HIPAA Compliance Checklist – Pitfalls to Avoid
For a healthcare organization to be HIPAA compliant, it needs to ensure that the right controls are in place to protect the privacy of patient information. This means controls that keep sensitive patient information from being visible to parties who have no need to see it, and that ensure the exchange of information between practitioners follows HIPAA standards for encryption and access control.
While these standards seem straightforward, it is important to note that HIPAA was established before cybersecurity threats became the issue they are today. Cybersecurity threats continue to plague hospitals and expose them to HIPAA fines. Perhaps the best way for institutions to protect themselves from attacks and gain the upper hand against would-be attackers is to maintain constant vigilance.
The cost of failing to maintain vigilance is substantial. HIPAA violations can result in substantial fines to a practice ranging from $100 to $1.5 million. Indeed, in 2016 Hollywood Presbyterian Medical Center (HPMC) had to pay $17,000 after a ransomware attack, which encrypted its EHR and demanded the sum of money in exchange for the encryption key.
This ebook highlights 5 points that healthcare organizations can embrace to improve their chances of remaining HIPAA compliant and vigilant about network security. By starting with some straightforward actions, healthcare organizations will dramatically improve their ability to thwart attackers and their protection against threats and hacks.
HIPAA Compliance Checklist – Pitfalls to Avoid #1: Texting of patient information
Texting patient information such as test results or images is an easy way for providers to relay information to their colleagues quickly. While it may seem harmless, it potentially places patient data in the hands of cybercriminals who could easily access this information. Additionally, using standard texting capabilities on a smartphone constitutes a major HIPAA violation.
In 2014, a medical resident treating a North Carolina nursing home patient asked a nurse to text the lab results. As a result, the facility ended up paying a high price for using this inherently insecure messaging medium. The Centers for Medicare & Medicaid Services (CMS) gave the nursing facility an “e-level deficiency,” meaning there was “no actual harm but potential for more than minimal harm.”
While the case of the facility in North Carolina did not enable sensitive information to end up in the hands of criminals, it does demonstrate the ease with which a HIPAA violation can be incurred.
HIPAA Compliance Checklist – Pitfalls to Avoid #2: Inability to wipe lost or stolen devices
Accellion reported that 68% of healthcare security breaches were due to the loss or theft of personal mobile devices or files. Indeed, mobile devices are the most vulnerable to theft because of their size.
The impact of such theft should not be minimized: loss or theft of PHI (protected health information) on laptops, desktops, smartphones, and other devices that contain patient information can result in HIPAA fines.
By not having a procedure in place to remotely wipe patient information from a lost or stolen smartphone, hospitals are placing themselves at serious risk. As noted, loss or theft is more common than institutions would like. As such, they cannot ignore the need to have procedures in place to manage the situation effectively.
Necessary safeguards should be put in place, such as password-protected authorization and encryption for access to patient-specific information. Ideally, the smartphones on which practitioners exchange patient information will provide administrators with the technology needed to wipe them if lost or stolen.
To read the rest of the pitfalls, read our e-book.