Many organizations are transitioning from paper to digital information systems, such as client management, Electronic Health Record (EHR), and Computerized Physician Order Entry (CPOE) software. These systems enable providers to deliver higher-quality health care to clients by allowing collaboration with colleagues and access to personal information from remote locations. Yet the shift to digital records brings new risks that can compromise patient confidentiality and result in HIPAA compliance violations.
What HIPAA requirements do healthcare organizations need to follow?
- Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) your organization creates, receives, maintains, or transmits.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by your workforce.
What are the most common HIPAA compliance violations?
According to YourDictionary.com, the most common HIPAA compliance violations include:
- Failure to follow the authorization expiration date: Clients can set a date when their authorization expires. An organization releasing confidential records after that date would be violating HIPAA rules.
- Failure to promptly release information to patients: According to HIPAA, a client has the right to receive electronic copies of medical records on demand.
- Improper disposal of patient records: Shredding is necessary before disposing of client records.
- Insider snooping: Family members, co-workers, or other insiders looking into a person's medical records without authorization.
- Missing patient signature: Any HIPAA forms without the client’s signature are invalid, so releasing the information would be a violation.
- Releasing information to an undesignated party: Only the exact person listed on the authorization form may receive client information.
- Releasing unauthorized health information: This refers to releasing a document the client did not approve for release. A client has the right to release only parts of their medical record.
- Releasing the wrong client's information: Someone releases information to the wrong person through a careless mistake. This often happens when two clients have the same or similar names.
- Right to revoke clause: Any form a client signs must include a Right to Revoke clause, or the form is invalid. Any information released to a third party under an invalid form would therefore violate HIPAA regulations.
- Unprotected storage of private health information: A common example is a stolen laptop whose confidential contents are then sold. Users who store confidential information electronically need to use a secure (encrypted) device. This applies to laptops, thumb drives, and any other mobile device.
What are the consequences of not following HIPAA compliance standards?
- Fines starting at $50,000 and potentially reaching into the millions
- Audits
- Imprisonment of up to a year
- Legal action from patients
How can your organization comply with HIPAA standards?
- Implement written security policies and procedures: Your organization must set documented rules for acceptable use when accessing, storing, sharing, and protecting patient information. Employees who fail to follow this policy are subject to job loss and possible criminal prosecution.
- Employees must protect their office workspace: Staff should closely monitor any computers, monitors, printers, and fax machines they use and shield confidential information from prying eyes. They should log out of their computers when stepping away and lock up workplace mobile devices when not in use.
- Get client consent before releasing personal information to third parties: First, your organization should make sure the client approves a document for release, typically with a signature. Once the client grants permission to share information with third parties, your organization should obey the official expiration date stated by the form. Finally, your organization should inform patients they can remove consent to access their confidential medical information.
- Use strong anti-virus/anti-malware software and update it regularly: Viruses and malware can enter your computer through suspicious websites, email attachments, and file downloads. Free anti-virus software will not provide enough protection. We recommend endpoint protection software, such as Symantec Endpoint Protection or Trend Micro Worry-Free Security Services, which combines virus and malware protection, a firewall, and web browser security.
- Create a backup and disaster recovery plan: SwiftTech strongly recommends backing up data to both an onsite and an offsite location. For example, Veeam Backup and Replication can archive your information to an onsite device dedicated to disaster recovery and offsite to a cloud storage provider, such as Windows or Amazon. If a disaster occurs, you can access your data from the cloud and continue your work on another device. The latest backup methods also employ strong encryption, so unauthorized individuals cannot easily access your confidential business data.
- Manage your passwords securely: Do not share passwords or leave them written on a piece of paper in your desk drawer. Consider a password manager for your login information. Imprivata OneSign Single Sign-On will create hard-to-crack passwords, store them, and automatically fill in your credentials when you open the application of your choice.
- Encrypt sensitive organizational emails: McAfee SaaS Email Protection & Continuity will allow your organization to protect confidential outbound emails with gateway-to-gateway encryption. Also, McAfee SaaS Email Archiving will provide encrypted storage of old emails in the cloud.
- If using Windows XP, Vista, or 7, upgrade your operating system: Microsoft no longer offers security updates for Windows XP, Vista, or 7. Unpatched operating systems leave computers vulnerable to malware that can damage, leak, or even delete patient data. Your organization should upgrade computer operating systems to Windows 10 to ensure continued security updates.
SwiftTech Solutions can help your organization follow HIPAA data protection standards. Our IT consultants can assist with weekly HIPAA preparation audits, OS vulnerability inspections, external intrusion testing, and more. Call 877-794-3811 or email info@swifttechsolutions.com for a free analysis.
SOURCES
YourDictionary.com. Examples of HIPAA Violations. Retrieved from http://examples.yourdictionary.com/examples-of-hipaa-violations.html
Wlodarz, D. (2013, September 2). 5 big myths surrounding computer security and HIPAA compliance. Retrieved from http://betanews.com/2013/09/02/5-big-myths-surrounding-computer-security-and-hipaa-compliance/
Kibbe, D. (2005, April 12). Ten Steps to HIPAA Security Compliance. Retrieved from http://www.aafp.org/fpm/2005/0400/p43.html
American Medical Association. HIPAA Violations and Enforcement. Retrieved from http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
Imprivata. Authentication Management. Retrieved from http://www.imprivata.com/products-solutions/authentication-access-management/authentication-management