HIPAA (Healthcare Insurance Portability and Accountability Act) is not new. First proposed in 1996, the law was created to protect employees’ health insurance coverage between jobs, to combat waste and fraud by health agencies, and to begin the process of computerizing patient records. In 2013, policies and procedures were enacted to enforce the HIPAA, and to outline the costs of a HIPAA breach. These regulations broadly cover three categories:
- Physical: Physical access to data storage
- Technical: Protecting the transmission of PHI
- Administrative: The outline of procedures that entities must follow to comply with HIPAA
The Enforcement Rule passed in 2006, giving HIPAA the power to investigate potential breaches via HIPAA violation reporting and to fine, and even criminally charge, individuals and organizations not complying.
What is Considered a Breach of HIPAA?
There are many things that will lead to HIPAA violations, but here are a few of the more common ones:
- Unauthorized access of PHI
- Failure to conduct risk analysis
- Lack of safeguards to protect confidentiality of PHI
- Failure to have HIPAA-compliant business associate agreements with vendors with access to PHI
- Improper disposal of PHI, including keeping it when it is no longer needed
- Failure to maintain and monitor PHI access logs
- Lack of HIPAA training and cybersecurity awareness training
- Mishandling PHI including texting it and posting it online
- Not allowing patients to access their PHI
- Failure to use encryption or other protective measures when transmitting or storing PHI
- Failure to follow HIPAA violation reporting guidelines, including notifications of a HIPAA breach
- Failure to document HIPAA compliance efforts
Now that telehealth and remote work have become acceptable ways for organizations to continue to see and treat patients, HIPAA compliance has become even more complicated.
How Can My Organization Prevent a HIPAA Breach?
There are common sense ways you can help protect your healthcare organization from a HIPAA breach, including:
1. Data Encryption is Key to Prevent HIPAA Breach
End-to-end data encryption is a key component to protecting PHI, both in storage and at rest. While the Federal rules don’t require encryption, many states do.
2. Rigorous Firewall and Antivirus
A bad actor can’t use information s/he can’t access, and a good way to keep PHI safe is layering a rigorous firewall, antivirus, and email filter. The best choices in cybersecurity tools will be fueled by AI technology.
3. Cybersecurity Awareness Training
Teaching your staff to be your cybersecurity frontline will help them recognize, and avoid, phishing attempts, malware, spoofing, and ransomware (among others). It will also allow you to introduce a HIPAA-specific Acceptable Use Policy, providing guidance for using device, accessing your network, and what sites can be used while on your network or a work-issued device.
4. Dispose of PHI Documents Safely
Make sure you hire a paper-shredding agency, or put your own documents through a shredder to make sure all outdated PHI is permanently destroyed and disposed of in a safe way. A paper-shredding agency will provide receipts as proof that the records were shredded appropriately lower your organization’s liability in the face of a potential HIPAA breach.
5. Business Associate Agreements
In other industries, this would be referred to as third-party vendor management. HIPAA has taken the concept and tightened down requirements to ensure that every business that has access to PHI is also compliant with HIPAA.
6. Keep PHI Private
Your staff must be educated to understand that it is never ok to post PHI on social media, to gossip about patients, or to text identifiable patient information. An identity access and management platform is an important way to ensure that PHI is limited to the staff who needs it to perform their job duties.
7. Device Mismanagement
Now that so much work can be done remotely, employees must be more careful than ever with the devices they use to access your network. Some commonsense device security features would be:
- Automatic timeouts
- Multifactor authentication
- Physical device security
- Not allowing personal devices to access your network
- Reminding employees never to access the network on an unsecure Wi-Fi connection
Integris, a HIPAA Compliant Industry Leader, has you Covered
Integris has the HIPAA seal of compliance and the knowledge our healthcare and dental practices need to stay safe and free from a HIPAA breach. Contact us now for a free, no obligation consultation and learn how Integris can keep your HIPAA compliancy stress free so you can focus on what is most important: your patients.
Want to assess your own HIPAA compliancy? Download this free, no risk, no obligation HIPAA telecommuting policy and make sure your organization is staying HIPAA compliant and protected from a HIPAA breach, even while working remotely.