The Health Insurance Portability and Accountability Act (HIPAA) was formed to standardize the ways patient health information (PHI) is protected. Healthcare providers and their IT partners, whether in-house or outsourced, should be knowledgeable about the key provisions of HIPAA. But that’s rarely the case for many healthcare organizations.
Over the years, there have been numerous incidents of healthcare data breaches, showing that many practices still need to improve their HIPAA IT certification measures. Nevertheless, being HIPAA compliant does not mean never experiencing a breach; rather, it denotes preparedness for breaches by complying with federally mandated privacy and security standards.
The truth is that there’s a long list of privacy and security rules to follow, and healthcare practitioners may find it difficult to achieve 100% compliance by themselves. The good news is that addressing the following common mistakes can make it significantly easier to achieve and reap the benefits of HIPAA compliance.
- Records Mishandling
It’s not highly unusual for doctors, nurses, and hospital staff to become complacent when using communication channels like SMS and social media. When they text or chat using mobile devices that contain electronic PHI (ePHI) yet don’t have encryption software, there is a risk of exposing private patient data to unauthorized or malicious entities.
To avoid this risk, healthcare practices and their IT team must enforce procedures for handling patient records, whether these are hard or soft copies of patient files. Any staff handling ePHI must undergo security training that includes topics on patient data confidentiality, proper usage of mobile devices and apps, and maintaining HIPAA compliance when exchanging data via social media and SMS.
- Failure to Implement Mobile Device Security
The IT teams of a hospital or a clinic may be able to consistently protect computers, servers, and network equipment at the workplace premises. But as working arrangements become more flexible, with some staff members working remotely more than usual, the company-issued or personal devices that they use when working remotely may not be as secure.
While accessing PHI on personal devices doesn’t automatically result in a HIPAA violation, it could lead to a breach when such personal devices get lost or stolen. This could result in huge fines for the organization, as in the case of wireless health services provider CardioNet. The company paid $2.5 million in fines when the laptop of one of its employees was stolen from a parked vehicle at the employee’s home.
To avoid such incidents, healthcare staff must be taught not to leave their devices unattended and to avoid working in places where anyone can see what’s on their screen, especially when they’re accessing PHI.
- Insufficient Cloud Data Storage Security
The HIPAA Security Rule includes stringent measures on protecting stored data, data backup and recovery, system availability, and accountability. Working with cloud security experts relieves healthcare practices of having to manage and secure their cloud storage systems. However, being HIPAA compliant entails following specific requirements pertaining to data storage practices, and some IT companies may not always take this into account when developing a cloud security strategy for their clients.
Although healthcare practices may choose a third-party cloud provider like Amazon Web Services, their IT team must ensure that cloud systems are fully aligned with HIPAA regulations. This shared responsibility guarantees that a company's HIPAA compliance measures are up to date.
- Failing to Consider State Laws
PHI is protected under both federal and state laws. HIPAA, which mandates the minimum level of protection on a national level, encompasses the protection of PHI under its Privacy Rule. Its rules may preempt state-specific laws, but exceptions apply in cases where state laws are stricter in terms of, for instance, preventing health records fraud.
Connecticut State has specific laws about assuring the confidential treatment of patients’ personal and medical records and prohibiting the sale of PHI. Failing to consider both federal and state laws when implementing IT security measures can lead to a HIPAA violation. This is why working with a local managed IT services provider (MSP) is highly beneficial; they are highly knowledgeable about data protection laws on both national and state levels. An MSP that’s well-versed with overlaps in HIPAA and state laws can determine whether statewide regulations supersede federal rules, and vice versa, and knows how to configure healthcare IT systems accordingly.
- Not Entering Into a HIPAA-compliant Business Associate Agreement
The HIPAA Omnibus Rule refers to business associates as entities that process, store, or transmit PHI. IT companies that handle HIPAA IT certification for organizations know this, and yet some providers still fail to enter into appropriate business associate agreements, which may result in a HIPAA violation.
Healthcare providers should work with an IT provider that’s experienced in handling HIPAA compliance. On the other hand, HIPAA IT certification experts must be able to identify problem areas in their clients’ HIPAA compliance systems and cybersecurity infrastructure. Ultimately, both healthcare practices and their IT partners must always keep in mind to enter into a HIPAA-compliant business associate agreement that ensures both parties remain HIPAA compliant.
Charles IT’s technology experts can perform a thorough assessment of your systems to make sure your practice remains compliant and free from liabilities. Talk to us about your HIPAA compliance challenges.
