As more confidential information is becoming digital and accessible, data breaches become more common and more threatening. In order to help protect against protected health information fraud and abuse, HIPAA policies were created to require a baseline of security integrity.
HIPAA’s security rules are enforced through regulatory audits that help identify holes in an organization’s security. These violations can lead to severe consequences with fines up to $1.5 million per violation and potential criminal charges to the negligent facilities, managers and employees. In addition to the punishments, the organization may have to announce the breach to the media.
Organizations can learn from Anthem Inc’s 2015 HIPAA violation settlement of $16 million after audits learned 78.8 million people had their information stolen by cybercriminals. Anthem Inc. is America’s second largest health insurer and yet cybercriminals found their way into the organization’s network through successful email phishing attempts.
No organization wants to face a HIPAA violation. So, it’s best to avoid the common data compliance mistakes. Here are some common data compliance mistakes that could cost your healthcare organization in HIPAA violations.
1. Irregular Access Analysis of the Organization
Some common HIPAA compliance violations could be avoided if an organization performed regular risk analysis of their protected health information (PHI). Organizations that rely solely on their HIPAA compliance audits to find their security vulnerabilities are putting themselves at greater risk of a violation, because regulators can’t analyze and find a potential HIPAA violation until the breach has link already occurred. There are three ways regulators find HIPAA violations:
- Investigating a data breach
- Investigating a complaint about a potential data breach
- HIPAA compliance audits
Two out of the three are violations found after a threat or breach has occurred. Audits are irregular and can happen with great lengths of time between them.
Organizations that are proactive and use user activity monitoring tools like ActivTrak’s Healthcare Bundle are more likely to find a potential HIPAA violation before the breach can occur. ActivTrak’s Healthcare Bundle comes with activity logging and alerts that can tell security administrators who is accessing PHI. Any unusual activities are then logged and reported for administrators to investigate.
2. Allowing Access to Data to Remain Open
Leaving portal access open after an employee’s role is changed or after they leave the company can be disastrous. When an employee stops being involved with a patient’s treatment, they should no longer have open access to that information. Employees who leave the company could access the data and take nefarious actions against the organization.
HIPAA security rules always require all PHI to be secured and any access to information should be used for the purpose of treatment, payment for healthcare, or other permitted operations. Access to PHI should be monitored and recorded to ensure PHI is being used appropriately, by the permitted staff.
3. Emailing ePHI Using Personal Email Accounts
Someone sending PHI to their personal email may have the best intentions in mind like working extra hours at home. However, removing PHI from its secure environment and into someone’s personal email puts that information at risk of exposure. Despite their right intentions, sending PHI to a personal email address is a violation and may be considered theft by regulators.
ActivTrak’s Healthcare Bundle offers screenshot flagging features allow administrators to review an employee’s treatment of PHI. Protected information is automatically blurred for privacy purposes and logs are safely kept for security review.
4. Accessing PHI on Unauthorized Devices
It’s becoming increasingly common for healthcare organizations to offer network access to personal phones and tablets. It’s part of living in a connected world and it introduces new challenges for healthcare IT departments to monitor all connected devices. Some healthcare organizations will provide devices for PHI access, as they are able to better monitor and manage security.
Employees should be informed on which devices are allowed to have access to PHI and the risks that come from accessing PHI on unauthorized devices. For example, someone’s personal tablet or phone could be stolen or used by someone other than the employee, making the PHI vulnerable.
5. Failure to enter a Business Associate Agreement with all Vendors
It’s rare for modern healthcare organizations to carry out all of their health care activities by themselves. Most organizations will work with a network of service providers and vendors for their devices, communications, billing and legal services. This makes it crucial to understand that HIPAA privacy rules only apply to covered entities – health plans, healthcare clearinghouses, and certain health care providers.
Entities outside of the organization must enter a Business Associate Agreement. This ensures that the business is following secure HIPAA practices and can be held accountable for the appropriate safeguard of PHI on behalf of the organization.
Following the HIPAA security rules and being proactive with your organization’s cybersecurity can help your organization stay ahead of potential security hacks and prevent violations. These common data compliance mistakes show that the smallest incidents of negligence can lead to bigger problems for the organization. Keeping your administrators on the heartbeat of who has access to what PHI can make the difference.
Regularly analyzing your organization’s HIPAA violation risk helps you stay ahead of potential threats and effectively block data breaches. ActivTrak’s Healthcare Bundle of user activity monitoring tools help keep a watchful eye over your employee’s activity with sensitive data and maintains record of any suspicious activities. Clients who are subject to HIPAA and want to utilize ActivTrak’s User Activity Monitoring software can request a Business Associate Agreement with ActivTrak. Ask about ActivTrak’s Healthcare Bundle and boost data security and HIPAA compliance in minutes.