared with written authorization, and they should know to only speak with patients in private areas. Social engineering is one key hacker tactic. Through this method, the attackers attempt to get access to ePHI or ePHI-containing systems by hoodwinking someone on your staff.
- Device theft or misplacement – You may end up with a violation because an unencrypted laptop, smartphone, or other device gets stolen or lost. It is likelier that you see mobile devices stolen than desktops because they are designed for portability and are often in-transit; since that’s the case, it is especially important to use data encryption, password protection, and multi-factor authentication on these devices.
- Improper disposal – When you get rid of protected health information (whether physical or digital), you must use appropriate methods – but always dispose of rather than leaving documents exposed. An unauthorized person may see health information that they should not when a staff member puts a patient record on their desktop or leaves a file on a table. Shred or delete records that are no longer being used, or store them in a secure place.
- Access from unsecured sites – Many people who work in healthcare use their personal devices to access health data and work late at night. This reality can lead to terrible results. For example, a family member might see health information when it is left open on their computer. A family member could also accidentally install malware, allowing cybercriminals access to locate and take the information.
- Lack of a signed business associate agreement – Another HIPAA violation that occurs frequently is that an organization handling health data does not sign a business associate agreement with one of the providers handling information on its behalf. Furthermore, the mere existence of a BAA is not enough because many are non-compliant – particularly when they have not been updated to reflect the Final Omnibus Rule (technically reflecting a HITECH violation).
- Going beyond the breach notification time limit – It is necessary for healthcare providers, plans, and data clearinghouses to notify affected patients, sometimes the HHS, and sometimes the media within 60 days after a breach is discovered. HIPAA violations often occur when this two-month window is not met.
Tips to prevent HIPAA violations
HIPAA compliance is complex. However, there are some basic key things you can do to avoid violations. One is simply making security and privacy a greater point of focus for your organization. You want to have strong training in place so that everyone you employ knows how to interact appropriately with healthcare records – critical given the severity of the insider threat. You also need to make sure that all your policies, procedures, and other documentation are updated to align with today’s HIPAA stipulations. Continuing education should be available to everyone on your staff. Knowledge must be current – on paper, in practice, and in the minds of your personnel.
It is also critical to know that you are partnered with business associates who are experienced working with ePHI systems and meeting the challenges of protecting them. One way to see that an organization is focused on healthcare compliance and cybersecurity is to look for third-party HIPAA and HITECH compliance certification, as well as compliance with the American Institute of CPAs’ SSAE 18 (formerly SSAE 16).
Plus, be aware that routine risk assessments are mandatory under HIPAA because they will reveal the technical, administrative, and physical safeguards that will help you meet the Security Rule. “The risk analysis process should be ongoing,” notes the HHS’s “Guidance on Risk Analysis.” “Some covered entities may perform these processes annually or as needed (e.g. bi-annual or every 3 years).” By performing these assessments thoroughly, you can uncover aspects of your systems that need additional attention and support.
Adnan Raja has been the Vice President of Marketing at Atlantic.Net for 14 years. During Raja’s tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally. In collaboration with a skilled and dedicated team, Raja has successfully led a full spectrum of marketing campaigns, as well as handling PR work with major news outlets and the formation of key strategic alliances.