A number of healthcare professionals and businesses are susceptible to violating the Health Insurance Portability and Accountability Act (HIPAA) due to outright security failures and compliance oversights. Frequently, the same technology that makes it easier to obtain and share patient data can become a HIPAA security and compliance threat when not effectively used.
Healthcare providers could fall out of HIPAA compliance by not regulating the use of technology in their business. Unfortunately, many potential compliance failures are subject to exploitation by malicious criminals, including:
• Workers using their personal devices at home and work.
• Stakeholders not understanding how HIPAA applies to their business.
• A lack of ongoing training for staff.
• New technologies being improperly implemented.
While every threat is unique, they can each lead to HIPAA violations. Businesses have the option of working with professionals in different capacities — from consultants to all-encompassing managed service providers — to help stay HIPAA compliant.
What Is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act. The law is organized under several sections, called “Titles.” The goals of HIPAA include:
• Protecting and handling protected health information (PHI)
• Facilitating the transfer of healthcare records to provide continued health coverage
• Reducing fraud within the healthcare system
• Creating standardized information on electronic billing and healthcare information
Staying compliant with HIPAA is an ongoing process for many healthcare professionals and companies.
What Is HIPAA Compliance?
Simply put, an entity is HIPAA compliant only when it has implemented the required controls and protections for all protected health information (PHI) it creates, receives, maintains or transmits. To make this a reality, a healthcare company must review the entirety of HIPAA (the Privacy Rule, the Security Rule, the Omnibus Rule and so on) and make provisions to follow the regulations within its business. There are no shortcuts, and there are many potential pitfalls.
HIPAA And Health Information Technology
With the advent of electronic health records (EHR), every healthcare company must pay attention to the intersection of health information and security. The HIPAA Security Rule sets out the administrative, physical and technical safeguards, together with the organizational requirements, that a covered entity or business associate must have in place for electronic PHI (ePHI).
Pro Tip: Just because you subscribe to a cloud-based EHR does not mean that you are HIPAA compliant. While the EHR itself might be compliant, many layers need to be looked at within your organization outside of the EHR.
Three technical safeguards from the HIPAA Security Rule (45 CFR 164.312) bear directly on technology:
• Automatic logoff: any system that stores or displays ePHI should end a session after a set period of inactivity, so that an unattended screen cannot be used by someone without credentials. This is an "addressable" specification, and the rule sets no fixed number of minutes, so the interval you choose must be documented in your risk analysis.
• Unique user identification: every person with access to ePHI must have their own login, so that the audit trail (itself a required safeguard) can attribute each access to an individual. Shared or generic accounts defeat this control.
• Encryption: ePHI should be encrypted at rest and in transit. These are also addressable specifications, and the loss of a device holding unencrypted ePHI is presumed to be a reportable breach.
"Addressable" does not mean optional: the entity must implement the safeguard if it is reasonable and appropriate, or document why it is not and put an equivalent alternative measure in place.
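The three controls above, as an added example that is not code from the original article: a hypothetical in-memory ePHI store in Go that enforces automatic logoff after an idle interval, refuses sessions for unregistered or shared account names, writes an audit event for every login attempt and every record access, and keeps records only as AES-GCM ciphertext. The type and function names, the 15-minute interval, the user `dr.jones`, the record ID and the record text are all constructed for the example; the time is passed in as a parameter so the logoff path can be exercised without waiting. Key management is out of scope here (the key is generated on the spot) and would use an HSM or KMS in practice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// AuditEvent is one access-log entry: who did what, to which record, and when.
type AuditEvent struct{ UserID, Action, RecordID string; At time.Time }

type session struct{ userID string; lastActivity time.Time }

// PHIStore is a hypothetical in-memory ePHI store that enforces the three controls.
type PHIStore struct {
	idleTimeout time.Duration
	aead        cipher.AEAD
	users       map[string]bool     // registered individual user IDs (no shared accounts)
	sessions    map[string]*session // session token -> session state
	records     map[string][]byte   // record ID -> nonce || AES-GCM ciphertext
	Audit       []AuditEvent
}

// NewPHIStore takes a 16/24/32-byte AES key; in practice the key lives in a KMS or HSM.
func NewPHIStore(key []byte, idleTimeout time.Duration, users []string) (*PHIStore, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	s := &PHIStore{idleTimeout: idleTimeout, aead: aead, users: map[string]bool{},
		sessions: map[string]*session{}, records: map[string][]byte{}}
	for _, u := range users {
		s.users[u] = true
	}
	return s, nil
}

func (s *PHIStore) log(user, action, record string, at time.Time) {
	s.Audit = append(s.Audit, AuditEvent{user, action, record, at})
}

// Login issues a session only to a registered individual (unique user identification).
func (s *PHIStore) Login(userID string, now time.Time) (string, error) {
	if !s.users[userID] {
		s.log(userID, "login-denied", "", now)
		return "", errors.New("unknown user id: shared or unregistered accounts get no session")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil { return "", err }
	token := hex.EncodeToString(raw)
	s.sessions[token] = &session{userID: userID, lastActivity: now}
	s.log(userID, "login", "", now)
	return token, nil
}

// authorize maps a token to its user and enforces automatic logoff after idleTimeout.
func (s *PHIStore) authorize(token string, now time.Time) (string, error) {
	sess, ok := s.sessions[token]
	if !ok { return "", errors.New("no active session") }
	if now.Sub(sess.lastActivity) > s.idleTimeout {
		delete(s.sessions, token) // session is destroyed; a fresh login is required
		s.log(sess.userID, "auto-logoff", "", now)
		return "", errors.New("session ended by automatic logoff")
	}
	sess.lastActivity = now
	return sess.userID, nil
}

// WriteRecord stores PHI only as ciphertext: fresh nonce per write, record ID as associated data.
func (s *PHIStore) WriteRecord(token, recordID string, plaintext []byte, now time.Time) error {
	user, err := s.authorize(token, now)
	if err != nil { return err }
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return err }
	s.records[recordID] = s.aead.Seal(nonce, nonce, plaintext, []byte(recordID))
	s.log(user, "write", recordID, now)
	return nil
}

// ReadRecord decrypts for an authenticated, non-idle session and logs the access.
func (s *PHIStore) ReadRecord(token, recordID string, now time.Time) ([]byte, error) {
	user, err := s.authorize(token, now)
	if err != nil { return nil, err }
	ct, ok := s.records[recordID]
	if !ok { return nil, errors.New("no such record") }
	ns := s.aead.NonceSize()
	pt, err := s.aead.Open(nil, ct[:ns], ct[ns:], []byte(recordID))
	if err != nil { return nil, err }
	s.log(user, "read", recordID, now)
	return pt, nil
}

// StoredBytes exposes the stored form so a check can confirm it is not plaintext.
func (s *PHIStore) StoredBytes(recordID string) []byte { return s.records[recordID] }

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed example key, generated on the spot
	store, _ := NewPHIStore(key, 15*time.Minute, []string{"dr.jones"})
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	tok, _ := store.Login("dr.jones", t0)
	_ = store.WriteRecord(tok, "mrn-0001", []byte("constructed sample: patient note"), t0)
	_, err := store.ReadRecord(tok, "mrn-0001", t0.Add(20*time.Minute)) // 20 idle minutes
	fmt.Println("read after idle timeout:", err, "| audit events:", len(store.Audit))
}
```

Two design points worth noting. The idle check runs on every access and destroys the session rather than just refusing the request, so a stale token cannot be revived by a later request inside the window. Binding the record ID as GCM associated data means a ciphertext copied from one record slot to another fails to decrypt, which is a cheap defence against a storage-level swap.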
New technology must be checked against these provisions before it touches PHI, but the haste with which businesses roll out new tools often skips the check. It is crucial to examine whether a new system could be used to gain access to PHI, or whether it stores PHI somewhere outside the controls listed above. If a healthcare practice or business that holds PHI cannot perform such an evaluation itself, it is worth engaging an MSP or consultant to do it.
Associated Security Risks With New Technology
Unique threats emerge every time new technology is introduced into a healthcare environment, and this is often where businesses unwittingly create a vulnerability for their patients. Using technology or software before it has been examined for its security risks can lead to HIPAA violations by giving attackers access to an otherwise secure system.
Going back to our earlier examples, organizations that let staff work from home or run a bring your own device (BYOD) policy take on a distinct risk in healthcare. Any time personal devices are used to gather data from patients or to interface with the provider's EHR, they become part of the system that handles PHI, and therefore part of its attack surface.
Medical professionals or patients who use personal devices at home and then on the secure network of a healthcare setting can cause security breaches. Many healthcare providers have become comfortable using their personal devices in the professional environment: they make calls, send documents and exchange information on their smartphones. Once they leave the secure network of their building, that information can be leaked or intercepted when the worker connects through an insecure Wi-Fi network, and a lost or stolen phone holding unencrypted PHI is itself a reportable incident.
These are not hypothetical situations either. HIPAA violations happen every day in this manner across the healthcare system.