The Meridian Blog: Tech News, Tips & More for SMB and Enterprise Environments

Five Best Practices to Avoid Common HIPAA Violations

Posted by JC Lee
Tue, Jun 06, 2017

Fines up to $1.5 million, loss of clients, and negative publicity are just some of the serious consequences of violating the 1996 Health Insurance Portability and Accountability Act (HIPAA).

The penalties for non-compliance are based on the level of negligence, and in some cases carry criminal charges that can result in jail sentences. HIPAA compliance is serious business, and when penalties are levied, one of the main things taken into consideration is what preventive steps, if any, were taken.

With that in mind, here are five basic best practices to implement for HIPAA compliance:

  1. Comprehension of the guidelines
  2. Training
  3. Guard against 3rd party disclosure
  4. Proper disposal methods
  5. Mobile device management

Read on to learn about each of these five best practices, and how you can implement them.

1. Ignorance is no excuse

First, know the laws and regulations encompassed within "HIPAA," currently administered by the U.S. Department of Health and Human Services (HHS). The HIPAA Security Rule relates to electronic patient records and keeping them safe from unauthorized access, both at rest on internal or external storage and in transit.

Electronic patient records are usually stored on computer hard drives, disks, digital memory devices, and networks. Each of these storage methods must remain HIPAA compliant.

Most HIPAA violations relating to the Security Rule's Physical Safeguards involve paper documents, human error, and the loss or theft of a mobile device. At a minimum, include safeguards such as encryption, patch management, anti-virus software, and a deep-packet inspection firewall to block suspicious activity.


2. Train Proactively

Compliance is an enterprise-wide responsibility. Conduct in-house training to educate all employees and answer questions about HIPAA privacy regulations. If you use HIPAA security software, make sure that your employees know how to use it.

For large organizations, this can be more easily done than for small-to-midsized businesses (SMBs). However, an SMB can partner with a managed services provider (MSP) to conduct training courses and seminars.

3. Guard Against Third-Party Disclosure

Improper disclosure of personal health information (PHI) to business associates, contractors, or other entities is a common cause of HIPAA violations. Some of the largest HIPAA data breaches reported to HHS have involved third parties.

Health care providers that are required to protect patients' PHI are called covered entities (CEs). Many CEs have business associates who, in the course of doing business, have access to PHI. It is the responsibility of both the CE and the third-party associate or contractor to be HIPAA compliant and guard against improper disclosure of personal health information.


4. Proper Disposal Methods

In the digital environment we now live in, information is much more difficult to destroy. Whether in paper or digital form, any PHI that is no longer needed has to be properly shredded or erased so that it cannot be accessed by anyone. Old hard drives and thumb drives should be physically disabled (smashed), and data on phones and other mobile devices must be wiped before they are released.

HIPAA violations can show up in surprising places, like photocopiers. Affinity Health Plan Inc. was recently fined over $1.2 million after it returned photocopiers to a leasing company without properly erasing the hard drives.

5. Mobile Device Management

One of the most common causes of HIPAA violations is the improper storing and handling of PHI on mobile devices, both enterprise-issued and bring-your-own-device (BYOD). Covered entities and their business associates are obligated to keep mobile devices containing PHI out of the wrong hands. Lost or stolen devices are the responsibility of the issuing party regardless of the cause. Though not inevitable, these events must be prepared for with proper password protection and encryption. Both are addressed within HIPAA, and a CE that is audited can be penalized for lacking them even before any device goes missing.


Almost half of all data breaches are the result of theft. When mobile devices such as smartphones, laptops, and tablets are unencrypted the risk of a data breach increases greatly. Recently, the Alaska Department of Health and Human Services was fined a total of $1.7 million after an unencrypted USB drive was stolen. In another case, Blue Cross Blue Shield of Tennessee was fined $1.5 million when 57 unencrypted hard drives were stolen.


It's clear that HHS takes encryption of PHI very seriously, but this doesn't mean that PHI is the only thing that should be protected. Data encryption is a fundamental element in protecting any important information and should be implemented to protect all enterprise data as well.


JC Lee started working at Meridian as an intern in 2007. Today, she manages all of Meridian's internal and external communication and marketing programs. She is a University of Maryland alumna (Go Terps!) who loves writing, design, technology, traveling with her husband Logan, and her Maltese named Bear.
