Recently, a small orthopedic practice in the US was penalized by HHS for flouting HIPAA rules and compromising on the security of patient data. The practice had failed to procure the services of a specialized provider to secure its network resulting in a serious breach. In yet another incident, a healthcare insurance company had to pay a hefty fine of $1.5 million and, at the same time, find itself listed in the “Wall of Shame” on the OCR website for its failure to carry out a comprehensive security evaluation. What these two instances highlight is that a lapse in HIPAA security compliance can invite severe punitive actions with wide ramifications. To avoid getting entangled in such hapless situations, your practice needs to be pro-active in preempting possible breaches. This blog underlines some of the important things that you need to carry out regularly to ensure you are not lagging in mandatory compliance requirements.
Perform regular security risk analysis:
Carry out thorough security audit of your practice and see to it that there are no major chinks in your armor. Check whether all the portable devices are encrypted and make sure that appropriate steps are taken to safe guard them against fire, floods, earth quake and so on. See to it that there is timely and accurate back up of data, and also ensure that computers are theft-proof by using appropriate firewalls and other security measures. Furthermore, make sure that your employees have minimum level of access to patient information and there is appropriate termination procedure when the employee quits the job.
Train employees:
Create a training regime that helps your employees to spot phishing scams, suspicious links in emails and other people with fraudulent intentions. They should also be instructed to avoid conducting business on public Wi-Fi, and minimize sharing of information on social networks.
Encrypt patient information:
Encrypt all the patient data that resides on computers and other portable devices. Whether it is EHRs, word documents, excel spreadsheets, or scanned images, make sure that it can only be accessed by individuals with appropriate administrative access.
Check employee data theft:
Employee data theft is one of the leading causes of HIPAA security violations in the industry. And the easiest way to make sure that none of the confidential data falls into wrong hands is by making sure that employees only get access to information that they need to perform their duties. Maintaining and monitoring an up-to-date data log can also be helpful with this regards.
Create a breach response plan:
Create a response plan to tackle any kind of data breaches. This should include a detailed explanation of everything starting from identification of individuals who will be part of the response team and the actions that they are supposed to take to address the breach. Additionally, you need to take necessary measures to prevent similar breaches from occurring in the future. Every plan has to be properly documented and every employee has to be trained to deal with major crises.
These actions may seem to be very rudimentary, but they can go a long way in avoiding HIPAA security breaches. Also, these steps will help you to win the trust and confidence of your patients. This is because they will see your practice as one of those rare healthcare organizations committed to safe-guard records and maintain confidentiality at all costs.