Let's Face It: Patient Collection is Mission Critical
August 15, 2014
Ransomware is a Real Thing and It's Coming for YOU
February 4, 2017
10 Ways You May Be Violating HIPAA Security
November 7, 2014
HIPAA breaches seem to be popping up everywhere. Most are huge practices or companies that hackers target. But what about the small to mid-size provider? How are you complying with HIPAA Security? Can you afford a $50,000 penalty for one violation? Here are 10 ways you may be undercutting your efforts:
Still using Windows XP as your operating system. Microsoft no longer supports Windows XP and as a result, no longer issues security fixes. HIPAA does not mandate a specific operating system nor is a breech imminent with XP, however, HIPAA does require for any system with PHI to address protection from malicious software. Contact us for compatible alternatives.
Saving PHI to unencrypted local devices for portability or backup (i.e., laptops, backup tapes, thumb drives, etc). Leon Rodriguez of the Office for Civil Rights said “Every time there is a HIPAA breach penalty for a lost laptop or hard drive, the penalty would have been avoided if the data was encrypted.” Encryption software can be purchased, but a better alternative is not to save PHI onto local devices. Services such as Enveloc are excellent affordable encrypted data storage alternatives. Click here for more information on how Enveloc can work for you!
Using Dropbox to backup PHI. Dropbox is a popular storage service because it is easy to use and convenient. Backup and data sharing is very easy. Unfortunately, Dropbox is NOT HIPAA Compliant, nor does it claim to be. Enveloc is HIPAA Compliant and is affordable.
Using mobile devices or social media to communicate with or discuss patients. SMS text messaging is non-compliant regardless of whether it is with the patient or another provider. Discussing a patient’s case via social media which in any way identifies a patient (name, demographics, population, etc) can lead to trouble.
Sending PHI in an unencrypted email or using “free” emails to send emails with patient information. An email service is considered a Business Associate. Not all email services will sign a Business Associate Agreement which makes them ineligible for HIPAA-compliant communication.
No individual security logons/passwords or sharing logons/passwords. Anyone with access to PHI must use a unique user identification. User accounts and passwords should not be shared. MediSoft has customizable user log-in features which help control access to PHI.
Not reviewing Audit Logs. HIPAA Security requires that access to PHI be reviewed periodically. This can be done in MediSoft under the Reports section.
Not having HIPAA Security Policy and Procedures and not training staff on policies. HIPAA is flexible with the approach of how policies are designed so that they can be customized for each covered entity. Generally, policies include the organization’s expectation of staff compliance, assign responsibility for decision-making and define enforcement consequences for violations. Procedures describe how the organization carries out that approach with step-by-step instructions to implement the policy. All staff should be trained on the organization’s policies and procedures.
Not having a Business Associate Agreement with all third parties who have access to PHI via your practice. The 2013 HIPAA Omnibus regulation expanded the requirements for Business Associate arrangements, making third parties directly covered by HIPAA. Any third party you hire who has access to patient PHI is a Business Associate and as such, should have an updated Business Associate Agreement. Examples include billing services, transcriptionists, shredding services, data storage, consultants, etc. Each clinic should look through your accounts payable function to see what companies you pay for services to determine if any have access to PHI.
Not regularly performing a Risk Assessment. HIPAA requires the regular review of the administrative, physical and technical safeguards of a covered entity to help address vulnerabilities and potentially prevent breaches. HHS has a Risk Assessment Tool which can be downloaded here.