Every physician's office must adhere to HIPAA regulations. It is highly costly to not comply with HIPAA as fines range from $100 to over $4 million for violations. HIPAA compliance, however, isn't that straightforward. To avoid accidentally accruing millions in penalties, you should always stay up-to-date on the latest regulations. A violation of HIPAA occurs when patient health information is acquired, accessed, used, or disclosed in a way that poses a significant risk to the patient.
HIPAA Violations Most Commonly Committed:
1) Insufficient encryption
You need to ensure that your PHI is encrypted to prevent it from falling into the wrong hands. In addition to all the other best practices, this adds another layer of security - even in a breach, hackers would be unable to access the data without the private key. Using encrypted messaging applications is also recommended for hospital staff.
2) Getting hacked or scammed
Hacking is not something that anyone expects to happen. Even though you hear of security breaches & hacking incidents on TV, you don't think anyone would personally attack you. But hackers are genuine threats. HIPAA violations were linked to over 25 hacking incidents in 2018, and each incident was ransomware-related.
3) Access by Unauthorized Personnel
It is a widespread HIPAA violation to find employees accessing information they're not authorized to see. The information is still a violation, even if they're accessing it to satisfy a curiosity. They could be subject to a fine as well as a data breach. In the worst-case scenario, you may find your employees selling PHI for their gain.
4) Devices lost or stolen
Lost company devices are a leading cause of HIPAA violations. Lifespan released a news release in 2017 mentioning that a theft had occurred in an employee vehicle. Over 20,000 patients' private information wasn't encrypted, and the device wasn't password-protected. While it is impossible to be 100% certain your devices will not be stolen, encryption to secure the data can help avoid information leaks. In addition, it won't be possible for thieves to steal the device unless the PHI is encrypted.
5) Sharing Information
A need-to-know basis should be established for any confidential information, including PHI. The sharing of cases with colleagues may appear harmless, resulting in information leaks or lawsuits. Using social engineering methods to hack a system is standard practice. In other words, hackers may try to trick employees rather than directly hack into computers.
6) Accessing sensitive information from an unsecured location
Most clinicians access protected health information on their personal computers after hours. Despite appearing harmless at first glance, this can have catastrophic consequences. If their family member sees a document containing confidential patient information left open on the clinician's computer. Malware is accidentally downloaded onto the computer by a family member, and a hacker then steals PHI from the computer. These are a couple of ways sensitive information can be obtained.
Conclusion
As employees, it is their moral responsibility to ensure that coworkers who may not have the same access rights to health information are not given access to this information. In addition, login credentials shared by employees could result in an impermissible disclosure of ePHI and any actions taken by those employees attributable to the individuals whose login credentials were used.
We can help!
Are you looking for ongoing advisory services to assist in identifying vulnerabilities and security policies that should be in place and help improve your security posture? The team at Inception Security™ has been leveraged to enhance the security posture of fortune 100 companies, small and medium-sized businesses. Our team has a depth of knowledge in the cybersecurity industry and will be able to provide value to your business right away.
Contact Inception Security if your company is looking for advisory services.