HIPAA compliance is an ongoing process. Do you have security and privacy policies and procedures for your organization? Do you review your policies and procedures periodically? Is your HIPAA training planned for new employees and to update everyone as necessary? Do you know where the gaps are in your data security and do you have a plan to address these gaps? Do your vendors and their staff follow a culture of privacy?
Our Managing director, Rema Deo has created a list of the top 6 HIPAA Violations 24By7Security staff have found, based on over 500 security risk assessments conducted by our security analysts for healthcare organizations ranging from one doctor practices to multi-location hospitals. This list of HIPAA violations comes complete with appropriate risk mitigation recommendations that can help you in your organization.
1. Lack of Business Associate Agreements (BAAs) with your vendors
Often healthcare organizations, especially the smaller to medium sized medical practices, fail to enter into Business Associate Agreements with their vendors or business associates. These vendors could range from a small IT vendor to large Electronic Health Record System (EHR). Sometimes, smaller practices use free insecure email and even use insecure email to share or communicate PHI. This puts them at unnecessary risk. Healthcare providers should also note that business associate agreements should be dated after the Omnibus Final Rule came into effect, i.e. after January 2013.
How can you mitigate this risk when it comes to Business Associate Agreements?
- Prevent this risk by getting HIPAA-compliant Business Associate Agreements signed with all your vendors or business associates who have access to PHI.
- Be sure to always use secure means of transmission of PHI, and enter into a Business Associate Agreement with the vendors who are providing this secure transmission. For example, secure email providers, external cloud storage solutions, EHR systems, and such providers usually have HIPAA-compliant service options where they provide business associate agreements.
COMPLIMENTARY VENDOR RISK ASSESSMENT WEBINAR
CLICK ON THE IMAGE ABOVE TO REGISTER NOW
2. Loss or theft of portable devices
Many covered entities take insufficient steps to safeguard PHI especially on thumb drives and other portable devices. The Office of Civil Rights (OCR) is clear that loss of PHI is not considered a breach if it is properly encrypted.
Mitigate your risk in case devices are lost or stolen
- Covered entities must ensure that their portable devices, thumb drives, laptops, computers and servers are all encrypted.
- Drives, storage devices and other portable devices storing PHI must be kept locked when not in use.
- Develop, implement and maintain an appropriate data backup policy. Ensure that backups are encrypted as well.
3. Failure to complete an enterprise-wide Risk Analysis
OCR has also often found that failure to complete an enterprise-wide risk analysis is a HIPAA violation, and they have levied significant penalties and fines on entities who could not show evidence of having completed an enterprise-wide risk analysis. The case of the large fine imposed on Anthem recently is an example of this. We mentioned this breach and the monumental price tag that came with it in our October Newsletter.
Mitigate your risk of fines in the event of an audit
- All areas of the enterprise should be covered with periodic, thorough enterprise-wide security risk analysis.
- The risk assessment or analysis should be repeated periodically and after any major changes. We recommend doing this annually as a best practice.
- Review your findings from the Risk Analysis and prepare an action plan with remediation plans and target dates.
4. Insufficient physical safeguards or keeping PHI unlocked or easily accessible
Paper files are often kept unlocked. This practice carries a risk of penalties if your data is breached.
Mitigate your risk of unauthorized PHI access
- We recommend keeping paper files with PHI locked
- IT closets/ network/ security/ server equipment should also be kept locked to prevent unauthorized access.
5. Lack of HIPAA security and privacy policies and procedures.
Often covered entities do not maintain and implement satisfactory HIPAA security and privacy policies and procedures. Or even if they have policies and procedures, not all of them review and update their policies and procedures periodically.
Mitigate your risk
- Take the time to prepare and maintain policies and procedures.
- Review these policies and procedures annually or after a major change.
- Ensure that employees are trained on your policies and procedures, and follow them.
6. Delays in reporting breaches as per the breach notification rule.
Breaches affecting more than 500 patients are required to be reported to the Department of Health and Human Services (HHS) within 60 days of being discovered. It’s bad enough to delay reporting to HHS, but covered entities may often not be aware of state-level breach notification requirements. Some states like Florida can be very strict with breach notification delays. Florida, under the Florida Information Protection Act, has 30-day breach notification requirements and other specific rules depending on the number of records breached. The fines are also drastic, an example being $1000 per day for every day late for the first 30 days and more stringent penalties after that. All 50 states have enacted laws regarding breach notification.
Mitigate your risk of penalties for failing to report breaches in a timely manner
- If you suffer a breach, be sure to take legal advice in terms of all the requirements in your industry and location.
- Ensure that you are aware and comply with your state or location specific breach reporting requirements in addition to federal HIPAA breach notification rules.
- Cyber Insurance can help mitigate some of the expenses of a breach, but take a close look at what is covered and what you need to be doing in order to maintain coverage.