What Providers Need to Know to Protect Their Practice Against a HIPAA Breach
Written by Joshua Kleinstreuer
Category: HIPAA Compliance
IN A NUTSHELL:
- All personal health information stored on portable devices must be encrypted
- Hackers target both small and large offices
- Staff needs to be diligent when sending out emails
The U.S. Department of Health and Human Services (HHS) posted a list of cases currently under investigation due to a HIPAA breach that affected at least 500 patients. This list details the types of breaches that occurred and gives a general description of how the unsecured protected health information was obtained.
The HIPAA Privacy Rule sets forth when and how a patient's individually identifiable health information may be used and disclosed, and when it may not. Patients have a privacy right to have their protected health information safeguarded from being accessed, used, or disclosed by people who are not permitted to view it.
Below is a list of some of the common types of breaches and what to do to protect your practice against a HIPAA breach.
Hacking and IT incidents occur when someone from outside of your business breaches your computer network or system and, having done so, gains unauthorized access to the data on it.
Hackers target both small and large offices. Oftentimes the smaller offices are the easier targets. The following are some of the ways, among others, in which hackers target businesses.
Hackers have used "phishing" emails to obtain unauthorized access to health care facilities. These emails can be tricky to recognize as a threat, because hackers can format them to look as though they came from someone you do business with.
It is important to train everyone who has access to your email system never to disclose their password to anyone who isn't authorized. Employees should forward any request for credentials or sensitive information to someone responsible for confirming its validity, using a method other than email (for example, a phone call to a known number).
Staff needs to be diligent when sending out emails: sending an email or attachment to the wrong email address can result in an unauthorized disclosure of patient information.
Perform a risk assessment on your network to confirm it is secure for HIPAA compliance. Your router needs to have a strong firewall in place and be password protected.
If your medical office is using Wi-Fi, make sure your office is set up so that your employees use a different Wi-Fi network than you provide for your patients and other guests.
Keep your physical server room locked at all times and limit the number of people allowed access to it.
Desktop computers can be accessed by anyone if they are left unattended without a password-protected lock screen. Make sure desktop computers are locked whenever personnel need to leave the area or room while patients are present. This includes desktops at the front desk, nurse's station, and examination rooms.
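As an added example (not part of the original article), the following PowerShell script enforces the lock-screen practice described above on a Windows workstation: it turns on the screen saver, requires a password on resume, and sets an inactivity timeout so a desktop that is walked away from locks itself. The registry values under HKCU:\Control Panel\Desktop are standard Windows settings; the 300-second timeout and the function names are assumptions chosen for illustration, and a practice would normally push the same settings through Group Policy rather than per user.

```powershell
# Enforce an automatic, password-protected lock screen on the current user's desktop.
# Added example; settings are standard Windows screen-saver values, the timeout is an assumed policy choice.

$DesktopKey = 'HKCU:\Control Panel\Desktop'
$TimeoutSeconds = 300   # assumed: 5 minutes of inactivity before the screen locks

function Set-AutoLock {
    param([int]$Seconds = $TimeoutSeconds)

    # ScreenSaveActive=1 turns the screen saver on; ScreenSaverIsSecure=1 requires
    # the password on resume; ScreenSaveTimeOut is the idle time in seconds.
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaverIsSecure' -Value '1'
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveTimeOut'   -Value "$Seconds"
}

function Test-AutoLock {
    # Returns $true only when all three settings match the intended policy,
    # so the same script can be used to audit workstations that drift.
    $p = Get-ItemProperty -Path $DesktopKey
    return ($p.ScreenSaveActive -eq '1') -and
           ($p.ScreenSaverIsSecure -eq '1') -and
           ([int]$p.ScreenSaveTimeOut -le $TimeoutSeconds)
}

Set-AutoLock
if (Test-AutoLock) {
    Write-Output "Auto-lock is enforced (timeout $TimeoutSeconds s, password required)."
} else {
    Write-Warning "Auto-lock settings did not apply as expected; check Group Policy overrides."
}
```

Staff should still lock the screen manually (Windows key + L) when stepping away; the timeout is the safety net for when they forget, not a replacement for the habit.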
Allocate resources to provide training to your staff to prevent unauthorized access and disclosure of your patients’ personal health information. Develop systems and training methods to address the common areas of risk.
Portable Electronic Devices
All personal health information stored on portable devices must be encrypted to avoid a HIPAA security breach. This includes any personal electronic devices employees may use in the course of their employment.
If filming is to take place at your office, you must get the consent of all patients whose information may be exposed during the filming. Failure to do so can result in heavy penalties being assessed against your business.
Civil and Monetary Penalties:
If a health care facility, network, or provider does not have sufficient protection and security in the event of a cyberattack or compliance breach, their reputation, finances, and future are all in jeopardy.
Civil violations (https://www.ama-assn.org/)
- Unknowingly violates HIPAA: penalty range $100 – $50,000 per violation, with an annual maximum of $25,000 for repeat violations
- HIPAA violation with reasonable cause: penalty range $1,000 – $50,000 per violation, with an annual maximum of $100,000 for repeat violations
- HIPAA violation due to willful neglect, but corrected within the required time period: penalty range $10,000 – $50,000 per violation, with an annual maximum of $250,000 for repeat violations
- HIPAA violation due to willful neglect and not corrected within the required time period: penalty of $50,000 per violation, with an annual maximum of $1.5 million
Criminal penalties: (https://www.ama-assn.org/)
Criminal violations of HIPAA are handled by the DOJ. As with the HIPAA civil penalties, there are different levels of severity for criminal violations.
Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment of up to 1 year.
Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison.
Finally, offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment up to 10 years.
Learn More: Read our White Paper: How To Stay HIPAA-Compliant in The Digital Age