The Health Insurance Portability and Accountability Act (HIPAA) of 1996 grants patients access rights to their health information while safeguarding their privacy. HIPAA imposes strict regulations on protected health information (PHI), and the federal government gives the law sharp teeth in the form of expensive fines and jail time.
To illustrate, the United States Department of Health and Human Services (HHS) imposed a $3.3 million fine upon New York-Presbyterian Hospital (NYP) for four HIPAA violations. NYP’s most egregious offense was the unauthorized disclosure of the electronic protected health information (ePHI) of 6,800 patients to search engines such as Google when a server that had access to NYP’s ePHI information systems was misconfigured.
NYP paid the fine and agreed to comply with HHS’s corrective action plan to resolve all privacy issues. It did so to avoid further investigation and civil litigation proceedings that could accrue additional costs and keep NYP from providing care to its patients.
NYP is but one among many others that suffered heavy penalties over the years. It is therefore wise for all healthcare organizations to learn from their costly and near-ruinous mistakes, which include the following:
Mistake #1: Assuming all cloud service providers are HIPAA-compliant
Cloud service providers all claim to have measures in place to prevent data breaches, but this doesn’t mean that their claim is true, or that their security measures are sufficient for conforming to HIPAA.
Cloud service providers that store, share, or transmit ePHI on behalf of healthcare organizations must sign business associate agreements (BAAs) as part of conforming to HIPAA. A BAA is a written assurance or contract that states that business associates (i.e., third parties that provide services to healthcare organizations) “will not use or further disclose” PHI beyond the ways that are permitted and required as specified in the agreement. Therefore, cloud providers that are not willing to enter into BAAs, such as iCloud, cannot be used with any ePHI. In fact, in its terms and conditions, iCloud states that it cannot be used for storing or sharing ePHI, for doing so would violate HIPAA Rules.
Mistake #2: Assuming all aspects of HIPAA compliance fall on IT’s shoulders
Thinking that your IT department is solely responsible for implementing HIPAA is a big mistake. Everyone in your organization who handles PHI must be duly trained on HIPAA policies and protocols so as to avoid data breaches.
For instance, employees might not be aware that posting patient photos on Instagram and other social media is a HIPAA violation, even if names are not mentioned. Additionally, texting patient information such as test results may be expedient and seemingly harmless, but this actually exposes the information to skilled cybercriminals who can intercept SMS messages. Employees must be trained to communicate via secure channels or be provided with text encryption programs to keep PHI safe from prying eyes.
Mistake #3: Leaving PHI unencrypted
Encrypting health information or making it unintelligible by other means is by far the best way to keep it safe from unauthorized disclosure. With proper encryption in place, lost USB drives or stolen laptops won’t necessarily expose patients’ sensitive information.
One way to keep PHI secure is via Microsoft Azure Information Protection, which allows you to manually label documents as PHI, or set guidelines that let the software recognize health data as PHI. You can then apply rules on PHI documents, such as requiring decryption keys for viewing them, and exclusively permitting individuals with clearance to forward files via email.
The use of mobile devices such as tablets among nurses and doctors is growing, but the portability of such equipment makes it easy to steal. An efficient way to achieve both security and productivity on your mobile devices is via a mobile management cloud service such as Microsoft Intune. Intune enables healthcare professionals to use mobile devices to access and share crucial health data among themselves while helping them comply with HIPAA at the same time.
Mistake #4: Not getting insured for data breaches
Being 100% HIPAA compliant is imperative, but data breaches can still occur despite your best efforts to ward them off. Complaints brought against you by aggrieved patients and the investigations that ensue can result in hefty fines, so having insurance coverage for data breaches is wise. Premiums for such a policy are usually affordable and can mean million-dollar savings in the long run.
These four major mistakes in HIPAA compliance are avoidable. To help you conform to HIPAA rules while still maintaining a high level of healthcare service to your patients, talk to our expert consultants at Edward Technology.