Most common HIPAA mistakes healthcare organizations make
Having cutting-edge medical equipment is no longer enough to be a top-notch healthcare organization. Now that the internet plays a bigger role in virtually all industries, healthcare organizations need IT to store crucial patient data, as well. For instance, computer networks and the cloud are used to manage patient data instead of old-school logbooks and hard copies of documents.
Storing the patient database online makes it easier to access them in case the patient needs a new physician or a hospital transfer. But this new system can also put the patients’ confidential information at risk. Here are some of the most common Health Insurance Portability and Accountability Act (HIPAA) mistakes healthcare organizations make.
#1 Carelessness in using devices
Sensitive patient data that’s accessible via mobile devices is vulnerable to loss. Just look at what happened to Hartford Hospital when an employee brought a laptop home. Someone broke into the employee’s house and took the laptop, among other things, exposing 8,883 patient records and forcing the organization to pay a $90,000 fine.
This incident clearly shows that healthcare data theft isn’t so rare, especially now that cloud computing has become commonplace among healthcare institutions. With cloud computing, employees can access protected health information (PHI) from any device. The problems with this setup are: (1) personal devices are not as safe to use as company-issued ones because they are not configured to meet PHI cybersecurity requirements; and (2) home computers can be accessed by unauthorized people, such as family members or friends.
#2 Incorrect sharing of PHI
PHI exists to make it easier for healthcare personnel to access patients’ files. This is why emailing PHI does not in itself violate HIPAA, as long as you follow certain rules.
First, emails containing PHI must be encrypted, which requires expertise and hands-on management. You can, however, send unencrypted PHI with the involved patient’s informed consent. You must explain to him or her the risks and possible consequences of sharing their medical records this way.
Besides email, some organizations use SMS or other messaging apps to share PHI. This method is even more dangerous, as intercepting text messages is easier. As a healthcare organization, protecting your e-PHI should be an utmost priority. Sharing it with unauthorized people and risking its exposure to the public can result in loss of patients’ trust, damage to your organization’s image, and humongous fines.
#3 Not getting insured for data breaches
Data breaches can still happen despite your best efforts to be 100% HIPAA-compliant. This is why having insurance coverage for data breaches is not a bad idea. Besides, paying the premium for such a policy can save you millions of dollars over time.
#4 Letting your MSP do all the work
Compliance with HIPAA and other laws can be a burden for some businesses, which is why they hire a managed services provider (MSP) to help them. This is a wise move, but you shouldn’t let all aspects of HIPAA compliance fall on your MSP’s shoulders.
To avoid data breaches, employees handling PHI should be trained in HIPAA policies and protocols. They should know that posting patient photos on Instagram and other social networking sites (on purpose or by accident) is a violation, even if names are omitted. They should also communicate via secure channels and be provided with text encryption programs in case they need to share PHI with other authorized people.
HIPAA compliance is no easy task, as the data your organization possesses can literally cost a patient his or her life. Let a reliable MSP like Integrated Technology Solutions help you. With our fast response time, IT support, and trustworthy team, you can focus on your company’s goals while we take care of your compliance. Contact us now!