Fines up to $1.5 million, loss of clients, and negative publicity are just some of the serious consequences of violating the 1996 Health Insurance Portability and Accountability Act (HIPAA).
The penalties for non-compliance are based on the level of negligence, and in some cases carry criminal charges that can result in jail sentences. HIPAA compliance is serious business, and when penalties are levied, one of the main things taken into consideration is what preventive steps, if any, were taken.
With that in mind, here are five basic best practices to implement regarding HIPAA compliance:
- Comprehension of the guidelines
- Proactive training
- Guarding against third-party disclosure
- Proper disposal methods
- Mobile device management
Read on to learn about each of these five best practices and how you can implement them.
1. Ignorance is no excuse
First, know the laws and regulations encompassed within "HIPAA", currently administered by the U.S. Department of Health and Human Services (HHS). The HIPAA Security Rule relates to electronic patient records and keeping them safe from unauthorized access, whether at rest on internal or external storage or in transit.
Electronic patient records are usually stored on computer hard drives, removable disks, flash memory, and networks. Each of these storage methods must remain HIPAA compliant.
Most HIPAA violations relating to the Security Rule's Physical Safeguards involve paper documents, human error, and the loss or theft of a mobile device. At a minimum, include safeguards such as encryption, patch management, anti-virus software, and a deep-packet inspection firewall to block suspicious activity.
2. Train Proactively
Compliance is an enterprise-wide responsibility. Conduct in-house training to educate all employees and answer their questions about HIPAA privacy regulations. If you use HIPAA security software, make sure that your employees know how to use it.
This is easier for large organizations than for small-to-midsized businesses (SMBs). However, an SMB can partner with a managed services provider (MSP) to conduct training courses and seminars.
3. Guard Against Third-Party Disclosure
Improper disclosure of personal health information (PHI) to business associates, contractors, or other entities is a common cause of HIPAA violations. Some of the largest HIPAA data breaches reported to HHS have involved third parties.
Health care providers that are required to protect patients' PHI are called covered entities (CEs). Many CEs have business associates who, in the course of doing business, have access to PHI. It is the responsibility of both the CE and the third-party associate or contractor to be HIPAA compliant and to guard against improper disclosure of personal health information.
4. Proper Disposal Methods
In the digital environment we now live in, information is much more difficult to destroy. Whether in paper or digital form, any PHI that is no longer needed must be properly shredded or erased so that it cannot be accessed by anyone. Old hard drives and thumb drives should be physically disabled (smashed), and data on phones and other mobile devices must be wiped before they are reissued or otherwise released.
HIPAA violations can show up in surprising places, such as photocopiers. Affinity Health Plan Inc. was recently fined over $1.2 million after it returned photocopiers to a leasing company without properly erasing the hard drives.
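As an added example (not code from the original article), here is a small Python routine for the "erased so that it cannot be accessed" part of the advice: it overwrites a file's contents with random data, verifies the original content is gone, and only then deletes it. The file name, sample record format and helper names are all constructed for the illustration. One caveat a practitioner should keep in mind: an overwrite only reaches the blocks the filesystem chooses to write back to, so on SSDs, copy-on-write or journaling filesystems, and anywhere snapshots or backups exist, copies can survive. That is exactly why the article recommends physical destruction for retired drives, and why whole-disk encryption (with the key destroyed at disposal) is the usual complement to file-level wiping.

```python
import hashlib
import os
import tempfile

# Added example for secure file disposal. Caveat: overwriting in place is
# defence-in-depth only; SSD wear-levelling, copy-on-write filesystems and
# backups can retain copies, so retire physical media by destruction or by
# whole-disk encryption plus key destruction.


def _sha256_of(path: str) -> str:
    """Hash the file's current contents so the overwrite can be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def overwrite_in_place(path: str, passes: int = 3, chunk_size: int = 65536) -> int:
    """Overwrite every byte of the file with fresh random data, `passes` times,
    forcing each pass to disk with fsync. Returns the total bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(os.urandom(n))
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())
    return written


def sanitize_file(path: str, passes: int = 3) -> bool:
    """Overwrite, confirm the original content is gone, then unlink.
    Returns True only when the file was overwritten and removed; a file that
    could not be overwritten is left in place so the failure stays visible."""
    if not os.path.isfile(path):
        return False
    before = _sha256_of(path)
    overwrite_in_place(path, passes)
    after = _sha256_of(path)
    if os.path.getsize(path) > 0 and before == after:
        return False
    os.remove(path)
    return True


def demo() -> dict:
    """Create a constructed PHI-like export (fake data), sanitize it, and
    report what happened."""
    sample = b"MRN 000123, DOE JANE, DOB 1970-01-01, DX: example only\n" * 100
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as f:
        f.write(sample)
    ok = sanitize_file(path, passes=2)
    return {
        "sanitized": ok,
        "still_exists": os.path.exists(path),
        "bytes_per_pass": len(sample),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script creates a throwaway export in the temp directory, wipes it and reports `sanitized: True, still_exists: False`. The deliberate design choice is that a failed overwrite returns False and leaves the file alone, rather than deleting a file whose contents are still intact; silent "deletion" is how data ends up on a returned photocopier.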
5. Mobile Device Management
One of the most common causes of HIPAA violations is the improper storing and handling of PHI on mobile devices, both enterprise-issued and bring-your-own-device (BYOD). Covered entities and their business associates are obligated to keep mobile devices containing PHI out of the wrong hands. Lost or stolen devices are the responsibility of the issuing party regardless of the cause. Though not inevitable, these events must be prepared for with proper password protection and encryption, both of which are addressed within HIPAA; a CE that is audited can be penalized for lacking them even before any device goes missing.
Almost half of all data breaches are the result of theft. When mobile devices such as smartphones, laptops, and tablets are unencrypted the risk of a data breach increases greatly. Recently, the Alaska Department of Health and Human Services was fined a total of $1.7 million after an unencrypted USB drive was stolen. In another case, Blue Cross Blue Shield of Tennessee was fined $1.5 million when 57 unencrypted hard drives were stolen.
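The two controls the article keeps coming back to, encryption and password protection, are easy to audit once you have a device inventory. Below is an added example (not from the original article or any MDM product) of that audit logic in Python, run over a constructed inventory. The asset IDs, fields and severity labels are all assumptions for the illustration. The ranking follows the article's own reasoning: a device holding PHI with no encryption is the real exposure, one that is already lost or stolen is the worst case, and a lost device that was properly encrypted and passcode-protected does not appear in the findings at all.

```python
from dataclasses import dataclass


@dataclass
class Device:
    asset_id: str
    kind: str              # laptop, smartphone, tablet, usb
    stores_phi: bool
    encrypted: bool        # whole-device / full-disk encryption enabled
    passcode_enforced: bool
    status: str            # active, lost, stolen, retired


# Constructed sample inventory for the example; none of these are real assets.
INVENTORY = [
    Device("LT-001", "laptop", True, True, True, "active"),
    Device("LT-002", "laptop", True, False, True, "active"),
    Device("PH-010", "smartphone", True, True, False, "active"),
    Device("USB-07", "usb", True, False, False, "stolen"),
    Device("TB-003", "tablet", False, False, False, "active"),
    Device("LT-004", "laptop", True, True, True, "lost"),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def assess(device: Device):
    """Return (severity, issues) for one device, or None if it is compliant
    or holds no PHI."""
    if not device.stores_phi:
        return None
    issues = []
    if not device.encrypted:
        issues.append("unencrypted")
    if not device.passcode_enforced:
        issues.append("no passcode enforcement")
    if not issues:
        return None
    missing = device.status in ("lost", "stolen")
    if missing and not device.encrypted:
        severity = "critical"   # PHI presumed exposed: handle as an incident
    elif not device.encrypted:
        severity = "high"       # one theft away from the Alaska / BCBS scenario
    else:
        severity = "medium"     # encrypted, but the passcode gap weakens it
    return severity, issues


def audit(devices):
    """Produce findings sorted most severe first."""
    findings = []
    for d in devices:
        result = assess(d)
        if result is None:
            continue
        severity, issues = result
        findings.append({
            "asset_id": d.asset_id,
            "kind": d.kind,
            "status": d.status,
            "severity": severity,
            "issues": issues,
        })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["asset_id"]))
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f['severity']:8} {f['asset_id']:7} {f['status']:7} "
              + ", ".join(f["issues"]))
```

On the sample inventory the stolen, unencrypted USB drive comes out on top, the active unencrypted laptop next, and the encrypted phone without passcode enforcement last; the encrypted, passcode-protected laptop that was lost produces no finding, which is the practical payoff of the encryption the article describes. In a real deployment the inventory rows would come from your MDM or asset system rather than a hard-coded list.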
It's clear that HHS takes encryption of PHI very seriously, but this doesn't mean that PHI is the only thing that should be protected. Data encryption is a fundamental element in protecting any important information and should be implemented to protect all enterprise data as well.