OnPage News: HIPAA Violation Concerns


Understanding HIPAA Compliance & HIPAA Violation Concerns

Article Courtesy of:  HealthIT Security

Covered entities should regularly review the requirements for HIPAA compliance to avoid potential violations.

Regardless of a healthcare organization’s size, HIPAA compliance must remain a top priority. This is especially critical as technology continues to evolve and more covered entities implement innovative tools such as mobile devices and health information exchanges (HIEs).


However, having a thorough understanding of the federal requirements for HIPAA compliance also means that healthcare organizations must understand the potential consequences of HIPAA violations. Consistent and comprehensive employee training should be paired with regular policy reviews and updates. HIPAA violations could lead to heavy regulatory fines and expose patients’ sensitive information.

By regularly reviewing the basics of HIPAA compliance, covered entities and their business associates will gather a better understanding of what measures they must take to keep patient data – as well as employee data – secure. Concerns over possible HIPAA violations are extremely valid, but do not need to be a detriment.

HealthITSecurity.com will outline the basics of HIPAA compliance, and touch on potential consequences should those requirements be violated. We will also discuss top concerns that healthcare organizations may have, and how those concerns can be overcome.

The 3 safeguards in HIPAA compliance.

Administrative safeguards, physical safeguards, and technical safeguards are three key aspects of overall HIPAA compliance. Healthcare organizations need to understand that there are not necessarily specific technology requirements under each of these areas. Rather, covered entities and their business associates must find ways to meet these requirements that are applicable to their daily operations and needs.

Administrative safeguards are “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information,” according to the Department of Health and Human Services (HHS).

Each covered entity will also need to evaluate its security controls and ensure that “an accurate and thorough risk analysis” is performed.

HIPAA administrative safeguards are broken down into several main aspects:

  • Security management process
  • Assigned security responsibility
  • Workforce security
  • Information access management
  • Security awareness and training
  • Security incident procedures
  • Contingency plan
  • Evaluation
  • Business associate contracts and other arrangements

Covered entities must also understand physical safeguards when it comes to creating a comprehensive data security plan.

According to HHS, physical safeguards are the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

For example, ensuring that laptops and other mobile devices are always kept behind a locked door when not in use would be a physical safeguard. Additionally, having security cameras at a facility would also be considered a physical safeguard.

Facility access and control, as well as workstation use and device security, are the main aspects of this part of HIPAA compliance. Essentially, physical access to facilities must be limited, while still ensuring that authorized access is allowed. Moreover, policies and procedures that “specify proper use of and access to workstations and electronic media” are also required.

Having strong technical safeguards is also important for covered entities. These safeguards refer to “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it,” according to HHS.

Technical safeguards could include two-factor authentication on devices, or ensuring that updated firewalls are on all desktop computers. Data encryption is becoming a more popular option as well, but is not necessarily a requirement for all healthcare organizations.

However, technical safeguards need to include the following considerations:

  • Access control
  • Audit control
  • Integrity control
  • Transmission security

As previously mentioned, there are no specific requirements for the type of technology to be implemented at covered entities. This is especially true when it comes to technical safeguards. However, healthcare organizations “must use any security measures that allows it reasonably and appropriately to implement the standards and implementation specifications.”

What are potential consequences of HIPAA violations?

One of the major consequences a covered entity may face if it lacks the necessary protections is a healthcare data breach. While a breach can still happen even if an organization is HIPAA compliant, data breaches often take place because one of the previously mentioned safeguards is missing.

However, as the top healthcare data breaches of 2015 prove, the reaction to a data security incident is just as critical. Last year, the top 10 healthcare data breaches were all classified as a “hacking/IT incident.” Covered entities and their business associates may not always be able to prevent a cybersecurity attack, but this is why detection is critical. That way, an organization can hopefully put a stop to the intrusion before too much damage is done.

HIPAA violations will also likely lead to an organization facing financial fines from the Office for Civil Rights (OCR). The OCR HIPAA settlements from 2015 were all prime examples of how one small oversight could potentially have larger consequences.

For example, OCR reached a settlement agreement with Cornell Prescription Pharmacy (Cornell) in Denver, Colorado in April 2015. While Cornell is a small, single-location pharmacy that provides in-store and prescription services to patients in the area, OCR maintained that the organization needed to maintain HIPAA compliance.

Cornell was accused of improperly disposing of documents containing patient PHI. Approximately 1,600 patients’ information was found in an unlocked, open container on Cornell’s premises.

“Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper,” explained OCR Director Jocelyn Samuels, adding that PHI security is essential for entities of all sizes.

A lack of a proper risk analysis was also cited in HIPAA settlements from last year. The University of Washington Medicine (UWM) agreed to a HIPAA settlement for $750,000.

In that case, an email containing malware reportedly compromised 90,000 individuals’ ePHI, according to OCR. Moreover, UWM “did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.”

“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” Samuels said in a statement.

Top provider concerns include HIPAA compliance…

Read the FULL STORY on HealthIT Security

