Three HIPAA Compliance Actions You Should Take Right Now

Kelsey CreehanFeatured News

By Robert McDermott
From the Spring 2019 Journal of the Colorado Dental Association

Most providers know HIPAA places certain standards on practices to keep patient data safe, and failure to comply with these safeguards results in corrective actions and large fines. Just one compromised medical record can cost a practice $50,000.[1] There are three direct steps you can take now to reduce the risk your practice will be fined and publicized as a HIPAA violator.

HIPAA 101
First, a quick review: HIPAA (or the Health Insurance Portability and Accountability Act of 1996) was designed to safeguard the Protected Health Information (PHI) of patients. The continued goal is to keep patients’ PHI absolutely private, safe from data thieves and data loss.

HIPAA requires providers to ensure the secure storage and transmission of patient information in order to promote the best care and privacy possible.

The HIPAA Conundrum
Many providers focused on running their practices have not had the opportunity to sort through HIPAA regulations with the fine-toothed attention required to achieve compliance. They also have long-held workflows reliant on non-compliant technology and record systems. The perceived cost, both financially and functionally, of achieving HIPAA compliance can seem daunting, so there are many practices who take the heavy risk of continuing business as usual.

Actions You Should Take Now
There are a few immediate actions you can take now to move toward HIPAA compliance with minimal upfront cost or interruption in workflow.

  1. Move your data to the cloud
    If you rely on an onsite server to store your patient data—or if someone from your team is carrying a backup hard drive to and from the office every day—moving your data to the cloud is one of the most immediate ways to save money, time and worry. 

When your data is in the cloud, it’s stored at multiple high-security data centers. Because it’s backed up at more than one center, no single disaster (such as a fire or flood) can wipe out your patient data. More importantly, you won’t need a backup hard drive that may end up in the hands of data thieves.

Consider what happened at Washington State University in 2017. According to the HIPAA Journal[2], a hard drive containing the identifiable information of more than one million research participants, including social security numbers, was stolen despite being locked in a safe (also stolen). The estimated cost of the breach was $245 for each exposed record. That’s one expensive hard drive.

Not only does storage in the cloud protect your data, it can improve the efficiency of your practice. When you move to a cloud-based Electronic Health Record (EHR) system, you’re not bound by the size or space constraints of having a server tower live at your practice. You can even access patient data from other locations via your laptop or smartphone.

Using the cloud to store and back up your data is actually very cost efficient as well, often far less expensive than traditional backup systems.

  1. Stop sharing PHI via Gmail, Yahoo! or Outlook
    A huge portion of HIPAA violations, resulting in the largest fines, stem from attacks on non-secure emails containing PHI. These hacking and phishing attacks on emails are so frequent and successful because:
  • data thieves can execute them remotely, so they’re harder to track down.
  • when undiscovered, hacking/phishing can go on in perpetuity, continually mining PHI and increasing the inevitable HIPAA penalties.
  • many email services that claim to be HIPAA compliant are not actually compliant unless used in a very narrow, unrealistic way. Data thieves rely on this false sense of security.

In 2018, Anthem, Inc., a nationwide health benefits company, paid $16M[3] to the federal government after falling victim to the largest U.S. health data breach in history. The cyber criminals made off with the PHI of almost 79 million individuals, from names and social security numbers to medical ID numbers and employment information.

How did this happen? The “cyber-attackers had infiltrated their system through spear phishing emails” and “at least one employee responded to the malicious email and opened the door to further attacks.”[4]

First, educate your team to never click on links or respond to emails that seem even vaguely suspicious or unsolicited. And, never, ever, send PHI through Gmail, Yahoo! or Outlook, etc. as it is very easy to unwittingly commit a HIPAA violation through these and other popular services.

Second, your email service has to fulfill five federal technical safeguards to actually be HIPAA-compliant:

  • Transmission security: messages and attachments must be encrypted
  • Authentication: verifies that the people seeking access to ePHI are who they say they are
  • Access control: logins must be secure, and an auto-logoff implemented
  • Audit control: an audit trail of all messages must be available for at least six years
  • Integrity: all data must be backed up securely with redundancy

Does your email fulfill all five? If it falls short of even one safeguard—that’s a violation of the law. Take the key step of adopting a fully HIPAA-compliant email right away.

  1. Conduct a Risk Analysis to See Where Else Your Practice is Compromised
    Moving to a secure cloud-based EHR service and fully HIPAA-compliant email are guaranteed solutions against a huge number of electronic HIPAA violations.

However, there are more steps to take to be fully protected, and the process gets a little trickier here. As every practice functions differently, there is no one-size-fits-all solution for perfect compliance on every level (including human error). Everything from the angle of a computer monitor, failure to log out of secure portals when away the from desk, unlocked doors and data stored unwittingly on the hard drive within a fax machine can result in possible HIPAA violations. Did you know that many fax machines indefinitely store copies of everything they receive/transmit? That makes a fax machine a major liability.

Knowing every in and out of HIPAA law takes time and study. Upfront costs may apply to achieve this, but one thing is certain: achieving compliance now will cost you far less than a HIPAA settlement.

 

Robert McDermott is the president and CEO of iCoreConnect. Contact them at 888-810-7706, or visit iCoreConnect.com or HHS.gov. iCoreExchange is endorsed by the Colorado Dental Association and meets or exceeds the government’s five technical safeguard laws for HIPAA compliance.

[1] https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/

[2] https://www.hipaajournal.com/hard-drive-theft-sees-data-1-million-individuals-exposed-8859/

[3] https://www.hhs.gov/sites/default/files/anthem-ra-cap.pdf

[4] https://www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach-history.html