Mitigating Cyber Risk — Complying with HIPAA Rules
A data breach is the loss or unauthorized disclosure of personal information that can uniquely identify an individual associated with your practice. The individual can be a patient, employee, business partner, or vendor, and the information disclosed can create financial or reputational harm to the individual. A data breach can occur in any number of ways, including the theft of unencrypted electronic devices or physical records, the public distribution of personal records, or a cyberattack.
The repercussions of data breaches can be daunting. A business that suffers a breach of unencrypted PHI or a ransomware attack must report the breach to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). This is the federal body with the power to enforce the Health Insurance Portability and Accountability Act (HIPAA) and issue fines.
A healthcare organization’s brand and reputation are also at stake. The OCR routinely investigates providers who suffer breaches affecting more than 500 individuals, and it maintains a searchable database (informally known as the “Wall of Shame”) that publicly lists all entities fined for breaches of this size.
Steps toward HIPAA compliance include:
- Identification of all areas of potential vulnerability, including:
  - Physical access to PHI, electronic health records (EHR), and paper records.
  - Desktop and network security.
  - Mobile devices.
  - Vendor access to your network—from your janitorial service to your cloud storage provider.
- Development and thorough documentation of office processes, such as:
  - Patient sign-in sheets that ask for only minimal information.
  - Physical placement of computers running EHR so they can’t be viewed by other patients, vendors, or other unauthorized individuals.
  - Mandating that employees lock their computers whenever they leave, even for a short period.
  - Procedures for the handling and destruction of paper records.
  - Management and storage of patient photographs if they are part of the patient record. Note that The Joint Commission strongly advises obtaining an informed consent to photograph.
  - Policies detailing which devices are allowed to contain PHI and under what circumstances those devices may leave the office.
- Encryption of all devices that contain PHI (laptops, desktops, thumb drives, and centralized storage devices). Make sure thumb drives are encrypted and the encryption code is not inscribed on, or included with, the thumb drive.
- Training your staff on how to protect PHI. This includes not only making sure policies and procedures are HIPAA-compliant, but also instructing staff not to openly discuss patient PHI.
- Auditing and testing your physical and electronic security policies and procedures regularly, including what steps to take in case of a breach. The OCR audits entities that have had a breach, as well as those that have not. The OCR will check if you have procedures in place in case of a breach. Taking the proper steps in the event of a breach may help you avoid a fine.
A thief impersonating a construction worker stole a laptop after gaining access to a physician’s office during a hospital expansion. The laptop was unencrypted and contained pediatric patients’ names, treatment information, and diagnoses as part of a research study. An OCR investigation lasted four years before it was dismissed.
A hospital lost unencrypted backup tapes during a remodeling project in its IT department. The tapes contained the information of 1.6 million pediatric patients, including names, Social Security numbers, dates of birth, diagnosis codes, and health insurance information. The tapes also included the information of 200,000 employees, physicians, and vendors. After more than 3 years, the OCR dismissed its investigation.
The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.