Here are a few things you can do to avoid a data breach:
- Encrypt data at rest (on pc’s, usb drives, servers, etc.) If an encrypted device is lost or stolen you do not have to report it as a data breach. Simply password protecting is not enough and the average password on a pc can be broken in less than 5 minutes.
- Do a Risk Assessment. Find all of your protected data and secure it. Look hard at your network to make sure it is secure. Hire a professional who understands networks and IT security. HIPAA audits have shown a missing or inadequate Risk Assessment to be the most common audit failure.
- Do not allow your employees to transport unencrypted patient data on portable or mobile devices, forward it to personal e-mail accounts, or store it in free file sharing online services like DropBox.
- Ensure that you upgrade all Windows XP systems to Windows 7 and above. Microsoft has retired the operating system and is no longer providing support or updates.
- Ensure that ALL your business associates (those with access to PHI) have signed agreements in place. This includes IT personnel, shredding companies, lawyers, and other medical facilities.
- Don’t think that it can’t happen to you, to date the OIG and HHS have collected record sums for HIPAA and Fraud violations.
- Train your employees on the importance of compliance and its effects on your company as a whole.
Over the past year we’ve spoken to many in the medical profession regarding compliance and it’s alarming how many have failed our partial audit because they thought they were compliant.
Here are just 5 questions out of a possible 130+ for covered entities (facilities and individuals who provide services and bill health insurance companies):
- Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Inquire of management as to whether formal or informal policy and procedures exist covering the specific features of the HIPAA Security Rule information systems §164.306(a) and (b).
- Inquire of management as to whether formal or informal policy and procedures exist to review information system activities; such as audit logs, access reports, and security incident tracking reports.
- Inquire of management as to whether the organization has assigned responsibility for the HIPAA security to a Security Official to oversee the development, implementation, monitoring, and communication of security policies and procedures.
- Inquire of management as to whether there are separate procedures for terminating access to ePHI when the employment of a workforce member ends, i.e., voluntary termination (retirement, promotion, transfer, change of employment) vs. involuntary termination (termination for cause, reduction in force, involuntary transfer).
These requirements go way beyond a simple password in preventing HIPAA data breaches but in the case of compliance, an ounce of prevention really is worth a pound of cure.