The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted to protect health insurance coverage for employees and their families, particularly when an employee is laid off or changes jobs. Its Privacy and Security Rules also govern how protected health information (PHI) must be safeguarded, and that is the part most security teams have to live with.
Suffice it to say, HIPAA compliance is an important facet of any organization that handles PHI. Here, we take a look at three missteps that are surprisingly common when dealing with compliance concerns, each of which leaves the door ajar for a leak or, worse, a data breach.
While risk assessment is an important skill for proactively identifying risks, risk assessment training alone isn’t enough.
Here are three important pointers for organizations to look into, courtesy of Healthcare InfoSecurity.
Tighten Your Scrutiny Aimed at Contractors
In a B2B environment, your vendors, third-party clients, contractors and business associates are all likely to hold your information in some form or another. You’ve invested in cybersecurity measures for your own organization, but how certain are you about how your business partners handle the data you share with them?
It’s important to note that roughly a fifth (a staggering 20%) of breaches reported to the US Department of Health and Human Services (HHS) involve a business associate.
It may alarm you further to learn that your organization can also be held responsible for the actions or inactions of your business associates, a steep price to pay for someone else’s mistake.
This year, a new year’s resolution ought to include the following stipulations while focusing on contractors and business associates:
- Always ensure that your contractors have documented policies and procedures. This is basic governance and will go a long way in providing a trail of evidence and disclosure in the case of a mishap.
- Make clear that they are responsible for securing your information, not merely for receiving it.
- Have them train their employees routinely in information security and privacy, and follow up with regular awareness reminders.
- Have a basic security framework in place to guide your associates before entrusting them with your information. Even the simplest measures help.
- Always ensure that they have a risk management procedure in place, and that a business associate agreement is signed before any PHI changes hands.
Proactively Reach Beyond a Risk Management To-Do List
Yes, start with the risk management checklist first. Identify the administrative, physical and technical risks that could result in a breach.
Once this is done, implement a risk management program that goes beyond ticking items off that list. This includes keeping an inventory of mobile computing devices with remote access to PHI; staying abreast of new IoT technology; ensuring that big data analytics don’t introduce avoidable security and privacy risks; and routine hygiene such as updating malware definitions and applying patches promptly.
Lapses of this kind saw Triple-S Management Corp pay a $3.5 million settlement for non-compliance. They also agreed to implement a corrective action plan in order to establish an effective HIPAA compliance program. Some of their shortcomings included:
- Failure to implement the appropriate administrative, technical and physical safeguards.
- Failure to conduct or manage an accurate and thorough risk analysis.
- The impermissible disclosure of PHI to an outside vendor with whom the company did not have a proper business associate agreement. (Paperwork is important, see?)
- Failure to implement the sufficient security measures required to reduce risks and vulnerabilities to the company’s PHI.
Always Have an Educated Workforce
In a constantly evolving technological world where new devices and technologies let healthcare workers easily collect and share sensitive data, the basic principles of information security and data privacy are paramount. They need to be taught to everyone working in the industry.
Case in point: in September 2015, Cancer Care Group agreed to pay a $750,000 settlement for HIPAA violations. The Group also agreed to adopt a “robust corrective action plan” to correct “deficiencies in its HIPAA compliance program.”
A stipulation that went along with the settlement was a mandate for Cancer Care Group to review and revise its employee training program. This is significant because the breach, an event that could have been avoided entirely, occurred when a laptop bag containing unencrypted backup media with the records of some 55,000 patients was stolen from an employee’s car. Had the media been encrypted to the HHS guidance, the theft would not have counted as a reportable breach at all.
Training needs to happen at least once a year, preferably twice, and as soon as an employee joins the organization. The HIPAA Security Rule also calls for periodic security reminders throughout the year, not just an annual session.
Education is fundamental to understanding why protocols and procedures exist. Whatever the size of your organization, it is important to invest your employees’ time in awareness communications and training.