Healthcare organizations are investing in new service models such as telemedicine and advanced patient portals, and every one of these initiatives has to be secured. Health systems store and process many kinds of data, from images and email to medical records and payment information. With the help of data conversion services, this data, which is subject to HIPAA and other privacy mandates, is digitized, stored on multiple systems and accessed from multiple user devices in multiple places. Digital transformation is inevitable, and for healthcare services the security practices that protect this data are just as crucial as the transformation itself.
Being HIPAA compliant
HIPAA (the Health Insurance Portability and Accountability Act) is the regulation healthcare organizations must build into their operations to protect the privacy, security and integrity of protected health information. Although it is a stringent regulation, many have pointed out gaps in how it is enforced. What follows is a look at how HIPAA enforcement works today and how to prepare for it.
The Department of Health and Human Services' Office for Civil Rights (OCR) has made clear that its enforcement efforts will remain strong and will continue to target organizations that fail to meet the requirements. Troy Young, Advanced MD's Security Officer and Vice President of Engineering, told HealthITSecurity.com that research on OCR audits found a stark contrast between the number of complaints OCR receives and the number of organizations that actually get penalized. During the period 2013 to 2018, OCR conducted more than 200,000 audits and only 55 resulted in a resolution agreement. In roughly 26,000 cases OCR told the audited organization that changes were required, but imposed no penalty.
A recent OCR settlement was with Cottage Health for $3 million after the California-based provider suffered several breaches. Enforcement followed because the provider had failed to conduct an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality and integrity of its ePHI. By contrast, the OCR settlement with Pagosa Springs Medical Center for $111,000 stemmed from its failure to terminate a former employee's access to patient data and its failure to obtain a business associate agreement.
With these incidents and the rising number of breaches in the healthcare industry in mind, HIPAA has to be a serious consideration for every healthcare entity.
According to Young, because the agency is short-staffed, audits are generally conducted only in response to a security event. Here are five things that commonly trigger such events:
- Human error: This is one of the most common reasons an audit is triggered. Human errors include opening a phishing email, using a weak password, or an employee sending PHI to the wrong email address.
- Use of outdated software: Running unpatched or end-of-life software, especially outdated versions of Windows, leaves known vulnerabilities open to malware and ransomware.
- Wrongdoing by insiders: Misuse of data by employees, such as looking up records they have no business reason to access, is another trigger.
- Lost or stolen devices: A lost or stolen device is one of the most common and most frequently reported incidents. If such a device falls into the wrong hands and the data on it is not encrypted, the data can be misused. If an employee loses a device whose data is encrypted, the organization is in a far better position, provided the encryption key was not stored on the device alongside the data.
- Lack of staff training: This point follows from the previous one. When a laptop is lost and the data on it is not encrypted, that in itself shows that employees have not been trained properly. OCR can readily conclude that the organization has not given its staff adequate training, or find that it has no business associate agreements in place.
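The Pagosa Springs settlement above turned on an account that was never disabled after an employee left, and the insider-misuse trigger in the list above is hard to catch unless you know who should still have access. The routine control for both is a periodic reconciliation of the HR roster against the accounts in the EHR or identity system. The script below is an added example, not code from the article or from Advanced MD; the roster and account export it uses are constructed inline, and their field names are assumptions about what an HR and IAM export would contain.

```python
"""Access-termination review: reconcile an HR roster against application accounts.

Added example, not from the article. HR_ROSTER and ACCOUNTS are constructed
sample data; a real review would pull them from the HR system and the EHR or
IAM user store, and the field names used here are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: employee id -> (name, termination date or None if active)
HR_ROSTER = {
    "e1001": ("A. Nurse", None),
    "e1002": ("B. Clerk", date(2024, 3, 15)),
    "e1003": ("C. Doctor", None),
    "e1004": ("D. Intern", date(2024, 5, 1)),
}

# Constructed application account export. "bclerk" was terminated but is still
# enabled and logged in after the termination date; "svc_legacy" has no HR record.
ACCOUNTS = [
    {"user": "anurse", "emp_id": "e1001", "enabled": True, "last_login": date(2024, 5, 20)},
    {"user": "bclerk", "emp_id": "e1002", "enabled": True, "last_login": date(2024, 4, 2)},
    {"user": "cdoctor", "emp_id": "e1003", "enabled": True, "last_login": date(2024, 5, 21)},
    {"user": "dintern", "emp_id": "e1004", "enabled": False, "last_login": date(2024, 4, 30)},
    {"user": "svc_legacy", "emp_id": None, "enabled": True, "last_login": date(2023, 11, 1)},
]


@dataclass(frozen=True)
class Finding:
    user: str
    severity: str
    reason: str


def review_accounts(roster, accounts, today, stale_days=90):
    """Return findings for accounts that should not be enabled.

    - enabled account whose employee is terminated: high, or critical if it
      has been used after the termination date (evidence of actual access)
    - enabled account with no matching HR record (orphan or unowned service
      account): high
    - enabled account with no login for stale_days: medium
    """
    findings = []
    for acct in accounts:
        emp = roster.get(acct["emp_id"]) if acct["emp_id"] else None
        if emp is None:
            if acct["enabled"]:
                findings.append(Finding(acct["user"], "high",
                                        "enabled account with no matching HR record"))
            continue
        _name, term_date = emp
        last_login = acct["last_login"]
        if term_date is not None and acct["enabled"]:
            used_after = last_login is not None and last_login > term_date
            findings.append(Finding(
                acct["user"],
                "critical" if used_after else "high",
                f"still enabled after termination on {term_date.isoformat()}"
                + (" and used afterwards" if used_after else ""),
            ))
        elif acct["enabled"] and last_login is not None \
                and (today - last_login).days > stale_days:
            findings.append(Finding(acct["user"], "medium",
                                    f"no login in more than {stale_days} days"))
    return findings


if __name__ == "__main__":
    for f in review_accounts(HR_ROSTER, ACCOUNTS, date(2024, 5, 22)):
        print(f"{f.severity.upper():9} {f.user:12} {f.reason}")
```

Run on a schedule (or on every HR termination event), the output is the list of accounts that should be disabled today; the "critical" case, an account used after its owner's termination date, is also the one that needs an incident record, because it is exactly the access OCR faulted in the settlement above.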
How to Prepare for Your Audit
It is always best to avoid an audit, but it is important to be prepared for one. According to Young, the first step is to bring the key people in your organization together at least once a month to read through the seventh chapter of the Office of the National Coordinator's "Guide to Privacy and Security." That chapter covers the steps you should consider to ensure you are in compliance. The following are its key elements.
- Appoint a Security Officer: The organization needs one named person responsible for the security of healthcare data. Young found that consultants can fill this gap for providers that lack the funding for a full-time security officer. The security officer should be tasked with developing the practice's security policies and procedures and with ensuring they comply with HIPAA, including the privacy and safety of documents. The officer must also train all employees, from clinicians to house staff, so that everyone knows the hospital's policies and processes and what HIPAA requires of them.
- Security Risk Analysis: A risk analysis is required, and if you do not have one in place OCR will penalize the organization for it.
- Business Associate Agreements: A business associate agreement is required whenever a vendor handles health information on your behalf. It sets out the vendor's obligations to safeguard that information and gives you a basis for holding them to it.
- Risk Management Plan: In this plan the organization identifies its problem areas and lays out precisely how it will rectify them. The plan is not a one-time exercise: the analysis and the management plan must be revisited at least yearly to find out whether new risks have emerged and to update the plan to address them.
- Routine HIPAA Training: This is one of the most important steps. Training helps staff handle routine obligations correctly, such as patients' requests to access their own records, and it heads off the kinds of mistakes that trigger an audit.
Advanced security technologies benefit the whole organization, and if you are deploying new systems it is important to understand them thoroughly in order to avoid unnecessary risk. Healthcare organizations earn the trust of patients, employees and partners by implementing compliant strategies and technologies that meet HIPAA's challenges while managing both paper records and digital documents. Take the time to understand the core security properties of the technologies you rely on, such as cloud services, virtualization, big data platforms, storage and encryption. When engaging external agencies such as professional data conversion companies, verify that they have robust security measures in place, and put a business associate agreement in place before they touch any PHI. If a healthcare organization lacks the capacity to run its own security program, it can engage a third-party vendor. Work with them to ensure good data hygiene, educate your staff on the importance of data security, and involve the entire organization in protecting it.