For health care providers, arguably your most valuable asset is your patient information. Patients assume you will protect their private information. Unfortunately, many practices are not implementing even the basic safeguards required under the Health Insurance Portability and Accountability Act (HIPAA).
In fact, Consumer Reports recently warned their subscribers (your patients) they need to protect themselves from improper handling of protected health information (PHI) by hospitals, doctors and insurance companies. HIPAA Compliance should not be a one-time, “set-it-and-forget-it” process. Instead, protecting the privacy and security of patient information should be a culture lived and implemented by the organizational leaders and followed by their employees. Risks are no longer insignificant. Fines range from $10,000 per incident up to $1.5 million per year. The reputation of the practice can be crippled if a data breach occurs and proper protocols aren’t followed.
10 Common HIPAA Violations, and How to Avoid Them
- No Updated Policies and Procedures: HIPAA requires documentation to show you understand what is required by law and your practice has the policies and procedures in place. It’s a best practice to purchase a set of policies and review them with your team annually. You can also subscribe to a service like OfficeSafe where policies are online, employees can log in anytime, and updates are automatic.
- No Risk Assessment on File: You must perform an adequate risk assessment to determine your vulnerabilities. HIPAA does not define “how” an assessment needs to be performed, it only states you need to document your risk level, key vulnerabilities and plans to fix them. Having a risk assessment on file and showing you are making progress implementing key safeguards required under HIPAA will materially mitigate your risks.
- Lack of Employee Training Documentation: Employees are the first line of defense for your practice. Employees also make human errors. Making training a priority is key to creating a culture of compliance for your practice. Employees can also watch for phishing scams, other employee behaviors, help identify privacy issues and more.
- Loss of a Device: Losing a laptop or mobile device that stores PHI is a HIPAA violation unless you can prove the data stored was encrypted and/or the device was secure. To mitigate risks, don’t store PHI on these devices and setup controls to wipe data from mobile phones if they are used inside your practice.
- No Emergency or Incident Response Planning: HIPAA law now requires that every practice document an Emergency and Incident Response Plan. Also, with all of the hurricane’s, fires, ransomware attacks, and other incidents, it makes sense to document your plans in case an emergency does occur. HIPAA requires: 1) a Data Backup Plan, 2) a Data Restoration Plan and 3) an Emergency Mode Operations Plan.
- A Ransomware Attack: Your patient information is valuable to a hacker. If obtained, they sell it on the Dark Web. Phishing scams lead to ransomware attacks and not only can this harm your practice, but a ransomware attack is also considered a data breach under HIPAA. Your patients may have to be informed unless a forensic investigation can prove data was not accessed. For more information on ways to prevent a ransomware attack, you can learn more at Top 10 Ways to Fight Ransomware
- A Credit Card Data Breach: Every practice handles patient credit card information. A Payment Card Industry (PCI) violation can also end up being a reportable breach under HIPAA. Securing and properly handling credit card data is imperative. Don’t store any credit card information in QuickBooks, Excel or any other software. Also, make sure you are PCI certified and using EMV devices to limit chargeback liabilities.
- Violations Under the HIPAA Privacy Rule: Too many health care professionals do not have a clear understanding of The HIPAA Privacy Rule. Not only does PHI need to be secure, but it also needs to be kept private. Practices need to have an updated Notice of Privacy Practices shared with patients and posted in the practice. Also, employees need to understand under what circumstances PHI can and cannot be shared. It’s important (and the law) to designate a HIPAA Privacy and Security Officer for the practice. They can learn the basics and quickly mitigate behaviors that may be leading to unnecessary risks.
- No Encryption Safeguards: HIPAA does not state you have to use encrypted solutions, but it’s a good idea. Your PHI should be backed up using an encrypted solution. It also should be backed up in the cloud with multiple days of backup sets. Also, when e-mailing PHI, you should be using an e-mail encryption service. Encryption mitigates human e-mail error and also protects the unauthorized access of data.
- Lack of Compliance Documentation and Execution of Business Associate Agreements: We often see practices struggling to execute their Business Associate Agreements, Employee and Patient Acknowledgments, Authorizations, and overall HIPAA compliance. Compliance isn’t a he-said, she-said proof exercise. You must have updated policies, procedures, and proof you are implementing the proper HIPAA safeguards.
OfficeSafe was designed to ease the administrative burdens and uncertainties associated with HIPAA compliance and financially protect you in case of a ransomware attack, HIPAA audit, or patient data breach.