Over the past few years, we have seen millions of dollars in fines due to HIPAA violations. It’s no wonder that HIPAA is often seen as the “Big Bad Wolf” of government oversight in the healthcare industry, here to blow down profits and destroy practices with stiff regulations. But in fact, HIPAA is more like Arnold Schwarzenegger in the Terminator: here to protect your practice so you can protect and serve all humanity.
As a healthcare provider, it is your responsibility to help your patients. That also includes protecting their personal information. In the past, that meant keeping a secret. Unfortunately, keeping that secret in today’s digital world is a lot more complicated. HIPAA gives you a framework to help you do that.
Here are 7 of the most common security items missed by organizations.
Issue #1: Incomplete Risk Analysis
- Regulation: 45 CFR §164.308(a)(1)(ii)(A) – “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information….”
Many organizations fail to do a complete analysis, if they even do one at all. This is hands down the most important item that gets overlooked. Look at it this way: you cannot protect everything if you don’t know where or what everything is.
Issue #2: Failure to Manage Identified Risk
- Regulation: 45 CFR §164.308(a)(1)(ii)(B) – “…security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [the Security Rule].”
This should go without saying, but if you identify risks and create a plan to address them, you actually have to do it. You will fail a HIPAA investigation if you don’t do what you outline in your Risk Management Plan. You will also fail if you do not do it in a reasonable amount of time.
Issue #3: Disclosure Without Permission
- Regulation: 45 CFR §164.502(a) – “Covered Entities or Business Associates may not use or disclose PHI except as permitted or required.”
On the surface, this one seems to be pretty straightforward. But this has been a stumbling block for many organizations. Two examples of actual violations include:
- Filming individuals in your facility without getting their permission first, even if they are only in the background.
- Publishing identifiable information on social media or on your website without authorization. This includes testimonials and pictures of happy patients.
Issue #4: Lack of Appropriate Auditing
- Regulation: 45 CFR §164.308(a)(1)(ii)(D) – “regularly review records of information system activity, such as audit logs, access reports, and security incident reports.”
Most organizations take the step of putting hardware or software in place to do the auditing. The problem is that they don’t actually review the information for suspicious activity, such as:
- Accessing patient files during non-business hours
- Accessing an unusually high volume of patient files
- Unauthorized access to employee files
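The three review items above can be checked mechanically rather than by eyeballing logs. The following is an added example, not code from the original post; it runs over a constructed access log and flags after-hours access, unusually high per-user volume, and non-HR access to employee files. The log format, the business-hours window, the volume threshold and the HR-only rule are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from the original post):
# timestamp, user, role, record type, record id. 2024-03-04 is a Monday.
SAMPLE_LOG = """\
2024-03-04T09:12:00 jdoe nurse patient P-1001
2024-03-04T09:15:00 jdoe nurse patient P-1002
2024-03-04T23:40:00 rlee billing patient P-2040
2024-03-04T10:05:00 mkim hr employee E-17
2024-03-04T10:07:00 jdoe nurse employee E-17
2024-03-04T11:00:00 asmith clerk patient P-3001
2024-03-04T11:01:00 asmith clerk patient P-3002
2024-03-04T11:02:00 asmith clerk patient P-3003
2024-03-04T11:03:00 asmith clerk patient P-3004
"""

BUSINESS_HOURS = (7, 19)      # assumed: 07:00-19:00, Monday to Friday
VOLUME_THRESHOLD = 3          # assumed: more distinct patient files than this per user per day is unusual
EMPLOYEE_FILE_ROLES = {"hr"}  # assumed: only the HR role may open employee files

def parse_log(text):
    """Turn the constructed whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, role, rtype, rid = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "rtype": rtype, "rid": rid})
    return events

def review_audit_log(text):
    """Return (rule, user, detail) findings for the three review items named in the text."""
    findings = []
    per_user_day = defaultdict(set)   # (user, date) -> distinct patient files opened
    for e in parse_log(text):
        ts = e["ts"]
        # 1. access outside business hours or on a weekend
        if ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours", e["user"], f"{e['rtype']} {e['rid']} at {ts.isoformat()}"))
        # 2. employee file opened by a role that is not allowed to
        if e["rtype"] == "employee" and e["role"] not in EMPLOYEE_FILE_ROLES:
            findings.append(("unauthorized_employee_file", e["user"], f"role {e['role']} opened {e['rid']}"))
        if e["rtype"] == "patient":
            per_user_day[(e["user"], ts.date())].add(e["rid"])
    # 3. unusually high volume of distinct patient files per user per day
    for (user, day), records in sorted(per_user_day.items()):
        if len(records) > VOLUME_THRESHOLD:
            findings.append(("high_volume", user, f"{len(records)} distinct patient files on {day}"))
    return findings

if __name__ == "__main__":
    for rule, user, detail in review_audit_log(SAMPLE_LOG):
        print(f"{rule:28} {user:8} {detail}")
```

In practice the thresholds should come from a baseline of each role's normal activity, and every finding should be documented as reviewed, since the regulation asks for the review, not just the log.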
Issue #5: Bad Internal Processes
- Regulation: 45 CFR §164.308(a)(3) – “Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.”
You need to have a process to control who has access to patient files. An employee with unauthorized access to medical records is a violation. It is also required that you immediately remove access for former employees.
Issue #6: Failure to Have Business Associate Agreements (BAAs)
- Regulation: 45 CFR §164.308(b) – HIPAA requires that covered entities enter into agreements with their business associates to ensure they will appropriately safeguard protected health information.
Most organizations don’t understand who counts as a Business Associate. This is why they fail this part of a HIPAA investigation. Here are a few examples of potential Business Associates:
- A collection agency providing debt collection which involves access to patient files.
- An independent medical transcription service provider.
- An IT service provider with access to the hardware that patient files are on.
- Any subcontractor of a vendor that will have access to your systems that store patient files.
Issue #7: Inadequate Backup and Contingency Plan
- Regulation: 45 CFR §164.308(a)(7) – “Organizations must ensure that adequate contingency plans (including data backup and disaster recovery) are in place and would be effective when implemented in the event of an actual disaster or emergency situation.”
Having backups of your data is not the same as having a documented contingency plan. You need to outline how you will continue to operate in the event of an emergency. Here are some things you should consider:
- What do you do if there is no internet access?
- How do you recover from a natural disaster (e.g. fire, flood, tornado)?
- How do you address a ransomware infection?
- How do you reschedule patients if you don’t have phone service or power?
Here is a BONUS one for you that goes along with number 7.
Issue #8: No Testing of Contingency Plans
- Regulation: 45 CFR §164.308(a)(7)(ii)(D) – “As reasonable and appropriate, organizations must periodically test their contingency plans and revise such plans as necessary when the results of the contingency exercise identify deficiencies.”
You should review and test your contingency plans at least once a year. This will ensure that your staff can execute the plan should the need arise. Having a plan is useless if you don’t make sure the plan works.
This is a small sample of the common issues we have seen organizations struggle with. Rather than trying to fight HIPAA, we propose that you use it to create a strong cybersecurity plan, one designed to adapt to evolving threats and to changes within your business.
HIPAA compliance can be an intimidating goal for a practice. Figuring out where to start, what is required, and how much it’s going to cost are just a few of the things that practices wrestle with.
But unfortunately, this is not something you can take lightly. Your security measures have to win every time; the attacker only has to win once.
Simple Plan IT takes all of the guesswork out of HIPAA compliance. Our Cyber Secure service was created by our in-house team consisting of 2 Certified Information Systems Security Professionals (CISSP) and a Certified Ethical Hacker (CEH), and is supported by certified Project Management Professionals (PMP). Our service starts with a detailed risk analysis. We then address everything needed to achieve and maintain your HIPAA compliance. That includes all of the ongoing documentation that is required by HIPAA.
For those that are serious about cybersecurity, we’re able to do real-time monitoring with near real-time remediation. Dedicated engineers in our private Security Operations Center (SOC) will watch your network in real-time. They will be looking for events that require more investigation, documentation, and remediation. Should an event occur, they will immediately execute upon a predetermined plan.
If you’re missing any of these examples or question whether your current strategy is adequate, we encourage you to give us a call. Our certified security experts can assist you in developing a plan that is right for you.
Thank you for your time and we look forward to helping you in the future.