HIPAA compliance continues to be a real challenge for small and mid-sized businesses.
HIPAA is an acronym for the Health Insurance Portability and Accountability Act, which has specific rules and regulations around a patient’s health information.
Larger healthcare organizations – hospitals and insurance companies – have in-house information technology teams, but smaller businesses don’t have the same depth of IT help on hand. Yet, they must abide by the same rules.
Risking a HIPAA violation can be costly. Fines reach up to $50,000 US dollars per occurrence.
Common violations include:
Keeping records unsecured. WellPoint didn’t secure an online health database and paid $1.7 million.
Not encrypting data. The Massachusetts Eye and Ear Infirmary failed to encrypt physicians’ laptops, which led to a $1.5 million fine.
Loss or theft of devices containing personal health information (PHI). A pediatric practice in Massachusetts lost a flash drive and settled for a $150,000 fine.
Failing to train employees in HIPAA compliance. A Walgreens in Indiana breached a single patient’s privacy and paid her $1.44 million.
Records were improperly disposed of. Affinity Health Plan paid $1.2 million after failing to erase the photocopier drives before returning them to the leasing company.
They were releasing information without authorization. Phoenix Cardiac Surgery posted a patient’s appointment on an online calendar and paid $100,000.
Disclosing PHI to third parties who do not have access rights. A medical practice in Phoenix sent patient data over insecure email and was fined $100,000.
Tips for HIPAA Compliance
Be aware of HIPAA requirements. Smaller businesses can have a tougher time remaining up to date on technology and guidelines, but that doesn’t make them any less accountable for understanding HIPAA compliance. It’s important to do the research and get educated or partner with an IT provider with the expertise to prevent possible violations.
Embrace encryption. Encryption and firewalls are necessary if your business deals with confidential information. They prevent outside traffic from accessing your systems and ensure data can’t be read if there is unauthorized access. If encryption is used, the HIPAA penalties are reduced if there is a breach or a lost or stolen device.
Protect all your endpoints. Mobile devices that have access to patient data need to be secured. With mobile device management, you can lock down and wipe lost or stolen devices.
Err on the side of caution. Employees gossiping over coffee in a dentist’s office could share patient information, or someone might be sending an email with unencrypted data or a health announcement with recipient names visible. All these are HIPAA violations. Humans will make mistakes, yes, but it’s less likely if you educate about regulations and the importance of being careful.
Get a HIPAA Check-Up
HIPAA has existed since 1996. In 2005, regulators became more severe about electronic versions of PHI. Yet, some businesses still have only a vague idea of what it means to be compliant.
Heavy hitters in healthcare already take HIPAA seriously. You should, too. So, you haven’t been audited yet, but that doesn’t mean you won’t be. A $50,000 HIPAA fine could make your business stay afloat another year.
HIPAA compliance and set policies and procedures are critical for many organizations. Put in place security awareness training. Start using encryption and assess for risks. Be proactive with your IT management. By working with IT experts, you can stay compliant with HIPAA. A managed services provider can assess risk, identify improvement areas, and propose new tech.
Call us at (786) 233-2002 to get your IT and access management policies healthy.
Comments