Most providers know HIPAA places certain standards on practices to keep patient data safe—and that failure to meet them results in corrective actions and large fines. (Just one compromised medical record can cost a practice $50,000.)[1]
In case you need a quick reminder, HIPAA (Health Insurance Portability and Accountability Act of 1996) was designed to safeguard the Protected Health Information (PHI) of patients from data thieves and data loss.
It requires providers to ensure the secure storage and transmission of patient information.
But many are focused on running their practices, and haven’t sorted through HIPAA regulations with the fine-toothed attention required to achieve compliance. They often have long-held workflows reliant on non-compliant technology and record systems.
The perceived cost—financial and functional—of achieving HIPAA compliance can seem daunting, so many practices take the heavy risk of continuing business as usual.
What you might not know is there are a few immediate actions you can take to move toward HIPAA compliance with minimal upfront cost or interruption in workflow.
Here are steps you can take now to reduce the risk your practice will be fined and publicized as a HIPAA violator.
1. Move your data to the cloud.
If you rely on an on-site server to store all your patient data, or if someone from your team is carrying a backup hard drive to and from the office every day, moving your data to the cloud is one of the most immediate ways to save money, time and worry.
When your data is in the cloud, it’s stored at multiple high-security data centers. Because it’s backed up at more than one center, no single disaster (such as a fire or flood) can wipe out your patient data. Importantly, you won’t need a backup hard drive that may end up in the hands of data thieves.
Consider what happened at Washington State University in 2017. According to the HIPAA Journal,[2] a hard drive containing identifiable information (including social security numbers) of more than 1 million research participants was stolen, despite being locked in a safe (also stolen). The estimated cost of the breach was $245 for each exposed record. That’s one expensive hard drive.
Not only does storage in the cloud protect your data, it can improve the efficiency of your practice. When you move to a cloud-based Electronic Health Record (EHR) system, you’re not bound by the size or space constraints of having a server tower live at your practice. You can even access patient data from other locations via your laptop or smartphone.
Using the cloud to store and back up your data is also very cost efficient—often far less expensive than traditional backup systems.
2. Stop sharing PHI via Gmail, Yahoo! or Outlook.
A huge portion of HIPAA violations resulting in the largest fines stem from hacking and phishing attacks on non-secure emails containing PHI. These attacks on emails are so frequent and successful because:
- Data thieves can execute them remotely, so they’re harder to track down.
- When undiscovered, hacking/phishing can go on in perpetuity, continually mining PHI and increasing the inevitable HIPAA penalties.
- Many email services that claim to be HIPAA compliant are actually not, unless used in a very narrow, unrealistic way. Data thieves rely on the false sense of security these services foster.
In 2018, Anthem, Inc., a nationwide health benefits company, paid $16 million[3] to the federal government after falling victim to the largest U.S. health data breach in history. The cyber criminals made off with the PHI of almost 79 million individuals, from names and social security numbers to medical ID numbers and employment information.
How did this happen? The “cyber-attackers had infiltrated their system through spear phishing emails” [which involves sending emails appearing to be from a trusted sender] and “at least one employee responded to the malicious email and opened the door to further attacks.”[4]
Here’s how to avoid falling victim to hacking and phishing attacks.
First, educate your team to never click on links or respond to emails that seem even vaguely suspicious or unsolicited.
And never send PHI through Gmail, Yahoo!, Outlook or similar services, as it’s very easy to unwittingly commit a HIPAA violation through these and other popular services.
Second, your email service has to fulfill five federal technical safeguards to actually be HIPAA-compliant. Here are the safeguards, and what they mean.
- Transmission security: Messages and attachments must be encrypted.
- Authentication: Verifies that the people seeking access to ePHI are who they say they are.
- Access control: Logins must be secure, and an auto-logoff implemented.
- Audit control: An audit trail of all messages must be available for at least six years.
- Integrity: All data must be backed up securely with redundancy.
Does your email fulfill all five? If it falls short of even one safeguard, you’re in violation of the law. Take the key step of adopting a fully HIPAA-compliant email immediately.
3. Conduct a risk analysis to see where else your practice is compromised.
Moving to a secure cloud-based EHR service and fully HIPAA-compliant email are guaranteed solutions against a huge number of electronic HIPAA violations.
However, there are more steps to take to be fully protected, and the process gets a little trickier here. As every practice functions differently, there is no one-size-fits-all solution for perfect compliance.
Everything from the angle of a computer monitor to human error (such as failing to log out of secure portals when away from the desk), unlocked doors, and data stored unwittingly on the hard drive of a fax machine can result in HIPAA violations. (Did you know that many fax machines indefinitely store copies of everything they receive and transmit? That makes a fax machine a major liability.)
Knowing every in and out of HIPAA law takes time and study. That’s why you should invest in a qualified professional to come to your practice and assess every aspect of how PHI is handled and stored there. He or she will offer solutions to correct practice activities putting PHI at risk.
Upfront costs for these services vary, but one thing is certain: achieving compliance now will cost you far less than a HIPAA settlement.
[1] https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
[2] https://www.hipaajournal.com/hard-drive-theft-sees-data-1-million-individuals-exposed-8859/
[3] https://www.hhs.gov/sites/default/files/anthem-ra-cap.pdf
[4] https://www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach-history.html